Setting ACL's on Top Three Level Folders


I am new to the forum and PowerShell as well. Longtime Windows admin but slowly getting deeper into doing more with PowerShell and hoping to get some pointers on how to accomplish more with PowerShell.

Currently I am trying to create a script that will set the ACL permissions on the top three levels of a project directory every time we create a new project. I was able to figure out how to select the top three directories in a project by using the Get-ChildItem -Recurse -Depth 3 command. I also think I have the correct routine for applying multiple ACLs to a folder but I am looking to figure out how to bring them together.

Here is what I have written so far:

Get-ChildItem -Path C:\Data\Projects\PRJ01 -Recurse -Depth 3
$ProjectFolders = ?
foreach ($ProjectFolder in $ProjectFolders) {
    $acl = Get-Acl $ProjectFolder
    $acl.SetAccessRuleProtection($True, $False)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Executive","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Staff","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    Set-Acl F:Folder $acl
}

The -Depth parameter in PS5 is really useful here. Any comments or criticisms are welcome!

It depends if you want the script to be authoritative or cloning one of your already configured folders is also good enough.
Then you could just clone the ACL from there to your new folders like this:

$ProjectFolders = Get-ChildItem -Path C:\Data\Projects\PRJ01 -Recurse -Depth 3 -Directory
Get-Acl -Path 'path to ACL Source Folder'|Set-Acl $ProjectFolders.fullname

I added the -Directory parameter so you only get folders and not files. As always, please test the code first.
If you want more information on what your options are, then I recommend this video: YouTube
If the script needs to be authoritative, I think you have to adjust the script because I don’t think your code is working now.
Maybe for your scenario DSC is something you should look into as well.

Hello Daan,

Thanks so much for your suggestion on this. I really like the idea of keeping a template that we can adjust and then apply those settings to the project folders. I set up a test using the code you suggested and it was successful in setting the ACLs on the top three folders, but it applied the same ACL to all the folders underneath the top 3 as well. In the Template folder I am giving STAFF read and execute permissions and EXECUTIVE read and write permissions; at the 4th level both STAFF and EXECUTIVE should have read and write. In the test, the 4th level folder of the folder getting the ACLs was set using the same ACL as the above folders and not what was set in the Template.

Is there a way I can have the destination folders mimic exactly the permissions we set in the Template folder?

Thanks again!


Hi Jason,

I guess that’s because of inheritance.
I set up an example script, but since I don’t know your exact folder structure you should be exploring your possibilities a little bit. I think this is a good starting point.

#get Template folders
$ProjectFoldersTopThreeTemplate = Get-ChildItem -Path E:\Foldertest -Directory
$ProjectFoldersRestTemplate = Get-ChildItem -Path E:\Foldertest\Child1\Child2\Child3

#get folders to set ACL
$ProjectFoldersTopThree = Get-ChildItem -Path E:\Test -Directory
$ProjectFoldersRest = Get-ChildItem -Path E:\Folder3\c1\c2\c3

#get ACL Templates
$ACLTopThree = $ProjectFoldersTopThreeTemplate|get-acl
$ACLRest =$ProjectFoldersRestTemplate|get-acl

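#Take away inheritance for rest folders
$acl = $ProjectFoldersRest|get-acl
#SetAccessRuleProtection($true, $false) blocks inheritance and drops the inherited rules
$acl | ForEach-Object { $_.SetAccessRuleProtection($true, $false) }
$ACL | Set-Acl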

#set Permissions first three
Get-Acl -Path $ProjectFoldersTopThreeTemplate.FullName|Set-Acl $ProjectFoldersTopThree.FullName

#set permissions rest
Get-Acl -Path $ProjectFoldersRestTemplate.FullName|Set-Acl $ProjectFoldersRest.FullName
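
One way to make every project folder take the ACL of the template folder at the same relative path, which is what the question above asks for. This is an added example, not code from any poster in this thread; the function name Copy-TemplateAcl and the C:\Data\Template path are assumptions.

```powershell
# Added example. Copy-TemplateAcl and C:\Data\Template are hypothetical names.
function Copy-TemplateAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateRoot,
        [Parameter(Mandatory)][string]$ProjectRoot,
        [int]$Depth = 3   # same -Depth value used in the thread
    )
    $srcRoot = (Get-Item -LiteralPath $TemplateRoot -ErrorAction Stop).FullName.TrimEnd('\')
    $dstRoot = (Get-Item -LiteralPath $ProjectRoot -ErrorAction Stop).FullName.TrimEnd('\')
    $dacl    = [System.Security.AccessControl.AccessControlSections]::Access

    # Sorting by full path guarantees a parent is handled before its children.
    $templateDirs = Get-ChildItem -LiteralPath $srcRoot -Directory -Recurse -Depth $Depth |
        Sort-Object FullName

    foreach ($dir in $templateDirs) {
        # Pair folders by their path relative to each root.
        $relative = $dir.FullName.Substring($srcRoot.Length).TrimStart('\')
        $target   = Join-Path -Path $dstRoot -ChildPath $relative
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            Write-Warning "No matching project folder for template '$relative'"
            continue
        }

        # Copy only the DACL, as SDDL: the access rules plus the "protected"
        # (inheritance blocked) flag. Owner and audit rules stay untouched.
        $sddl = (Get-Acl -LiteralPath $dir.FullName).GetSecurityDescriptorSddlForm($dacl)
        $acl  = Get-Acl -LiteralPath $target
        $acl.SetSecurityDescriptorSddlForm($sddl, $dacl)

        if ($PSCmdlet.ShouldProcess($target, 'Apply template DACL')) {
            Set-Acl -LiteralPath $target -AclObject $acl
        }

        # Report what was (or would be) applied so the result can be reviewed.
        [pscustomobject]@{
            Folder             = $relative
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Sddl               = $sddl
        }
    }
}

# Dry run first; remove -WhatIf to apply.
Copy-TemplateAcl -TemplateRoot 'C:\Data\Template' -ProjectRoot 'C:\Data\Projects\PRJ01' -WhatIf
```

For a 4th-level template folder to keep its own rules instead of the ones above it, inheritance has to be disabled on that folder in the template, so that InheritanceBlocked is True for it in the output.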