PowerShell for Windows Admins

Jun 10 2014   12:44PM GMT

File system ACLs – inheritance

Richard Siddaway

NTFS permissions

When you look at a FileSystemAccessRule it'll be something like this:

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

So far we haven’t dealt with the three inheritance flags.

IsInherited indicates that the permission is inherited from further up the file system tree.

The Inheritance flags –  http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags(v=vs.110).aspx – are from the System.Security.AccessControl.InheritanceFlags enumeration:


ContainerInherit – child containers (folders) inherit the permission

ObjectInherit – child leaf objects (files) inherit the permission

The propagation flags are from the System.Security.AccessControl.PropagationFlags enumeration – http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags(v=vs.110).aspx

None – no inheritance flags are present

InheritOnly – the ACE is propagated only to child objects (child containers and leaf objects) and is not applied to the object it is set on

NoPropagateInherit – specifies the ACE is NOT propagated to child objects

This leads to our function being modified to look like this:

function add-acl {
param (
[ValidateScript({Test-Path -Path $_ })]
[string]$path,

[string]$trusteeName,

[ValidateSet("Read", "Write", "ListDirectory", "ReadandExecute", "Modify", "FullControl")]
[string]$permission = "Read",

[switch]$containerinherit,

[switch]$objectinherit,

[switch]$NOinherit,

[switch]$deny
)

$fsr = [System.Security.AccessControl.FileSystemRights]::$permission

# InheritOnly: the ACE applies to the children only, not to the folder itself
if ($containerinherit -OR $objectinherit) {
  $propflag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
}
else {
  $propflag = [System.Security.AccessControl.PropagationFlags]::None
}

# default when no inheritance switch is given
$inhflag = [System.Security.AccessControl.InheritanceFlags]::None
if ($containerinherit) {
  $inhflag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
}
if ($objectinherit) {
  $inhflag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
}
if ($NOinherit) {
  $inhflag = [System.Security.AccessControl.InheritanceFlags]::None
}

if ($deny) {
  $alwdny = [System.Security.AccessControl.AccessControlType]::Deny
}
else {
  $alwdny = [System.Security.AccessControl.AccessControlType]::Allow
}

$acr = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $trusteeName, $fsr, $inhflag, $propflag, $alwdny

$acl = Get-Acl -Path $path
$acl.AddAccessRule($acr)   # add the new rule to the existing ACL before writing it back
Set-Acl -Path $path -AclObject $acl -Passthru
}

Examples of use:

add-acl -path C:\Test -trusteeName "$($env:COMPUTERNAME)\NewUser" -permission FullControl -NOinherit
add-acl -path C:\Test -trusteeName "$($env:COMPUTERNAME)\NewUser" -permission FullControl -containerinherit
add-acl -path C:\Test -trusteeName "$($env:COMPUTERNAME)\NewUser" -permission FullControl -objectinherit

Set the permissions on the folder, the subfolders and the files respectively.

If you want all three, run it three times as above.
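As an added example (not from the original post), the functions below decode the InheritanceFlags and PropagationFlags of an ACE into the scope it actually applies to, which is what you want when auditing a folder, and build a single rule carrying both inheritance flags with PropagationFlags None as an alternative to the three separate calls. Get-AceScope and New-FullTreeRule are names chosen here; C:\Test is the folder from the examples above and the trustee is a constructed value.

```powershell
# Added example, not part of the original post.
# Decode where an ACE applies from its inheritance and propagation flags.
function Get-AceScope {
    param (
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemAccessRule]$Ace
    )
    $ci = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $np = $Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)

    $scope = @()
    if (-not $io) { $scope += 'this folder' }   # InheritOnly excludes the object itself
    if ($ci)      { $scope += 'subfolders' }
    if ($oi)      { $scope += 'files' }
    if ($np -and ($ci -or $oi)) { $scope += 'one level down only' }
    if ($scope.Count -eq 0) { return 'nothing (InheritOnly without inheritance flags)' }
    return ($scope -join ', ')
}

# One ACE for folder, subfolders and files: both inheritance flags set and
# PropagationFlags None, so the folder itself is included (InheritOnly would drop it).
function New-FullTreeRule {
    param (
        [string]$TrusteeName,
        [string]$Permission = 'Read',
        [switch]$Deny
    )
    $fsr  = [System.Security.AccessControl.FileSystemRights]::$Permission
    $inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    $type = [System.Security.AccessControl.AccessControlType]::Allow
    if ($Deny) { $type = [System.Security.AccessControl.AccessControlType]::Deny }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $TrusteeName, $fsr, $inh, $prop, $type
}

# Constructed rule, no file system change: decodes to 'this folder, subfolders, files'
$rule = New-FullTreeRule -TrusteeName 'NT AUTHORITY\Authenticated Users' -Permission Modify
Get-AceScope -Ace $rule

# Read-only audit of the folder from the examples above: one row per ACE with its scope
(Get-Acl -Path C:\Test).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited,
        @{ Name = 'AppliesTo'; Expression = { Get-AceScope -Ace $_ } }
```

To apply the single rule instead of three calls, add it with $acl.AddAccessRule($rule) and write the ACL back with Set-Acl exactly as add-acl does.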
