Explain for beginners the ACL object property "SetAccessRuleProtection" in PowerShell with examples


Examples

Actually, there are only 3 scenarios:

$acl.SetAccessRuleProtection($True, $True)
$acl.SetAccessRuleProtection($True, $False)
$acl.SetAccessRuleProtection($False, X) -- preserveInheritance is ignored when isProtected is false

So your first example is as described except for your "Furthermore..." part. preserveInheritance plays no part in that example.

Your second example is correct, everything is removed and only the owner will have access.

In line with your previous examples, an example of the (True, True) scenario would be

# parent: inheritance left enabled (second argument is ignored when the first is $False)
$fpath = "\\server\grandfather\parent"
New-Item -ItemType directory -Path $fpath
$acl = Get-Acl $fpath
$acl.SetAccessRuleProtection($False, $True)
Set-Acl $fpath $acl | Out-Null
# son: inheritance blocked and the inherited entries removed
$spath = "\\server\grandfather\parent\son"
New-Item -ItemType directory -Path $spath
$acl = Get-Acl $spath
$acl.SetAccessRuleProtection($True, $False)
Set-Acl $spath $acl | Out-Null
# daughter: inheritance blocked but the inherited entries kept as explicit copies
$dpath = "\\server\grandfather\parent\daughter"
New-Item -ItemType directory -Path $dpath
$acl = Get-Acl $dpath
$acl.SetAccessRuleProtection($True, $True)
Set-Acl $dpath $acl | Out-Null

This would result in the daughter folder having exactly the same permissions as the parent but, crucially, they wouldn't be marked as inherited. They would be marked as permissions explicitly on the daughter folder.


Why the examples aren't really appropriate

The examples above are brand new folders, so they have nothing beyond the default permissions. Additionally, since the default permissions are inherited automatically, all the child folders will already have the same sets of permissions. Using Set-Acl and SetAccessRuleProtection in this scenario, without modifying the ACL, doesn't really offer much.

A typical usage of SetAccessRuleProtection is to control what happens to existing AccessRules when modifying an ACL, i.e. adding a new user to the ACL with Modify permissions. Do you want to

  • Add the new user and preserve all current permissions: SetAccessRuleProtection(False, X)
  • Add the new user and remove all inherited permissions: SetAccessRuleProtection(True, False)
  • Add the new user and convert all inherited permissions to explicit permissions: SetAccessRuleProtection(True, True)

In the above example, SetAccessRuleProtection becomes more useful by adding more control over the existing permissions in an ACL.
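The following script is an added example, not code from the original answer: it applies each of the three SetAccessRuleProtection scenarios from the list above to its own test folder while adding one extra identity with Modify rights in the same ACL object, then reports which entries on each folder are inherited and which are explicit. The folder location under $env:TEMP and the identity 'BUILTIN\Users' are assumptions chosen so the script runs on any Windows machine; replace them with your own path and the account you actually want to add.

```powershell
# Added example: the three SetAccessRuleProtection scenarios while adding a new access rule.
# Assumptions: test folders under $env:TEMP; 'BUILTIN\Users' stands in for the user being added.

function Set-FolderProtection {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)]
        [ValidateSet('PreserveAll', 'RemoveInherited', 'ConvertToExplicit')]
        [string] $Mode
    )

    $acl = Get-Acl -Path $Path

    switch ($Mode) {
        # (False, X): inheritance stays on; the second argument is ignored
        'PreserveAll'       { $acl.SetAccessRuleProtection($false, $true) }
        # (True, False): inheritance blocked, inherited entries dropped
        'RemoveInherited'   { $acl.SetAccessRuleProtection($true, $false) }
        # (True, True): inheritance blocked, inherited entries kept as explicit copies
        'ConvertToExplicit' { $acl.SetAccessRuleProtection($true, $true) }
    }

    # The new rule is added to the same ACL object before Set-Acl, so that in the
    # RemoveInherited case the folder does not end up with an empty DACL.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

function Show-FolderAccess {
    param([Parameter(Mandatory)] [string] $Path)

    $acl = Get-Acl -Path $Path
    # AreAccessRulesProtected reflects the first argument passed to SetAccessRuleProtection
    "{0}  (AreAccessRulesProtected = {1})" -f $Path, $acl.AreAccessRulesProtected
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# Driver: one fresh folder per scenario
$root     = Join-Path $env:TEMP 'AclDemo'       # assumption: scratch location
$identity = 'BUILTIN\Users'                     # assumption: stand-in for the account to add
New-Item -ItemType Directory -Path $root -Force | Out-Null

foreach ($mode in 'PreserveAll', 'RemoveInherited', 'ConvertToExplicit') {
    $folder = Join-Path $root $mode
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Set-FolderProtection -Path $folder -Identity $identity -Mode $mode
    Show-FolderAccess -Path $folder
}
```

Reading the output: the PreserveAll folder lists the entries inherited from its parent (IsInherited True) plus the one new explicit entry; the RemoveInherited folder lists only the new explicit entry, which is why the rule is added before Set-Acl rather than in a second pass; the ConvertToExplicit folder lists the same identities as PreserveAll, but every entry now shows IsInherited False, matching the daughter-folder description earlier in the answer.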

Footnote

Actually, the (True, True) example given at the beginning of this answer could be useful with brand new folders if you were looking to break inheritance of the default permissions for further children of the daughter folder but preserve them for the daughter folder.


Updated on June 04, 2022

Comments

  • Admin, about 2 years ago

    I am having issues understanding exactly what the SetAccessRuleProtection property does in PowerShell.

    If we take a look at Microsoft's documentation here.

    Sets or removes protection of the access rules associated with this ObjectSecurity object. Protected access rules cannot be modified by parent objects through inheritance.

    isProtected

    Type: System.Boolean

    true to protect the access rules associated with this ObjectSecurity object from inheritance; false to allow inheritance.

    preserveInheritance

    Type: System.Boolean

    true to preserve inherited access rules; false to remove inherited access rules. This parameter is ignored if isProtected is false.

    OK, it sort of explains itself but it doesn't always work. Take some simple code like this:

    $fpath = "\\server\grandfather\parent"
    New-Item -ItemType directory -Path $fpath
    $acl = Get-Acl $fpath
    $acl.SetAccessRuleProtection($False,$True)
    Set-Acl $fpath $acl | Out-Null
    

    According to the documentation, this would mean that "\\server\grandfather\parent" inherits EVERYTHING from its parent, which would be "grandfather" in this case, because the "isProtected" parameter is set to false, which allows inheritance. Furthermore, since preserveInheritance is set to true, it KEEPS the inheritance rules it got from "grandfather".

    Let's go further down the code:

    $fpath = "\\server\grandfather\parent"
    New-Item -ItemType directory -Path $fpath
    $acl = Get-Acl $fpath
    $acl.SetAccessRuleProtection($False,$True)
    Set-Acl $fpath $acl | Out-Null
    $spath = "\\server\grandfather\parent\son"
    New-Item -ItemType directory -Path $spath
    $acl = Get-Acl $spath
    $acl.SetAccessRuleProtection($True,$False)
    Set-Acl $spath $acl | Out-Null
    

    In this case, "\\server\grandfather\parent\son" inherits NOTHING because it is protected from inheritance. In case it does (which would be impossible but), it REMOVES all its inherited properties. This would make the folder basically inaccessible except by the owner.

    Is this correct? Could you give some more examples with this using

    $acl.SetAccessRuleProtection($True,$True)
    $acl.SetAccessRuleProtection($False,$False)
    $acl.SetAccessRuleProtection($True,$False)
    $acl.SetAccessRuleProtection($False,$True)