将安全AD组添加到文件夹权限，而不允许继承

Question

I am adding ADGroups to folder permissions (Permissions are being applied correctly). How can I prevent the ADGroups that I am adding from inheriting?

I have tried just about everything and variation IG

$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]@("ContainerInherit,ObjectInherit") $InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]::"ContainerInherit,ObjectInherit" $InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit" $InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit" $InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit"

Also tried the following combinations with the above.

$PropagationFlag=[System.Security.AccessControl.PropagationFlags]"None" $PropagationFlag=[System.Security.AccessControl.PropagationFlags]::None $PropagationFlag=[System.Security.AccessControl.PropagationFlags]::InheritOnly $PropagationFlag=[System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

And also with quotes. In addition to:

$ACL.SetAccessRuleProtection($true,$true) |Set-Acl $sFoldPath $ACL.SetAccessRuleProtection($false,$false) |Set-Acl $sFoldPath $ACL.SetAccessRuleProtection($true,$false) |Set-Acl $sFoldPath

I have been at this for 4/5 days and have load just about every link on the 1st 2 pages of my various search results. Plus last night and today researched every suggestion from StackOverflow before posting here for help.

I am at a complete loss as to what I am not doing correctly and am now reaching out to the community for any help or insights that you could provide.

$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]@("ContainerInherit,ObjectInherit") # "ContainerInherit,ObjectInherit"
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]"None" # "InheritOnly" # NoPropagateInherit # This property is significant only when the value of the InheritanceFlags enumeration is not None.
$AccessControlType=[System.Security.AccessControl.AccessControlType]"Allow "


    ForEach ($oCol in $oCSVData){
                   $sFoldPath=$oCol.'FolderPath'.Trim()           
           $IdentityReference=$oCol.'GroupNames'.Trim()

If ($IdentityReference.Substring($IdentityReference.Length - 2) -eq '_R') {
        $sPermission= ('ReadAndExecute','Read','ListDirectory')
  }  Else {
        $sPermission='Modify' 
} 

$ACL = Get-Acl $sFoldPath

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference,$sPermission,$InheritanceFlag,$PropagationFlag,'Allow')

$ACL.SetAccessRuleProtection($true,$true)

$ACL.AddAccessRule($AccessRule) 

$ACL | Set-Acl $sFoldPath
    }

My requirements are that I need to associate an AD Group with a folder, assign the permissions and make sure the AD Groups permissions are visible in the context window; and not being assigned as special permissions. Lastly, the Ad Groups permissions are not being inherited.

Answer 1

I have a script that does almost the exact same thing that you are asking for. Here is what I have found that works:

$folderACL = Get-ACL (Path\to\folder)

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"

$accessRule = New-Object system.security.accesscontrol.filesystemaccessrule("Domain\User","Modify", $inherit, $propagation, "Allow")

$folderACL.SetAccessRule($accessRule)

#Set folder inheritance to off
$folderAcl.SetAccessRuleProtection($True,$false)

Set-Acl (Path\to\folder) -AclObject $folderAcl

Answer 2

If you are looking for users to be able to view the contents of the directory, and be able to access files within that directory you only need the ObjectInherit inheritance flag, and no propagation flags. It sounds like you are just trying to add access to a specific folder for a specific group, so unless you are trying to removed inherited rights (such as, do you really want to remove rights for the SYSTEM account, or Domain Admins?) you can skip the SetAccessRuleProtection step. I think this should do what you want:

$InheritanceFlag=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit" # ObjectInherit ensurs only objects are accessable, not subfolders
$PropagationFlag=[System.Security.AccessControl.PropagationFlags]"NoPropagateInherit"

ForEach ($oCol in $oCSVData){
    $sFoldPath=$oCol.'FolderPath'.Trim()           
    $IdentityReference=$oCol.'GroupNames'.Trim()

    $sPermission= If ($IdentityReference.Substring($IdentityReference.Length - 2) -eq '_R') {
         'ReadAndExecute,ListDirectory'
    }  Else {
         'Modify' 
    } 

    $ACL = Get-Acl $sFoldPath

    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference,$sPermission,$InheritanceFlag,$PropagationFlag,'Allow')

    $ACL.AddAccessRule($AccessRule) 

    $ACL | Set-Acl $sFoldPath
}