Add AD Group to Shares That Have Inheritance Disabled

palmero · March 1, 2023, 4:38pm

Hello.

I need to add a group to all shares/folders where inheritance is disabled.

First, find folders with no inheritance:

# Start of code flag directories where inheritance is disabled

$folders = gci -recurse \\myNAS\myTopShare
foreach ($path in $folders) {
  if ($path.PSIsContainer -eq $false)   {
    continue
  }
  if ((get-acl $path.fullname).AreAccessRulesProtected -eq $true) {
    $path.fullname
  }
}

# End of code flag directories where inheritance is disabled

Above code seems to be working. For example, it returns the following where Sub2 indeed has inheritance disabled.

\\myNAS\myTopShare\Sub1\Sub2

Note that there are additional folders below Sub2 that inherit settings from Sub2.

Next step is to add the AD group to Sub2:

# Start of code add group to group

$path = "\\myNAS\myTopShare\Sub1\Sub2"
$group = "Sample AD Group"
$acl = Get-Acl -Path $path
$grp = New-Object System.Security.AccessControl.FileSystemAccessRule($group,"FullControl,Modify","Allow")
$acl.SetAccessRule($grp)
$acl | Set-Acl $path

# End of code add group to share

However, the added group ends up with “Special Permissions” where security is applied as “This folder only”.

I would like to add the group where security applies to “This folder, subfolder and files”.

Any suggestions greatly appreciated.

alex-innes · March 2, 2023, 1:12pm

Hi Palmero,

When you pass in the rule, you need to define how it apples, you can see examples of this in:
https://ss64.com/ps/set-acl.html

palmero · March 3, 2023, 3:19pm

Thanks for the suggestion. The following code does what I want.

$path  = 'myNAS\myFolder'
$group = 'myAdmin Group'
$perm  = $group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm 
$acl.SetAccessRule($rule)
$acl | Set-Acl $path

But, subfolders of myFolder that have inheritance enabled are not picking up the added “myAdmin Group”. I need to figure out a way to force downstream replication after I’ve added the group.

Thank you.

Topic		Replies	Views
Powershell to add group permissions to folder, shows as SID PowerShell Help	0	133	December 31, 2011
Inventory OUs with ACL (Disable Inheritance) PowerShell Help	5	254	December 10, 2020
List folder access, AD groups and AD members PowerShell Help	4	246	June 29, 2018
Get User ACL inheritance settings (SDHolder) PowerShell Help	3	335	December 22, 2020
AD Command help PowerShell Help	6	84	June 17, 2016

Add AD Group to Shares That Have Inheritance Disabled

Related Topics