PowerShell: Set-Acl Does Not Appear to Work

If you've ever dealt with NTFS permissions in VBScript, you will no doubt appreciate just how easy PowerShell now makes it to manage access control lists. Basic examples in PowerShell books and around the 'net look something like this:

    $directory = "Test"
    $acl = Get-Acl $directory
    $accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("IUSR_CRACKLIN", "Modify", "Allow")
    $acl.AddAccessRule($accessrule)
    Set-Acl -AclObject $acl $directory

In the example above, user "IUSR_CRACKLIN" is given Modify access to the Test directory. Running the code above does not produce any errors, but upon checking the permissions via the GUI, it seems as though the user was added but no permissions were set.

[Image: acl-blank.gif]

I thought that perhaps this was an issue with Vista and I tried it on Windows Server 2003. And that's when I noticed that the directory had been given "Special Permissions." When I checked the Advanced permissions, I could see that Modify access had been assigned, but only to "This Folder." Other folders that had the checkboxes checked listed "This Folder, subfolders and files."

[Image: acl-advanced.gif]

Since I wanted the Test directory permissions to match the others, I searched the Google to see which flags would give me "This Folder, subfolders and files." I found Damir Dobric's blog post titled "Directory Security and Access Rules", which sported a handy reference table of the flags that must be set to achieve various scenarios.

| Applies to | Flags |
| --- | --- |
| Subfolders and Files only | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.None |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit |
| This folder and subfolders | InheritanceFlags.ContainerInherit, PropagationFlags.None |
| Subfolders only | InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly |
| This folder and files | InheritanceFlags.ObjectInherit, PropagationFlags.None |
| This folder and files | InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit |

So setting the following should give me what I need:
InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit and PropagationFlags.None.

    $directory = "Test"
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $acl = Get-Acl $directory
    $accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("IUSR_CRACKLIN", "Modify", $inherit, $propagation, "Allow")
    $acl.AddAccessRule($accessrule)
    Set-Acl -AclObject $acl $directory

I then checked the permissions and voila:

[Image: acl-fixed.gif]
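The same check can be made without the GUI by reading the ACL back and translating each explicit entry's flags into the "Applies to" text from the table above. This is an added example, not code from the original post. It assumes a throwaway directory under $env:TEMP, uses the built-in Users group (SID S-1-5-32-545) as a stand-in for the account, and the Get-AceScope function name and the "This folder only" label for None/None are its own choices.

```powershell
# Added example: report the scope of explicit ACEs after Set-Acl.
# Flag-to-label mapping follows the reference table in the post.
$scopeText = @{
    'None|None'                                          = 'This folder only'
    'ContainerInherit, ObjectInherit|InheritOnly'        = 'Subfolders and files only'
    'ContainerInherit, ObjectInherit|None'               = 'This folder, subfolders and files'
    'ContainerInherit, ObjectInherit|NoPropagateInherit' = 'This folder, subfolders and files'
    'ContainerInherit|None'                              = 'This folder and subfolders'
    'ContainerInherit|InheritOnly'                       = 'Subfolders only'
    'ObjectInherit|None'                                 = 'This folder and files'
    'ObjectInherit|NoPropagateInherit'                   = 'This folder and files'
}

function Get-AceScope {   # hypothetical helper name
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # GetAccessRules(includeExplicit, includeInherited, targetType): explicit ACEs only
    (Get-Acl -Path $Path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value } |
        ForEach-Object {
            $key   = '{0}|{1}' -f $_.InheritanceFlags, $_.PropagationFlags
            $scope = $scopeText[$key]
            if (-not $scope) { $scope = "Other ($key)" }
            [pscustomobject]@{
                Folder    = Split-Path $Path -Leaf
                Rights    = $_.FileSystemRights
                Flags     = $key
                AppliesTo = $scope
            }
        }
}

# Constructed test case: one folder per constructor form used in the post.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]'None'
$rules   = [ordered]@{
    'three-arg' = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Modify', 'Allow')
    'five-arg'  = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Modify', $inherit, $prop, 'Allow')
}
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
foreach ($name in $rules.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule($rules[$name])
    Set-Acl -Path $dir.FullName -AclObject $acl
    Get-AceScope -Path $dir.FullName -Sid $sid
}
Remove-Item -Path $root -Recurse -Force   # clean up the demo folders
```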

Imagine that.. PowerShell can set any number of permissions with about 6 lines of code while VBScript requires over 36 lines JUST to set the constants needed for managing permissions. I'm so excited thinking about the possibilities: PowerShell + Windows Core + SSH is going to be awesome.