0

I am adding ADGroups to folder permissions (Permissions are being applied correctly). How can I prevent the ADGroups that I am adding from inheriting?

I have tried just about everything and every variation, e.g.:

$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]@("ContainerInherit,ObjectInherit")
$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]::"ContainerInherit,ObjectInherit"
$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit"

Also tried the following combinations with the above.

$PropagationFlag=[System.Security.AccessControl.PropagationFlags]"None"
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]::None
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]::InheritOnly
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

And also with quotes. In addition to:

$ACL.SetAccessRuleProtection($true,$true) | Set-Acl $sFoldPath
$ACL.SetAccessRuleProtection($false,$false) | Set-Acl $sFoldPath
$ACL.SetAccessRuleProtection($true,$false) | Set-Acl $sFoldPath

I have been at this for 4/5 days and have loaded just about every link on the first 2 pages of my various search results. Plus, last night and today I researched every suggestion from StackOverflow before posting here for help.

I am at a complete loss as to what I am not doing correctly and am now reaching out to the community for any help or insights that you could provide.


$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]'None'   # also tried 'InheritOnly' and 'NoPropagateInherit'; PropagationFlags is significant only when InheritanceFlags is not None
$AccessControlType = [System.Security.AccessControl.AccessControlType]'Allow'

ForEach ($oCol in $oCSVData) {
    $sFoldPath = $oCol.'FolderPath'.Trim()
    $IdentityReference = $oCol.'GroupNames'.Trim()

    # Groups whose name ends in _R get read-only rights, everything else gets Modify
    If ($IdentityReference.Substring($IdentityReference.Length - 2) -eq '_R') {
        $sPermission = 'ReadAndExecute, Read, ListDirectory'
    } Else {
        $sPermission = 'Modify'
    }

    $ACL = Get-Acl $sFoldPath

    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $sPermission, $InheritanceFlag, $PropagationFlag, $AccessControlType)

    $ACL.SetAccessRuleProtection($true, $true)

    $ACL.AddAccessRule($AccessRule)

    $ACL | Set-Acl $sFoldPath
}

My requirements are that I need to associate an AD group with a folder, assign the permissions, and make sure the AD group's permissions are visible in the context window and not assigned as special permissions. Lastly, the AD group's permissions are not to be inherited.

ShaggyRogers
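The flag combinations the question cycles through never include the one that means "This folder only", which is InheritanceFlags None (PropagationFlags is ignored when InheritanceFlags is None). The explicit ACE you add is never itself reported as inherited, so SetAccessRuleProtection is not needed for that, and leaving it out keeps the inherited SYSTEM and Administrators entries in place. The script below is an added example written for this edit, not code from the question or from either answer: the CSV rows, share paths and group names are constructed, and it assumes the folders exist, the groups resolve in the domain, and the caller may write the ACL. It reads the ACL back after writing so you can confirm IsInherited is False and the scope is what you set. One caveat the thread runs into: the basic Security tab in Explorer shows an entry as "Special permissions" whenever its scope is not "This folder, subfolders and files"; the Advanced view shows "Applies to: This folder only" correctly.

```powershell
# Added example (not from the original post). Constructed sample input:
$csvText = @'
FolderPath,GroupNames
D:\Shares\Finance,CONTOSO\Finance_RW
D:\Shares\Finance\Reports,CONTOSO\Finance_R
'@
$oCSVData = $csvText | ConvertFrom-Csv

function Add-GroupAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    # "Applies to: This folder only" is InheritanceFlags None. PropagationFlags
    # only matters when InheritanceFlags is not None, so it stays at None here.
    if ($ThisFolderOnly) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, 'Allow'

    $acl = Get-Acl -Path $Path
    # Deliberately no SetAccessRuleProtection call: inheritance from the parent
    # stays enabled, so inherited SYSTEM / Administrators ACEs are untouched.
    # The ACE added here is explicit (IsInherited = False) regardless; the flags
    # above only decide whether it flows down to children.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-GroupAce {
    # Reads the ACL back and returns the explicit ACE(s) for the identity so the
    # caller can verify IsInherited and the inheritance/propagation flags.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

foreach ($row in $oCSVData) {
    $path  = $row.FolderPath.Trim()
    $group = $row.GroupNames.Trim()
    # Same naming rule as the question: *_R groups are read-only, the rest get Modify
    $rights = if ($group.EndsWith('_R')) {
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, ListDirectory'
    } else {
        [System.Security.AccessControl.FileSystemRights]::Modify
    }
    Add-GroupAce -Path $path -Identity $group -Rights $rights -ThisFolderOnly
    Test-GroupAce -Path $path -Identity $group | Format-Table -AutoSize
}
```

Drop the -ThisFolderOnly switch to get the usual "This folder, subfolders and files" scope (ContainerInherit, ObjectInherit), which is the only scope the basic Security tab renders as named checkboxes rather than "Special permissions".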

2 Answers

0

I have a script that does almost the exact same thing that you are asking for. Here is what I have found that works:

$folderACL = Get-Acl -Path 'Path\to\folder'

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"

$accessRule = New-Object system.security.accesscontrol.filesystemaccessrule("Domain\User", "Modify", $inherit, $propagation, "Allow")

# SetAccessRule replaces any existing rule for the same identity rather than adding a second one
$folderACL.SetAccessRule($accessRule)

# Set folder inheritance to off ($true = protect from inheritance; $false = discard the inherited rules instead of copying them)
$folderACL.SetAccessRuleProtection($true, $false)

Set-Acl -Path 'Path\to\folder' -AclObject $folderACL
Shamus Berube
0

If you are looking for users to be able to view the contents of the directory and be able to access files within that directory, you only need the ObjectInherit inheritance flag and no propagation flags. It sounds like you are just trying to add access to a specific folder for a specific group, so unless you are trying to remove inherited rights (such as, do you really want to remove rights for the SYSTEM account, or Domain Admins?) you can skip the SetAccessRuleProtection step. I think this should do what you want:

$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit" # ObjectInherit ensures only objects are accessible, not subfolders
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]"NoPropagateInherit"

ForEach ($oCol in $oCSVData){
    $sFoldPath=$oCol.'FolderPath'.Trim()           
    $IdentityReference=$oCol.'GroupNames'.Trim()

    $sPermission= If ($IdentityReference.Substring($IdentityReference.Length - 2) -eq '_R') {
         'ReadAndExecute,ListDirectory'
    }  Else {
         'Modify' 
    } 

    $ACL = Get-Acl $sFoldPath

    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference,$sPermission,$InheritanceFlag,$PropagationFlag,'Allow')

    $ACL.AddAccessRule($AccessRule) 

    $ACL | Set-Acl $sFoldPath
}
TheMadTechnician
  • Hi Mad, I agree with what you're saying. I do need to preserve Sys, Admin & Domain Admins. I modified the code per your recommendations (ObjectInherit & leave out "SetAccessRuleProtection"). The result is more groups inheriting access to the folder(s). I saved an image; here's the URL: https://ibb.co/G9swLsS – ShaggyRogers Apr 16 '19 at 20:33
  • Right, I screwed up the propagation flags. It should be `NoPropagateInherit`. I'll update my answer to reflect that. – TheMadTechnician Apr 16 '19 at 23:20
  • Thanks, I added "NoPropagateInherit" and everything worked, but the context menu is showing permissions as special (https://ibb.co/HCtFhp2). I need to have the permissions populated in the context menu (https://ibb.co/v33ZcP1). Any other suggestions or insights? Thanks in advance – ShaggyRogers Apr 17 '19 at 13:24
  • You can't, not without disabling inheritance on every folder you own. – TheMadTechnician Apr 17 '19 at 18:55
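The last comment above says the named checkboxes only appear once inheritance on the folder is disabled, and the first answer does exactly that with SetAccessRuleProtection($true, $false), which also silently deletes every inherited entry, including the SYSTEM and Administrators ACEs the asker says must be preserved. What follows is an added example written for this edit, not code from either answerer: a dry-run that lists what breaking inheritance would remove, plus a wrapper that refuses to break inheritance unless an explicit Allow FullControl for SYSTEM or BUILTIN\Administrators would survive, or unless the inherited entries are first copied to explicit ones with SetAccessRuleProtection($true, $true). The folder path in the usage lines is an assumption; the well-known SIDs S-1-5-18 and S-1-5-32-544 are the documented values for SYSTEM and Administrators.

```powershell
# Added example (not from the original answers). Assumes $Path exists and the
# caller can read and write its ACL.

function ConvertTo-SidString {
    # Resolve an IdentityReference to its SID string; $null for orphaned accounts
    param([System.Security.Principal.IdentityReference]$Identity)
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

function Get-InheritanceBreakPreview {
    param([Parameter(Mandatory)][string]$Path)

    $acl       = Get-Acl -Path $Path
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })

    # Well-known SIDs: NT AUTHORITY\SYSTEM and BUILTIN\Administrators
    $adminSids = @('S-1-5-18', 'S-1-5-32-544')
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Explicit Allow FullControl entries for SYSTEM/Administrators survive a
    # SetAccessRuleProtection($true, $false) call; inherited ones do not.
    $adminKept = $explicit | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full) -and
        ($adminSids -contains (ConvertTo-SidString $_.IdentityReference))
    }

    [pscustomobject]@{
        Path              = $Path
        InheritedAcesLost = @($inherited | Select-Object IdentityReference, FileSystemRights, AccessControlType)
        ExplicitAcesKept  = $explicit.Count
        AdminAccessKept   = [bool]$adminKept
    }
}

function Disable-FolderInheritance {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$KeepInheritedAsExplicit   # copy inherited ACEs instead of dropping them
    )
    $preview = Get-InheritanceBreakPreview -Path $Path
    if (-not $KeepInheritedAsExplicit -and -not $preview.AdminAccessKept) {
        throw "Refusing to break inheritance on '$Path': no explicit Allow FullControl for SYSTEM or Administrators would remain."
    }
    $acl = Get-Acl -Path $Path
    # ($true, $true)  = protect and convert inherited ACEs to explicit copies
    # ($true, $false) = protect and discard inherited ACEs
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedAsExplicit)
    Set-Acl -Path $Path -AclObject $acl
    return $preview
}

# Usage (path is an assumption):
Get-InheritanceBreakPreview -Path 'D:\Shares\Finance' | Format-List
Disable-FolderInheritance -Path 'D:\Shares\Finance' -KeepInheritedAsExplicit | Format-List
```

Run the preview first on a folder you can afford to repair: InheritedAcesLost is the list the first answer's ($true, $false) call would delete, and AdminAccessKept tells you whether you would still be able to administer the folder afterwards without taking ownership.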