How to get rid of "Apply these permissions to objects and/or containers within this container only" check mark?

  • Question

  • Hi there,

    Is there a way in powershell to get rid of the check mark on "Apply these permissions to objects and/or containers within this container only" ?

    Thank you,

    Wednesday, August 13, 2014 6:51 PM

Answers

  • That checkbox corresponds to the 'NoPropagateInherit' propagation flag on a container (folder, registry key, AD object, etc) access control entry (ACE). The box is checked when the flag is present.

    .NET ACE objects are read only, so you can't directly modify one. You can replace the "bad" ACE with a new one, though.

    The following code should work if you're just changing the discretionary ACL (access entries) on a folder object. If you're working with the SACL (auditing entries) and/or something other than a folder, it'll need to be modified slightly. Give it a shot and let me know if it works:

    $FolderPath = "d:\folder"
    
    # Get-Item could be replaced w/ a Get-ChildItem call that only applies to folders
    Get-Item $FolderPath | ForEach-Object {
        # Get the security descriptor (try/catch used b/c Get-Acl always throws
        # terminating errors)
        try {
            $Acl = Get-Acl $_.FullName
        }
        catch {
            Write-Error $_
            return
        }
    
        # Look for ACEs that only have NoPropagateInherit set:
        $Acl.Access | 
            where { $_.IsInherited -eq $false -and $_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit } | 
            ForEach-Object {
                # Create an ACE that matches the original except w/o NoPropagateInherit flag set
                $NewAce = New-Object System.Security.AccessControl.FileSystemAccessRule (
                    $_.IdentityReference,
                    $_.FileSystemRights,
                    $_.InheritanceFlags,
                    ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly),
                    $_.AccessControlType
                )
    
                # SetAccessRule() method will overwrite the matching original ACE
                $Acl.SetAccessRule($NewAce)
            }
    
        # At this point, you would save the ACL to make the changes permanent
        #$_.SetAccessControl($Acl)
    }

    Someone may have an easier solution, but that's the simplest way I can think of using native PS code. Let me know if you have any questions.

    If you do a lot of this kind of thing interactively from the shell, take a look at the PowerShell Access Control module.


    • Edited by Rohn Edwards Wednesday, August 13, 2014 8:16 PM
    • Marked as answer by Athos101 Thursday, August 14, 2014 12:48 PM
    Wednesday, August 13, 2014 8:12 PM
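
The approach from the answer above, wrapped in a function that reports each affected ACE and supports -WhatIf; this is an added example, not code from the original post, and the function name Clear-NoPropagateInherit is hypothetical. It swaps each ACE with RemoveAccessRuleSpecific() and AddAccessRule() so that other explicit rules for the same identity are left alone.

```powershell
# Added example. Clear-NoPropagateInherit is a hypothetical name, not a built-in cmdlet.
function Clear-NoPropagateInherit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path
    )
    $NoPropagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    $InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $Acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $Changed = $false

    # @() snapshots the rules so the ACL can be modified inside the loop
    foreach ($Ace in @($Acl.Access)) {
        # Only explicit ACEs that carry NoPropagateInherit are touched
        if ($Ace.IsInherited) { continue }
        if (($Ace.PropagationFlags -band $NoPropagate) -eq 0) { continue }

        # Same ACE, keeping InheritOnly if present and dropping NoPropagateInherit
        $NewAce = New-Object System.Security.AccessControl.FileSystemAccessRule (
            $Ace.IdentityReference,
            $Ace.FileSystemRights,
            $Ace.InheritanceFlags,
            ($Ace.PropagationFlags -band $InheritOnly),
            $Ace.AccessControlType
        )

        # Emit one record per affected ACE, also under -WhatIf
        [pscustomobject]@{
            Path     = $Path
            Identity = $Ace.IdentityReference
            Rights   = $Ace.FileSystemRights
            Type     = $Ace.AccessControlType
            OldFlags = $Ace.PropagationFlags
            NewFlags = $NewAce.PropagationFlags
        }

        if ($PSCmdlet.ShouldProcess($Path, "Clear NoPropagateInherit for $($Ace.IdentityReference)")) {
            $Acl.RemoveAccessRuleSpecific($Ace)   # removes only the exact matching ACE
            $Acl.AddAccessRule($NewAce)
            $Changed = $true
        }
    }
    # Write the descriptor back only if something was actually replaced
    if ($Changed) { Set-Acl -LiteralPath $Path -AclObject $Acl }
}
# Preview with -WhatIf, then rerun without it: Clear-NoPropagateInherit -Path 'D:\folder' -WhatIf
```

Clearing the flag lets the ACE propagate to all descendants that inherit from the folder, so review the -WhatIf output for broad identities before writing the change.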

All replies

  • Thank you, that would do it. I will definitively take a look at the Access Control module. Thanks again.
    Thursday, August 14, 2014 12:50 PM