Setting Inheritance and Propagation flags with set-acl and powershell

powershell permissions file-permissions
Tim AtLee picture Tim AtLee · Jul 19, 2010 · Viewed 106.3k times · Source

I am trying to mimic the action of right-clicking on a folder, setting "modify" on a folder, and having the permissions apply to the specific folder and subfolders and files.

I'm mostly there using Powershell, however the inheritance is only being set as "subfolders and files" instead of the whole "this folder, subfolders and files".

Is there some unlisted flag for System.Security.AccessControl.PropagationFlags that will set this properly?

Here's what I'm working with so far.

$Folders = Get-childItem c:\TEMP\
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType = [System.Security.AccessControl.AccessControlType]::Allow 

foreach ($TempFolder in $Folders)
{
echo "Loop Iteration"
$Folder = $TempFolder.FullName

$acl = Get-Acl $Folder
$permission = "domain\user","Modify", $InheritanceFlag, $PropagationFlag, $objType
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

$acl.SetAccessRule($accessRule)
Set-Acl $Folder $acl
}

Answer

Nick Sarabyn picture Nick Sarabyn · Dec 5, 2011

Here's a table to help find the required flags for different permission combinations.

    ╔═════════════╦═════════════╦═══════════════════════════════╦════════════════════════╦══════════════════╦═══════════════════════╦═════════════╦═════════════╗
    ║             ║ folder only ║ folder, sub-folders and files ║ folder and sub-folders ║ folder and files ║ sub-folders and files ║ sub-folders ║    files    ║
    ╠═════════════╬═════════════╬═══════════════════════════════╬════════════════════════╬══════════════════╬═══════════════════════╬═════════════╬═════════════╣
    ║ Propagation ║ none        ║ none                          ║ none                   ║ none             ║ InheritOnly           ║ InheritOnly ║ InheritOnly ║
    ║ Inheritance ║ none        ║ Container|Object              ║ Container              ║ Object           ║ Container|Object      ║ Container   ║ Object      ║
    ╚═════════════╩═════════════╩═══════════════════════════════╩════════════════════════╩══════════════════╩═══════════════════════╩═════════════╩═════════════╝

So, as David said, you'll want 

InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit
PropagationFlags.None

Related questions

PowerShell Setting advanced NTFS permissions

I'm trying to apply NTFS permissions that are defined in the 'Advanced' tab of the Windows security settings. One ACL $Rule is for This folder only and another one is for the Subfolders and files only. The permissions are heavily …

Read More
Sharing a folder and setting permissions in PowerShell

I need a script to run on Vista Ultimate to share an external drive and assign full control to Everyone. I've got a batch file to create the share using net share, but there doesn't seem to be a way …

Read More
How to Grant permission to user on Certificate private key using powershell?

Certificate is already installed on machine. Now I want to give read permission on PrivateKey of Certificate to application user.

Read More