Reputation: 1360
When setting security descriptors, various resources provide the combination of PropagationFlags and InheritanceFlags to get the desired "Apply to". Unfortunately, documentation on these is sparse and a clear explanation of what these flags mean is even sparser. Yet, when I use the combination from those sources, I do not get the desired results. Specifically, to achieve "Apply to = this folder only", both flags should be None, but when I do this, the result is "Apply to this folder, subfolders and files". The combination that works, though, is PropagationFlags="InheritOnly" and InheritanceFlags="None". I am using PowerShell to set the ACL. Can someone comment on why everybody is claiming that they both should be None to get "This folder only" while it apparently does not work?
Upvotes: 1
Views: 9238
Reputation: 54881
The flags are documented on MSDN: PropagationFlags, InheritanceFlags and the combination ACL Propagation Rules. When in doubt I usually create the access rule manually with the GUI and see what it looks like using (Get-ACL c:\path).Access.
To create a "this folder only" permission you need to set both inheritance and propagation to "None". Example:
# Read the current security descriptor of the folder
$acl = Get-Acl .\test
# Constructor arguments: identity, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule "BUILTIN\Users","ReadAndExecute","None","None","Allow"
$acl.AddAccessRule($rule)
# Write the modified descriptor back to the folder
Set-Acl -Path .\test -AclObject $acl
Be aware that AddAccessRule will ignore the change if there already is a less restricted rule for BUILTIN\Users. You would need to use something like $acl.ModifyAccessRule("Set",$rule,[ref]$null) to modify an existing one.
Upvotes: 3
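As an added example (not code from the question or the answer above): this script creates a scratch folder under $env:TEMP, sets a "this folder only" rule with ModifyAccessRule("Set", ...) so that any existing BUILTIN\Users entry is replaced rather than ignored, then reads the explicit (non-inherited) entries back with Get-Acl and maps each InheritanceFlags/PropagationFlags pair to the "Apply to" label the GUI would show. The label table is assumed to follow the ACL Propagation Rules page the answer links to; Show-Rule and $applyTo are names chosen for this example.

```powershell
# Scratch folder so the experiment does not touch a real ACL
$path = Join-Path $env:TEMP ("acltest-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $path | Out-Null

# "Apply to" label shown by the GUI for each InheritanceFlags / PropagationFlags pair
# (assumed from the ACL Propagation Rules table referenced in the answer)
$applyTo = @{
    'None/None'                                   = 'This folder only'
    'ContainerInherit, ObjectInherit/None'        = 'This folder, subfolders and files'
    'ContainerInherit/None'                       = 'This folder and subfolders'
    'ObjectInherit/None'                          = 'This folder and files'
    'ContainerInherit, ObjectInherit/InheritOnly' = 'Subfolders and files only'
    'ContainerInherit/InheritOnly'                = 'Subfolders only'
    'ObjectInherit/InheritOnly'                   = 'Files only'
}

# Print one access rule together with the GUI label its flag pair corresponds to
function Show-Rule {
    param([System.Security.AccessControl.FileSystemAccessRule]$r)
    $key   = "$($r.InheritanceFlags)/$($r.PropagationFlags)"
    $label = if ($applyTo.ContainsKey($key)) { $applyTo[$key] } else { "(unlisted: $key)" }
    '{0,-16} {1,-44} -> {2}' -f $r.IdentityReference.Value, $key, $label
}

# Build the rule with the flag enums spelled out: both None = "this folder only"
$identity = 'BUILTIN\Users'
$rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit  = [System.Security.AccessControl.InheritanceFlags]::None
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$type     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $identity, $rights, $inherit, $propag, $type

$acl = Get-Acl -Path $path
# "Set" replaces any existing explicit rule for the identity instead of silently keeping a broader one
$modified = $false
$acl.ModifyAccessRule([System.Security.AccessControl.AccessControlModification]::Set, $rule, [ref]$modified) | Out-Null
Set-Acl -Path $path -AclObject $acl

# Read back only explicit entries; inherited ones carry the parent's flags and would mislead the check
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity } |
    ForEach-Object { Show-Rule $_ }

Remove-Item -Path $path -Recurse -Force
```

Filtering on IsInherited is the useful check here: an inherited BUILTIN\Users entry from the parent folder typically carries ContainerInherit, ObjectInherit and shows as "This folder, subfolders and files" even when the explicit rule you set is "This folder only".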