Replace child object permissions on existing folders/subfolders/files

Hi all,

I’ve created a new folder structure for a customer of mine; however, due to the customer forcing us to go to production instead of test, there were some small issues concerning permissions on certain sub-folders.
The problem is that we’re talking about approximately 50.000 folders, of which a subset needs the option “Replace all child object permission entries with inheritable permission entries from this object” set.

So for example I have D:\Data\DepartmentA\ProjectA\Subfolder1
This file has custom permissions all set on it and newly created files within this folder and its sub-folder will get the correct permissions.
However some copied files [before the permissions were re-set using Set-ACL] still have different permissions, allowing only the person who copied these files access to them.
Is there any way using PowerShell I can simply ONLY set the option to “Replace all child object permission entries with inheritable permission entries from this object” WITHOUT having to re-define all the custom permissions on that folder?

I’ve been going through a bunch of articles found through Google, but all of them seem to create a New-Object in which I need to define my full permission set again, which would just be an enormous pain to do.
Here are some of the resources already used:

If I do it manually, simply ticking the box under Advanced Security settings is sufficient to resolve the issue, but of course I would like to automate the process due to the sheer number of folders affected.

Does anyone have any tips on how I can get this resolved?

Thanks
Robert

I made this a while back; maybe it will be useful. But in my findings the PowerShell way of setting folder and file permissions is not very great. I have other scripts that just use PowerShell to do the recursion and pipe the information to icacls.exe to change the permissions.

But to reset inheritance PowerShell does the job pretty good.

-VERN

Hey Vern,

Thanks for the quick reply.
The problem however isn’t with the Enable/Disable inheritance from parent folder as described [I’ve used that when creating the folders myself], but the tick box below [when looking at the security settings for the folder] which is called:
Replace all child object permission entries with inheritable permission entries from this object

This basically forces every file and folder below D:\Data\DepartmentA\ProjectA\Subfolder1 to get the same permissions that Subfolder1 has.
Unfortunately this is the bit I can define when completely re-doing the permissions using any one of the examples as I’ve provided above, however I would prefer to only set that tick box option through PowerShell instead of re-doing the permissions as well.

Kind regards
Robert

Update:

I think I have found the solution.
While not completely using PowerShell, it seems to be the quickest solution.

Tipped by Vern’s post above and searching, I found this article which does what I required.
Combined with my previous scripts, I’ve come to the following solution:

$ACL = Get-Acl -Path C:\Customer\Projects\permissions\Template
$Folders = Get-ChildItem -Recurse -Path "D:\Data\Projects" -Filter 'Subfolder*' | Select-Object -ExpandProperty FullName
foreach ($Folder in $Folders) {
   # write the variables found - check if the folder path is correct
   # Write-Output "This foldername is $Folder"
   # convert foldername to a icacls approved path
   $icacls = "$Folder\*"
   # check if the icacls path is correct
   # Write-Output "icacls path is $icacls"
   # set the ACL required on the folder
   Set-ACL -Path $Folder -AclObject $ACL
   # replace all child permissions for the folder
   icacls $icacls /q /c /t /reset
}

I’ve tested this on several test folders and they all obtain the permissions I’ve set on my Template folder.
Thanks for the push in the right direction, I hope this also helps others!

Kind regards
Robert
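
An added example, not part of Robert's script or of the article he found: a PowerShell pre-check that lists which files and folders below each matched folder still carry explicit (non-inherited) entries or have inheritance disabled, and saves their current ACLs with icacls /save before any /reset is run. $Root and $BackupDir are assumed paths, and Get-NonInheritedChild is a hypothetical helper name.

```powershell
# Added example: audit and back up before running "icacls <folder>\* /q /c /t /reset".
# $Root and $BackupDir are placeholder values (assumptions), adjust before use.
$Root      = 'D:\Data\Projects'
$BackupDir = 'C:\Temp\AclBackup'

function Get-NonInheritedChild {
    param([Parameter(Mandatory)][string]$Path)
    # Every file and folder below $Path (the folder itself keeps its own ACL).
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch {
                # Unreadable ACLs are reported, not skipped silently.
                [pscustomobject]@{ Path = $item.FullName; Protected = $null
                                   ExplicitAces = 'ACL unreadable' }
                return
            }
            # Explicit ACEs are the entries that /reset will remove.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            # AreAccessRulesProtected is true when inheritance is disabled on the item.
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path         = $item.FullName
                    Protected    = $acl.AreAccessRulesProtected
                    ExplicitAces = ($explicit | ForEach-Object {
                        "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                }
            }
        }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$n = 0
# -Directory limits the matches to folders (PowerShell 3.0 or later).
Get-ChildItem -Path $Root -Recurse -Directory -Filter 'Subfolder*' | ForEach-Object {
    $n++
    $findings = @(Get-NonInheritedChild -Path $_.FullName)
    if ($findings.Count -eq 0) { return }   # nothing below this folder would change
    $findings | Export-Csv -Path (Join-Path $BackupDir "audit-$n.csv") -NoTypeInformation
    # Save the child ACLs; put them back with: icacls <folder> /restore <file>
    icacls "$($_.FullName)\*" /save (Join-Path $BackupDir "acl-$n.txt") /t /c /q
    "{0}: {1} item(s) differ from inherited permissions" -f $_.FullName, $findings.Count
}
```

Running the same audit again after the /reset pass should produce no findings for a folder; any path still listed is one where the reset did not take effect.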

Glad to hear it Robert!

icacls is still very powerful and the PowerShell method requires first having a “good file” to grab ACLs from in order to set ACLs and that needs work in my opinion.

However there’s no shame in the hybrid approach. =)

-VERN