Changing permissions with PowerShell doesn't propagate to children

flynnibus · Jun 10, 2012 · Viewed 17.9k times

When I set a new FileSystemAccessRule with PowerShell and Set-Acl, I set the inheritance flags to propagate to children and leaf objects:

# Assumed: $acl was read from the same path before the rule is added
$acl = Get-Acl -Path $filename
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "username","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))
Set-Acl -Path $filename -AclObject $acl

When I look at the permission in Explorer.. in the Security tab.. Advanced.. the propagation is set correctly. But if I look at the children themselves, they do NOT show the new security rule.

If in Explorer, I add another rule with a different SID.. and save it (without forcing the option to 'replace all child object permissions...'), then both the manual and the PowerShell rule show up on the children. It's as if there is some sort of kickstart needed to cause the children to pick up the new propagated rule. What am I missing to make the child objects show the new rule added?

Answer

Tiele Declercq · Sep 25, 2012

I have had the same logical problem...

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"username","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))

With that last 'none' you are saying: do not propagate... Change to:

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"username","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")))

and it will propagate your settings. Check out the access rule options here: http://msdn.microsoft.com/en-us/library/ms147785.aspx

These are the propagation flags: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx
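
A check for the behaviour discussed in this thread, as an added example that is not part of the original posts: it applies the same kind of rule with two PropagationFlags values to a scratch folder and reports whether the ACE is effective on the folder itself and whether an existing child file shows it as inherited. The scratch path under $env:TEMP, the test principal (well-known SID S-1-5-11, Authenticated Users), the Read right and the helper names Get-TestAce and Test-Propagation are assumptions made for the demo.

```powershell
# Added example. Scratch paths and the test principal are constructed for this demo.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users
$sidType = [System.Security.Principal.SecurityIdentifier]
$root    = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$([guid]::NewGuid())")

function Get-TestAce {
    # Explicit and inherited ACEs for the test principal on $Path, with SIDs left untranslated.
    param([string]$Path)
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

function Test-Propagation {
    param([System.Security.AccessControl.PropagationFlags]$Propagation)

    # Parent folder with one child file that exists before the ACL change.
    $dir  = New-Item -ItemType Directory -Path (Join-Path $root.FullName "$Propagation")
    $file = New-Item -ItemType File -Path (Join-Path $dir.FullName 'child.txt')

    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Read', 'ContainerInherit, ObjectInherit', $Propagation, 'Allow')))
    Set-Acl -Path $dir.FullName -AclObject $acl

    $parentAce   = Get-TestAce $dir.FullName  | Where-Object { -not $_.IsInherited }
    $childAce    = Get-TestAce $file.FullName | Where-Object { $_.IsInherited }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    [pscustomobject]@{
        Propagation          = $Propagation
        # An ACE flagged InheritOnly is not evaluated for access to the folder itself.
        EffectiveOnFolder    = [bool]$parentAce -and
                               (($parentAce.PropagationFlags -band $inheritOnly) -ne $inheritOnly)
        InheritedByChildFile = [bool]$childAce
        # A child whose DACL is protected does not receive inherited ACEs.
        ChildDaclProtected   = (Get-Acl -Path $file.FullName).AreAccessRulesProtected
    }
}

try {
    'None', 'InheritOnly' | ForEach-Object { Test-Propagation $_ } | Format-Table -AutoSize
}
finally {
    # Remove the scratch tree so the test ACEs do not linger.
    Remove-Item -Path $root.FullName -Recurse -Force
}
```

When auditing a real tree, the same two Get-Acl checks (IsInherited on the child ACE and AreAccessRulesProtected on the child) show whether a child is missing a rule because its inheritance is disabled.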