My experience shows you have to use the right set of parameters for FileSystemAccessRule. Another thing to be aware of is that if you are creating the account in the same script, you may have to delay it, or get the GUID of the account at creation (-PassThru) and apply with that.
The particular constructor I've had to follow is this one:
FileSystemAccessRule Constructor (IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType)
Details: https://msdn.microsoft.com/en-us/library/ms147785(v=vs.110).aspx
Here are some snippets of the script I created at work that is used to make new shared folders.
$Internal_ACL = Get-Acl -Path $Internal
#region Disable Inheritance, remove previous ACLs
# Protect the DACL (stop inheriting from the parent) without copying the inherited ACEs;
# what remains in $Internal_ACL.Access are the explicit ACEs, which are removed next.
$Internal_ACL.SetAccessRuleProtection($true, $false)
$Internal_ACL.Access | ForEach-Object { $Internal_ACL.RemoveAccessRule($_) | Out-Null }
#endregion Disable Inheritance, remove previous ACLs
#region Create ACLs
# Argument order: Identity, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
# Domain Admins: full control on the folder and everything below it
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Domain Admins', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$Internal_ACL.AddAccessRule($Rule) | Out-Null
# Group rights, split in two so members cannot delete or rename the share root itself:
#  - subfolders and files only (InheritOnly): Modify plus DeleteSubdirectoriesAndFiles
#  - this folder only: the same minus Delete (Modify = ReadAndExecute + Write + Delete)
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Department.Group, 'DeleteSubdirectoriesAndFiles, Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'
$Internal_ACL.AddAccessRule($Rule) | Out-Null
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Department.Group, 'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute', 'None', 'None', 'Allow'
$Internal_ACL.AddAccessRule($Rule) | Out-Null
# Internal Group rights: read-only on the folder and everything below it
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Department.GroupInR, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$Internal_ACL.AddAccessRule($Rule) | Out-Null
#endregion Create ACLs
#region Set ACLs
Set-Acl -Path $Internal -AclObject $Internal_ACL -ErrorVariable ACLError -ErrorAction SilentlyContinue | Out-Null
if ($ACLError)
{
    # Set-Acl needs WRITE_DAC on the folder; if the running account is not the owner
    # and has no explicit right, taking ownership first is the usual fix.
    Write-Output -InputObject "An error was caught attempting to apply security rights, `n`tyou may have to take ownership of the '$ParentPath\$Internal' folder"
    Write-Verbose -Message "$ACLError"
    $ACLError = $false
} # if ACLError
#endregion Set ACLs
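As an added example (not code from the answer above), here is the same pattern turned into reusable functions: inheritance off, explicit rules only, Modify below the root but no Delete on the root itself, with two things the snippet leaves to the reader. Principals are resolved to SIDs up front, retrying on IdentityNotMappedException, which is the failure you hit when the group was created seconds earlier in the same script; and the folder's ACL is re-read afterwards to verify that nothing inherited survived and no unexpected principal is present. The path and the CONTOSO\... group names are placeholders.

```powershell
# Added example: protected share-root ACL with SID resolution and post-apply verification.
# Requires PowerShell 5+ for [Type]::new(); on older versions use New-Object -ArgumentList.

function Resolve-PrincipalSid {
    # Translate 'DOMAIN\Name' to a SecurityIdentifier. A group created moments ago may
    # not resolve yet (IdentityNotMappedException), so retry before giving up.
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Retries = 12,
        [int]$DelaySeconds = 5
    )
    for ($attempt = 0; $attempt -le $Retries; $attempt++) {
        try {
            $account = [System.Security.Principal.NTAccount]$Name
            return $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            if ($attempt -eq $Retries) { throw }
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

function New-ShareRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$FullControl = @(),
        [string[]]$Modify      = @(),
        [string[]]$ReadOnly    = @()
    )
    $acl = Get-Acl -Path $Path

    # Protect the DACL, drop inherited ACEs, then remove whatever explicit ACEs are left.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { $null = $acl.RemoveAccessRule($ace) }

    $subtree   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisOnly  = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($name in $FullControl) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            (Resolve-PrincipalSid $name), 'FullControl', $subtree, $propagate, $allow))
    }
    foreach ($name in $Modify) {
        $sid = Resolve-PrincipalSid $name
        # Below the root: Modify (InheritOnly, so this ACE does not apply to the root itself).
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, 'Modify, DeleteSubdirectoriesAndFiles', $subtree,
            [System.Security.AccessControl.PropagationFlags]::InheritOnly, $allow))
        # The root itself: Modify minus Delete, so members cannot delete or rename the share.
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, 'ReadAndExecute, Write, DeleteSubdirectoriesAndFiles', $thisOnly, $propagate, $allow))
    }
    foreach ($name in $ReadOnly) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            (Resolve-PrincipalSid $name), 'ReadAndExecute', $subtree, $propagate, $allow))
    }
    # -ErrorAction Stop: a failure (typically missing WRITE_DAC, i.e. not the owner) throws.
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
}

function Test-ShareRootAcl {
    # Re-read the ACL and return anything a reviewer would flag: inheritance still on,
    # inherited ACEs left behind, or ACEs for principals outside the allow-list.
    # An empty result means the folder carries exactly the intended rules.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ExpectedPrincipals
    )
    $acl = Get-Acl -Path $Path
    $expected = @($ExpectedPrincipals | ForEach-Object { (Resolve-PrincipalSid $_).Value })
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IsInherited) {
            $problems += "inherited ACE left for $($ace.IdentityReference.Value)"
        } elseif ($ace.IdentityReference.Value -notin $expected) {
            $problems += "unexpected ACE: $($ace.IdentityReference.Value) $($ace.FileSystemRights) $($ace.AccessControlType)"
        }
    }
    return $problems
}

# Usage (placeholder path and groups): create the folder, apply the ACL, then verify it.
$root = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-ShareRootAcl -Path $root -FullControl 'CONTOSO\Domain Admins' -Modify 'CONTOSO\Finance-RW' -ReadOnly 'CONTOSO\Finance-RO'
Test-ShareRootAcl -Path $root -ExpectedPrincipals 'CONTOSO\Domain Admins', 'CONTOSO\Finance-RW', 'CONTOSO\Finance-RO'
```

Two caveats worth knowing when using this (or the snippet above) for real: the rules are written with SIDs rather than names, so Set-Acl never has to resolve an account that may not have replicated yet; and removing every inherited ACE also removes the inherited entries for SYSTEM and the local Administrators group, so if backup or endpoint agents run as SYSTEM, add 'NT AUTHORITY\SYSTEM' to -FullControl and to -ExpectedPrincipals.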