NTFS Permissions on Non-Inherited folders

Hi All, hoping to get some help with this as I'm not sure if it's even possible.

I'm trying to add one security group as read-only to 1000s of folders that have existing NTFS permissions.

The problem I have is propagating the new group onto folders that do not have inheritance enabled. Is there a way to perform this without having to change inheritance to allow first?

Thanks in advance. Copy of the script I’m using below:

# Variables
$dir = 'C:\test'
#End

# Retrieve current ACLs
(Get-Acl $dir).Access | Format-Table

# Create the ACE
$identity = 'domain\ReadOnly'
$rights = 'Read'
$inheritance = 'ContainerInherit'  # add ObjectInherit to cover files as well
$propagation = 'None'
$type = 'Allow'
$ACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity,$rights,$inheritance,$propagation,$type)

# Add ACE to ACL
$ACL = Get-Acl $dir
$ACL.AddAccessRule($ACE)

# Set ACL
Set-Acl $dir -AclObject $ACL

# Verify
(Get-Acl $dir).Access | Format-Table
#End

Many Thanks

Hi, welcome to the forum :wave:

I think your best bet will be to audit the folders that don’t have inherit enabled and then apply the permissions to that list of folders. You can audit those folders with this command:

Get-ChildItem $dir -Recurse -Directory | Where-Object { (Get-Acl $_.FullName).AreAccessRulesProtected -eq $true }

Hi Matt, thanks for the response. I've been auditing the folders using TreeSize and then applying the script directly to the folders that have inheritance blocked as a workaround, but this is taking a lot of time. Using your script, I'm now able to create a txt file that lists all the folders that have inheritance blocked, so thank you for that.

# Variables
$dir = 'c:\test'
#End
Get-ChildItem $dir -Recurse -Directory | Where-Object { (Get-Acl $_.FullName).AreAccessRulesProtected -eq $true } | Group-Object 'FullName' | Select-Object 'Name' | Out-File 'c:\temp\Dirlist.txt'

output shows:

Name

C:\test\Folder1\Inherit Blocked
C:\test\Folder3\blocked1

If I can now tell the original script to target these paths, then it's job done. Hoping this is possible?

Thanks again for your help.

Regards

Yes, absolutely. You just need to loop over the folders:

foreach ($dir in (Get-Content E:\Temp\Files\DirList.txt)) {

    # Retrieve current ACLs
    (Get-Acl $dir).Access | Format-Table

    # Create the ACE
    $identity = 'domain\ReadOnly'
    $rights = 'Read'
    $inheritance = 'ContainerInherit'  # add ObjectInherit to cover files as well
    $propagation = 'None'
    $type = 'Allow'

    $ACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity,$rights,$inheritance,$propagation,$type)

    # Add ACE to ACL
    $ACL = Get-Acl $dir
    $ACL.AddAccessRule($ACE)

    # Set ACL
    Set-Acl $dir -AclObject $ACL

    # Verify
    (Get-Acl $dir).Access | Format-Table

    #End

}
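The audit-then-apply procedure from the two replies above, folded into one pass as an added example (not Matt's or the original poster's code): it finds the folders whose ACL is protected, builds the ACE once, skips folders that already carry an explicit entry for the group so re-runs are idempotent, supports -WhatIf for a dry run, and emits one record per folder for a report. The function name, the 'DOMAIN\ReadOnly' identity, the CSV path and the choice of ReadAndExecute with both inheritance flags are assumptions, not values from the thread.

```powershell
function Add-ReadOnlyAceToProtectedFolders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'DOMAIN\ReadOnly' (assumed name)
    )
    # Build the ACE once; ContainerInherit + ObjectInherit so the group also
    # reads files and subfolders beneath each protected folder.
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    foreach ($folder in Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
        } catch {
            [pscustomobject]@{ Path = $folder.FullName; Action = 'Error'; Detail = $_.Exception.Message }
            continue
        }
        # Folders that still inherit pick the ACE up from the root; only
        # protected (inheritance-disabled) folders need an explicit entry.
        if (-not $acl.AreAccessRulesProtected) { continue }

        # Idempotent: skip folders where the group already has an explicit Allow ACE.
        $present = $acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Identity
        }
        if ($present) {
            [pscustomobject]@{ Path = $folder.FullName; Action = 'Skipped'; Detail = 'ACE already present' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($folder.FullName, "Add Allow ReadAndExecute for $Identity")) {
            $acl.AddAccessRule($ace)
            Set-Acl -LiteralPath $folder.FullName -AclObject $acl
            [pscustomobject]@{ Path = $folder.FullName; Action = 'Added'; Detail = '' }
        }
    }
}

# Dry run first (-WhatIf), then apply and keep the report (paths are assumed):
Add-ReadOnlyAceToProtectedFolders -Root 'C:\test' -Identity 'DOMAIN\ReadOnly' -WhatIf
Add-ReadOnlyAceToProtectedFolders -Root 'C:\test' -Identity 'DOMAIN\ReadOnly' |
    Export-Csv -LiteralPath "$env:TEMP\ProtectedFolderAcl.csv" -NoTypeInformation
```

Run it from an account that can read every ACL under the root; folders the account cannot enumerate are silently skipped by Get-ChildItem, so compare the report against the TreeSize audit before trusting it as complete.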

Hey Matt, worked like a charm and beers on me.
Really appreciate the help. Thanks

You’re welcome, I’m glad it worked! :beers: