
ACL rights, multiple inheritance from string value


I am trying to make a function that will set ACL permissions, with all the data coming from XML as strings, and I am having trouble with the inheritance part. With this code...

    $workingPermissions = Get-Acl $target
    # $rights is a string such as "ReadAndExecute" or "Modify,Write"
    $acRights = [System.Security.AccessControl.FileSystemRights]$rights
    # $inheritance and $propagation are looked up as static member names
    $acInheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::$inheritance
    $acPropagationFlag = [System.Security.AccessControl.PropagationFlags]::$propagation
    $acType = [System.Security.AccessControl.AccessControlType]::Allow
    $acUser = New-Object System.Security.Principal.NTAccount($principal)
    $acEntry = New-Object System.Security.AccessControl.FileSystemAccessRule($acUser, $acRights, $acInheritanceFlag, $acPropagationFlag, $acType)

everything works fine when only one inheritance flag is used, but when $inheritance = "ContainerInherit,ObjectInherit" it fails. $rights is built the same way, but my understanding is that, for whatever reason, Inheritance (and Propagation?) don't behave the same way. I found this thread from a few years back, and I am not seeing where the -bor based solution would allow for any string-based input. Indeed, I am not understanding it at all, as it seems like $is is just being set to an enumeration, which of course contains both of the enumerations where $flag is set. Anyway, hoping someone can provide the kick my own code needs, and perhaps clue me in on what is really happening in the linked solution too.


Solution

  • Leave the Propagation flag as None.

    Try this one, it works for me:

    $Folder = "C:\Path\To\Folder"   ## Type the folder path
    $SAMAccountName = "SamAccountName" ## Type your User/Group SamAccountName
    $Rights = "ReadAndExecute"
    $InheritanceFlag = @("ContainerInherit","ObjectInherit")  ## array of flag names, combined by the cast below
    $PropagationFlag = "None"
    $AccessType = "Allow"

    ## Resolve the account to a SID so an unknown name fails before the ACL is touched
    $NTAccount = [System.Security.Principal.NTAccount]($SAMAccountName)
    $IdentityReference = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier])
    $AccessRights = [System.Security.AccessControl.FileSystemRights]$Rights
    $InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]$InheritanceFlag
    $PropagationFlags = [System.Security.AccessControl.PropagationFlags]$PropagationFlag
    $Type = [System.Security.AccessControl.AccessControlType]$AccessType
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $AccessRights, $InheritanceFlags, $PropagationFlags, $Type)
    $ACL = Get-Acl $Folder
    $ACL.AddAccessRule($AccessRule)   ## merge with the existing entries
    Set-Acl -Path $Folder -AclObject $ACL
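The reason the question's code fails is the `[InheritanceFlags]::$inheritance` form: the `::` member lookup takes the whole string as one member name, so "ContainerInherit,ObjectInherit" is searched for as a single (non-existent) member. A cast, `[InheritanceFlags]"ContainerInherit,ObjectInherit"`, parses the comma-separated names and ORs their bits, which is exactly what the `-bor` solution in the linked thread does by hand. The following is an added example, not code from the question or the answer above: a function that takes every value as a string (the shape it arrives in from XML), validates each enum name so a typo in the XML is reported as such, refuses a propagation flag on a non-inheritable entry, supports `-WhatIf`, and reads the ACL back so the caller can verify what was actually written. The folder paths, principals and XML document are constructed for illustration; the paths must exist and the caller needs rights to change their ACLs.

```powershell
# Added example, not from the original question or answer. Paths, principals and
# the XML below are constructed; Get-Acl/Set-Acl need the folders to exist.
function Add-FolderAccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal,     # e.g. "BUILTIN\Users"
        [Parameter(Mandatory)][string]$Rights,        # e.g. "ReadAndExecute,Write"
        [string]$Inheritance = "ContainerInherit,ObjectInherit",
        [string]$Propagation = "None",
        [ValidateSet("Allow", "Deny")][string]$Type = "Allow"
    )

    # A cast accepts a comma-separated list of [Flags] member names and ORs them.
    # -as returns $null instead of throwing on an unknown name, so a bad XML value
    # is reported with the offending field rather than as an opaque cast error.
    $acRights      = $Rights      -as [System.Security.AccessControl.FileSystemRights]
    $acInheritance = $Inheritance -as [System.Security.AccessControl.InheritanceFlags]
    $acPropagation = $Propagation -as [System.Security.AccessControl.PropagationFlags]
    if ($null -eq $acRights)      { throw "Rights '$Rights' is not a valid FileSystemRights value" }
    if ($null -eq $acInheritance) { throw "Inheritance '$Inheritance' is not a valid InheritanceFlags value" }
    if ($null -eq $acPropagation) { throw "Propagation '$Propagation' is not a valid PropagationFlags value" }
    $acType = [System.Security.AccessControl.AccessControlType]$Type

    # Propagation flags only mean something on an inheritable entry.
    if ($acInheritance -eq [System.Security.AccessControl.InheritanceFlags]::None -and
        $acPropagation -ne [System.Security.AccessControl.PropagationFlags]::None) {
        throw "Propagation '$Propagation' requires at least one inheritance flag"
    }

    # Resolve the account to a SID up front so an unknown principal fails here,
    # before the ACL is touched.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, $acRights, $acInheritance, $acPropagation, $acType

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)   # merge with existing entries; SetAccessRule would replace them
    if ($PSCmdlet.ShouldProcess($Path, "Add $Type $Rights for $Principal")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Read the ACL back and return the entries for this principal so the caller
    # can check what actually landed on the folder.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
}

# Constructed sample input in the shape the question describes: all strings from XML.
[xml]$config = @"
<acl>
  <entry path="C:\Shares\Reports" principal="BUILTIN\Users"
         rights="ReadAndExecute" inheritance="ContainerInherit,ObjectInherit" propagation="None" />
  <entry path="C:\Shares\Reports\Archive" principal="BUILTIN\Users"
         rights="Write" inheritance="None" propagation="None" />
</acl>
"@

foreach ($e in $config.acl.entry) {
    # Drop -WhatIf to apply the change for real.
    Add-FolderAccessRule -Path $e.path -Principal $e.principal -Rights $e.rights `
        -Inheritance $e.inheritance -Propagation $e.propagation -WhatIf
}
```

The same cast works for `FileSystemRights`, so "Modify,Write" from the XML needs no special handling either; the difference the question noticed was never between the enums, only between `[Enum]"a,b"` (cast) and `[Enum]::$name` (member lookup). Keep `AddAccessRule` rather than `SetAccessRule` when the XML is meant to add entries, since `SetAccessRule` removes the principal's existing entries of the same type first.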