
How to propagate permissions from reference file to all files in a directory in Windows?


I'm trying to serve a web page locally using IIS, but I am having trouble programmatically setting the permissions for all the files in my wwwroot directory. When I use the Set-Acl PowerShell directive with a reference file that has the necessary permissions, I only see exactly two changes propagate: The owner is changed, and RW permissions for the group IIS_USRS are added.

PS C:\WINDOWS\system32> $newAcl = Get-Acl C:\inetpub\wwwroot\
PS C:\WINDOWS\system32> Get-ChildItem C:\inetpub\wwwroot\ -Recurse -Force | Set-Acl -AclObject $newAcl
PS C:\WINDOWS\system32>
[Screenshot: the permissions in wwwroot that I'd like propagated]
[Screenshot: the permissions of a sample file after using Set-Acl]

So my question is, what am I doing wrong? How can I get these more detailed permissions to propagate fully? (I've also tried checking and applying "Replace all existing inheritable permissions on all descendants with inheritable permissions from this object", but it doesn't seem to help either.)


Solution

  • Are you sure you are specifying the originating file or directory (and not an inheritor) for the permissions you want to copy?

    If you specify (in $newAcl) an inheritor to the permissions you want, then Set-Acl will only propagate the permissions that the file itself has originally (that is, without having been inherited) and you'll not see the inherited permissions on the files whose permissions you are setting.

    To get the inherited permissions, you can either use Helge Klein's SetACL or you can specify an ancestral (higher up) directory or file in your Get-Acl assignment.

    So if C:\inetpub\wwwroot\ is inheriting a large part of its permissions from C:\inetpub\, then you'll want $newAcl = Get-Acl C:\inetpub\ in the PowerShell snippet you provided.
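
The following PowerShell is an added example, not part of the original answer. It lists which entries on the reference directory are explicit and which are inherited, then previews the scripted equivalent of the "Replace all existing inheritable permissions" option from the question. The function names Get-AceOrigin and Reset-ToInheritedAcl are hypothetical, and it assumes an elevated session and that items under wwwroot should carry no explicit entries of their own.

```powershell
# Added example; function names are hypothetical, paths are the ones from the question.

function Get-AceOrigin {
    param([Parameter(Mandatory)][string]$Path)
    # One row per access control entry. IsInherited = True means the entry
    # comes from a parent container and is not stored on this object itself.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags, PropagationFlags
}

function Reset-ToInheritedAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName

        # Turn inheritance back on for this item. The second argument only
        # matters when protecting (first argument $true), so $false is fine.
        $acl.SetAccessRuleProtection($false, $false)

        # Remove the item's own explicit entries so that only entries flowing
        # down from the parent chain remain once the descriptor is written.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        foreach ($rule in $explicit) {
            $acl.RemoveAccessRuleSpecific($rule)
        }

        if ($PSCmdlet.ShouldProcess($_.FullName, 'Enable inheritance, remove explicit ACEs')) {
            Set-Acl -LiteralPath $_.FullName -AclObject $acl
        }
    }
}

# Compare the reference directory with its parent: entries that show
# IsInherited = True on wwwroot are defined further up the tree.
Get-AceOrigin -Path 'C:\inetpub\wwwroot\' | Format-Table -AutoSize
Get-AceOrigin -Path 'C:\inetpub\'         | Format-Table -AutoSize

# Preview only; drop -WhatIf to apply.
Reset-ToInheritedAcl -Root 'C:\inetpub\wwwroot\' -WhatIf
```

After applying, running Get-AceOrigin on a sample file should show every entry with IsInherited = True, matching what wwwroot passes down.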