Breaking permissions inheritance with PowerShell to secure a folder

    Hi,

    I am trying to secure a series of folders using PowerShell to set file system permissions. 'Standard' user access is granted by assigning write permissions to an AD security group (e.g. 'contoso\staff') on the top-level folder. The user account I am using has full control permissions on that top-level folder. I start by creating a sub-folder, and then apply permissions as follows:

    new-item -path 'c:\temp' -ItemType Container -Name 'New'
    $acl = (get-item -Path 'c:\Temp\New').GetAccessControl('Access');
    $acl.SetAccessRuleProtection($true,$true);
    # collect every ACE for the group (there may be more than one, so force an array)
    $defaultpermissions = @($acl.Access | where-object -FilterScript {$_.IdentityReference.Value -eq 'CONTOSO\staff'});
    if ($defaultpermissions.Count -gt 0)
    {
        # RemoveAccessRuleAll takes a single rule, so remove the matches one at a time
        foreach ($rule in $defaultpermissions) { [void]$acl.RemoveAccessRuleAll($rule); }
    } else { write-host "Can't find default permissions"; }
    $ar = new-object System.Security.AccessControl.FileSystemAccessRule('contoso\managers','Modify','ContainerInherit,ObjectInherit','None','Allow');
    $acl.AddAccessRule($ar);
    set-acl -path 'c:\temp\New' -AclObject $acl

    The script results in the 'manager' permissions being added, but the 'staff' permissions are not removed.

    Alternatively, if I break the permissions inheritance and apply that before removing the access to 'staff', it appears to work if I have elevated, but not if I have not (see below).

    new-item -path 'c:\temp' -ItemType Container -Name 'New'
    $acl = (get-item -Path 'c:\Temp\New').GetAccessControl('Access');
    $acl.SetAccessRuleProtection($true,$true);
    
    #apply permissions and get them again
    set-acl -path 'c:\temp\New' -AclObject $acl
    $acl = (get-item -Path 'c:\Temp\New').GetAccessControl('Access');
    
    #then remove default access and add manager access
    $defaultpermissions = @($acl.Access | where-object -FilterScript {$_.IdentityReference.Value -eq 'CONTOSO\staff'});
    if ($defaultpermissions.Count -gt 0)
    {
        # RemoveAccessRuleAll takes a single rule, so remove the matches one at a time
        foreach ($rule in $defaultpermissions) { [void]$acl.RemoveAccessRuleAll($rule); }
    } else { write-host "Can't find default permissions"; }
    $ar = new-object System.Security.AccessControl.FileSystemAccessRule('contoso\managers','Modify','ContainerInherit,ObjectInherit','None','Allow');
    $acl.AddAccessRule($ar);
    set-acl -path 'c:\temp\New' -AclObject $acl

    What I do not understand is why I need to elevate after I have broken permissions inheritance, but not before, even if I have copied permissions and appear to have the same permissions after the break.

    Monday, September 19, 2016 6:57 AM
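The procedure the post is working towards, written out as an added example (this is not the original poster's code). It uses the Get-Acl/Set-Acl cmdlets rather than GetAccessControl, and assumes the post's values: parent folder 'C:\Temp', sub-folder 'New', the group to strip 'CONTOSO\staff' and the group to grant 'CONTOSO\managers'; the function and parameter names are my own. The order matters: inheritance is broken with the inherited ACEs copied, that change is written to disk and the ACL re-read, and only then are the now-explicit ACEs removed, because RemoveAccessRule and RemoveAccessRuleAll leave inherited ACEs untouched. The function also records whether the session is elevated and verifies the on-disk ACL afterwards, so the two runs the post compares can be checked side by side instead of trusting the in-memory object.

```powershell
# Added example, not the poster's script. Assumed values come from the post:
# 'C:\Temp\New', 'CONTOSO\staff' (remove) and 'CONTOSO\managers' (grant).

function Test-IsElevated {
    # True when the current token holds the Administrators role (i.e. an elevated session)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-IsolatedFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$RemoveIdentity,
        [Parameter(Mandatory)][string]$GrantIdentity,
        [System.Security.AccessControl.FileSystemRights]$GrantRights = 'Modify'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
    }

    # Step 1: break inheritance, copying inherited ACEs as explicit ACEs, and
    # write that to disk first. Inherited ACEs cannot be removed with
    # RemoveAccessRule*; they become removable only once they are explicit.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read so the copied ACEs report IsInherited = False,
    # then remove every explicit rule held by the target identity.
    $acl = Get-Acl -LiteralPath $Path
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $RemoveIdentity })
    if ($toRemove.Count -eq 0) {
        Write-Warning "No explicit ACE for '$RemoveIdentity' found on $Path"
    }
    foreach ($rule in $toRemove) {
        # RemoveAccessRuleAll takes one rule and drops all rules for that
        # identity and access type (Allow/Deny), regardless of rights
        [void]$acl.RemoveAccessRuleAll($rule)
    }

    # Step 3: grant the replacement group, inheriting to subfolders and files.
    $grant = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $GrantIdentity, $GrantRights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($grant)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 4: verify what actually landed on disk.
    $final = Get-Acl -LiteralPath $Path
    $result = [pscustomobject]@{
        Path          = $Path
        Elevated      = Test-IsElevated
        Protected     = $final.AreAccessRulesProtected
        RemovedIsGone = -not [bool]@($final.Access | Where-Object {
                            $_.IdentityReference.Value -eq $RemoveIdentity })
        GrantPresent  = [bool]@($final.Access | Where-Object {
                            -not $_.IsInherited -and $_.IdentityReference.Value -eq $GrantIdentity })
        ExplicitAces  = @($final.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
                            "$($_.IdentityReference) : $($_.FileSystemRights) ($($_.AccessControlType))" })
    }
    if (-not ($result.Protected -and $result.RemovedIsGone -and $result.GrantPresent)) {
        Write-Warning "ACL on $Path does not match the intended state; review ExplicitAces."
    }
    return $result
}

# Usage with the constructed values from the post:
Set-IsolatedFolderAcl -Path 'C:\Temp\New' -RemoveIdentity 'CONTOSO\staff' -GrantIdentity 'CONTOSO\managers' |
    Format-List
```

Run it once from a normal session and once elevated and compare the Elevated, Protected and RemovedIsGone fields; any Set-Acl failure surfaces as a terminating error at the step it occurs in rather than as a silently unchanged ACL.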