1

I wish to disable ACL inheritance on a group of subfolders, while retaining existing permissions.

To this end, I'm running this snippet:

gci | % {
  $Acl = Get-Acl $_
  $Acl.SetAccessRuleProtection($true, $true)
  Set-Acl $_ $Acl
}

For each subfolder, an error occurs:

Set-Acl : Cannot set the ACL because the method that it needs to invoke, SetSecurityDescriptor, does not exist.

I found this similar question, but it's not quite an exact duplicate. OP intends to clear all permissions; I would like to retain them.

Also: OP states "I got rid of the error message," but doesn't reveal how he managed to do so

How can I use PowerShell to accomplish this?

InteXX
  • 6,135
  • 6
  • 43
  • 80

2 Answers2

1

There are a number of problems with Set-Acl. I typically try to rely on .NET for ACL work:

try {
    $FileSystemObject = (Get-Item '.\accessibilitycpl.dll')
    $Acl = $FileSystemObject.GetAccessControl()
    $Acl.SetAccessRuleProtection($true,$false)
    $FileSystemObject.SetAccessControl($Acl)
} catch {
    ## Catch exceptions!
}
InteXX
  • 6,135
  • 6
  • 43
  • 80
thepip3r
  • 2,855
  • 6
  • 32
  • 38
  • That worked, thank you. FYI I changed the second argument to `$true` to copy existing permissions. – InteXX Mar 06 '20 at 17:32
  • Yeah I think I copied Shamus's Code instead of yours as a skeleton to modify -- sorry about that. – thepip3r Mar 06 '20 at 17:41
0

This should work for you:

Get-ChildItem | ForEach-Object {
    $Acl = Get-Acl $_
    $Acl.SetAccessRuleProtection($true,$false) #Set folder inheritance to off
    Set-Acl $_ -AclObject $Acl    
}
Shamus Berube
  • 466
  • 3
  • 12
  • I see that you're correctly naming the `-AclObject` parameter. Good catch. However, the same error occurs. Note that I wish to copy the inherited permissions, so the method call would be `$Acl.SetAccessRuleProtection($true,$true)` instead. – InteXX Mar 06 '20 at 17:26