Reputation: 549
I click the right mouse button on my site in the IIS manager and choose 'Edit permissions' and then I click the security tab. There I have the user IUSR with the following permissions: Read & execute, List folder contents, Read. I can also verify this in PowerShell using the command Get-Acl <path> | fl, which displays:
Access : NT AUTHORITY\IUSR Allow ReadAndExecute, Synchronize
Now I delete the ACL entry for IUSR completely. I want to set it with a Powershell script, using the following lines:
$path = "<path to directory>"
$acl = Get-Acl "$path"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\IUSR","ReadAndExecute","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl "$path"
Again verifying with Get-Acl <path> | fl, it shows exactly the same information, as expected. But in the IIS manager, the previously checked rights are not set. Instead 'Special permissions' is checked. When I click on 'Advanced' and pick IUSR from the list, it shows the same permissions have been granted: Read & execute, List folder contents, Read.
But my website does not work (the browser throws error: HTTP-Error 401.3 - Unauthorized). It works only if I grant these permissions in the permissions window manually. How can I set the required permissions correctly in a PowerShell script?
Upvotes: 3
Views: 5321
Reputation: 61253
Turning my comment into an answer, this sounds like you need to also specify the Inheritance and Propagation flags for the access rule, so child objects of the folder inherit the permission.
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new("NT AUTHORITY\IUSR", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
Upvotes: 4
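The difference between the two rules in this thread, as an added example that is not code from either poster: it applies the question's three-argument rule and then the answer's inheritable rule to a scratch folder and prints the inheritance flags, which the `Get-Acl | fl` access summary does not show. It assumes Windows, a constructed scratch folder under `$env:TEMP`, and that `NT AUTHORITY\IUSR` resolves under that (English) name; `Set-IdentityRule` and `Show-IdentityAce` are hypothetical helper names.

```powershell
# Added example. Assumes Windows, a scratch folder under $env:TEMP, and that
# 'NT AUTHORITY\IUSR' resolves on this machine (English account name).
$identity = 'NT AUTHORITY\IUSR'
$root  = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())   # constructed path
$child = Join-Path $root 'index.html'                             # constructed file
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -Path $child -Value 'constructed sample content'

function Set-IdentityRule {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($Rule)    # replaces existing Allow ACEs for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Show-IdentityAce {
    param([string]$Label, [string[]]$Paths)
    Write-Host "`n== $Label =="
    foreach ($p in $Paths) {
        # Collect explicit and inherited ACEs that name the identity.
        $aces = @((Get-Acl -Path $p).Access |
            Where-Object { $_.IdentityReference.Value -eq $identity })
        if ($aces.Count -eq 0) { Write-Host "$p : no ACE for $identity"; continue }
        foreach ($ace in $aces) {
            Write-Host ("{0} : {1} | Inheritance={2} | Propagation={3} | Inherited={4}" -f
                $p, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.IsInherited)
        }
    }
}

try {
    # Rule as in the question: the 3-argument constructor leaves InheritanceFlags at None.
    $folderOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, 'ReadAndExecute', 'Allow')
    Set-IdentityRule -Path $root -Rule $folderOnly
    Show-IdentityAce -Label 'folder-only rule' -Paths $root, $child

    # Rule as in the answer: inheritable by subfolders and files.
    $inheritable = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    Set-IdentityRule -Path $root -Rule $inheritable
    Show-IdentityAce -Label 'inheritable rule' -Paths $root, $child
}
finally {
    Remove-Item -Path $root -Recurse -Force    # clean up the scratch folder
}
```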