locked
Powershell Set-ACL not setting permissions on child objects. RRS feed

  • Question

  • The permissions get set correctly on the parent folder but not the sub folders.

    $Apps = "D:\Apps"
    $acls = get-acl $Apps
    $acls | select path -expand access | format-table
    $obj = New-Object System.Security.AccessControl.FileSystemAccessRule("AD\Group",,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acls.AddAccessRule($obj)
    $acls | select path -expand access | format-table
    $acls | Set-Acl $Apps

    What am I missing on this script?

    Thank you

    Charles

    • Moved by Mary Dong Monday, October 23, 2017 2:46 AM more related to be powershell support
    Friday, October 20, 2017 12:40 PM

Answers

  • Hi Charles,

    Based on the test in my lab, you scripts might have no problem.
    In this case, I recommend you could have a try to disable inheritance and enable inheritance on the subfolder again to see whether the issue remains.

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by CharlesWhite Tuesday, October 24, 2017 3:30 PM
    Tuesday, October 24, 2017 8:31 AM
  • Albert, setting the permission on each folder works, but I have quite a few folders.

    I opted to just tag on this icacls command at the end.

    cmd /c "icacls D:\Apps /grant `"Creator Owner`":(OI)(CI)(IO)F"

    This way, powershell is setting the permissions and icacls is propagating them. I could write it to use icacls only but I have this working already. 

    Thanks for the help

    Charles

    • Marked as answer by CharlesWhite Tuesday, October 24, 2017 3:30 PM
    Tuesday, October 24, 2017 3:30 PM

All replies

  • Hi Charles,

    Have you enabled inheritance on the subfolders?
    Based on my research, subfolders need to enable inheritance so that they could apply the access control entries from the parent folder.
    In this case, I recommend you could have a try with the following scripts to check the inheritance information on the subfolders, and True means the folder has disabled inheritance. Hope it is helpful to you:
    $subfolders = Get-ChildItem -Path 'D:\Apps' -Recurse | Where-Object {$_.Attributes -eq 'Directory'}
    foreach ($subfolder in $subfolders)
    {
        $inheritance = (Get-Acl -Path $subfolder.FullName).AreAccessRulesProtected
        Write-Host $subfolder,$inheritance
    }

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 23, 2017 5:53 AM
  • Albert,

    When I run that script, everything shows up as false. 

    From what I have been reading, this was a known issue a couple of years ago. Not sure if there was ever a fix for it or not.

    Charles

    Monday, October 23, 2017 11:10 AM
  • Hi Charles,

    Based on the test in my lab, you scripts might have no problem.
    In this case, I recommend you could have a try to disable inheritance and enable inheritance on the subfolder again to see whether the issue remains.

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by CharlesWhite Tuesday, October 24, 2017 3:30 PM
    Tuesday, October 24, 2017 8:31 AM
  • In the GUI we have the permissions wizard which can adjust the settings on all child objects.  There is no API that can do this.  It is done by enumerating all children and adjusting them as needed.

    In the PowerShell Gallery (OneGet) we have this module:

    Find-Module NTFSSecurity

    This module can reset recursively.

    There is also a version in the TechNet gallery.


    \_(ツ)_/

    Tuesday, October 24, 2017 8:37 AM
  • Albert, setting the permission on each folder works, but I have quite a few folders.

    I opted to just tag on this icacls command at the end.

    cmd /c "icacls D:\Apps /grant `"Creator Owner`":(OI)(CI)(IO)F"

    This way, powershell is setting the permissions and icacls is propagating them. I could write it to use icacls only but I have this working already. 

    Thanks for the help

    Charles

    • Marked as answer by CharlesWhite Tuesday, October 24, 2017 3:30 PM
    Tuesday, October 24, 2017 3:30 PM
  • Use the following command to reset all permissions on the Child Items and enable inheritance.

    icacls "C:\test\*" /reset /T

    When running this command from a power shell script add --% before any parameters

    icacls --% "C:\test\*" /reset /T

    Friday, April 26, 2019 11:47 AM