Add AD Group to Shares That Have Inheritance Disabled


I need to add a group to all shares/folders where inheritance is disabled.

First, find folders with no inheritance:

# Start of code flag directories where inheritance is disabled

$folders = gci -recurse \\myNAS\myTopShare
foreach ($path in $folders) {
  if ($path.PSIsContainer -eq $false)   {
  if ((get-acl $path.fullname).AreAccessRulesProtected -eq $true) {

# End of code flag directories where inheritance is disabled

Above code seems to be working. For example, it returns the following where Sub2 indeed has inheritance disabled.


Note that there are additional folders below Sub2 that inherit settings from Sub2.

Next step is to add the AD group to Sub2:

# Start of code add group to group

$path = "\\myNAS\myTopShare\Sub1\Sub2"
$group = "Sample AD Group"
$acl = Get-Acl -Path $path
$grp = New-Object System.Security.AccessControl.FileSystemAccessRule($group,"FullControl,Modify","Allow")
$acl | Set-Acl $path

# End of code add group to share

However, the added group ends up with “Special Permissions” where security is applied as “This folder only”.

I would like to add the group where security applies to “This folder, subfolder and files”.

Any suggestions greatly appreciated.

Hi Palmero,

When you pass in the rule, you need to define how it apples, you can see examples of this in:

Thanks for the suggestion. The following code does what I want.

$path  = 'myNAS\myFolder'
$group = 'myAdmin Group'
$perm  = $group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm 
$acl | Set-Acl $path

But, subfolders of myFolder that have inheritance enabled are not picking up the added “myAdmin Group”. I need to figure out a way to force downstream replication after I’ve added the group.

Thank you.