Explain to beginners the "SetAccessRuleProtection" ACL object property in PowerShell with examples

I am having trouble understanding what the SetAccessRuleProtection property does in PowerShell.

If we look at Microsoft's documentation here .

Sets or removes the security of the access rules associated with this ObjectSecurity object. Protected access rules cannot be changed by parent objects through inheritance.

isProtected

Type: System.Boolean

true to protect the access rules associated with this ObjectSecurity object from inheritance; false to allow inheritance.

preserveInheritance

Type: System.Boolean

true to preserve inherited access rules; false to remove inherited access rules. This parameter is ignored if isProtected is false.

OK, this explains it, but it doesn't always work. Take some simple code:

$fpath = "\\server\grandfather\parent"
New-Item -ItemType directory -Path $fpath
$acl = Get-Acl $fpath
$acl.SetAccessRuleProtection($False,$True)
Set-Acl $fpath $acl | Out-Null


According to the documentation, this would mean that "\\server\grandfather\parent" inherits EVERYTHING from its parent, which would be the "grandfather" in this case, because the "isProtected" parameter is set to false, which allows inheritance. Also, because the preserveInheritance parameter is set to true, it preserves the inherited rules from the grandfather.

Let's go down the code again:

$fpath = "\\server\grandfather\parent"
New-Item -ItemType directory -Path $fpath
$acl = Get-Acl $fpath
$acl.SetAccessRuleProtection($False,$True)
Set-Acl $fpath $acl | Out-Null
$spath = "\\server\grandfather\parent\son"
New-Item -ItemType directory -Path $spath
$acl = Get-Acl $spath
$acl.SetAccessRuleProtection($True,$False)
Set-Acl $spath $acl | Out-Null


In this case, "\\server\grandfather\parent\son" inherits NOTHING because it is protected from inheritance. If it did (which would be impossible, but still), it REMOVES all of its inherited properties. This would make the folder virtually inaccessible to anyone other than the owner.

Is that right? Could you please give some more examples with

$acl.SetAccessRuleProtection($True,$True)
$acl.SetAccessRuleProtection($False,$False)
$acl.SetAccessRuleProtection($True,$False)
$acl.SetAccessRuleProtection($False,$True)



1 answer


Examples

There are actually only 3 scenarios:

$acl.SetAccessRuleProtection($True, $True)
$acl.SetAccessRuleProtection($True, $False)
$acl.SetAccessRuleProtection($False, X) -- preserveInheritance is ignored when isProtected is false

So your first example is right, except for the "Also, ..." part: preserveInheritance plays no role in this example.

The second example is correct; everything is deleted and only the owner will have access.

Following your previous examples, the (True, True) example script would be

# parent: inheritance left on (preserveInheritance is ignored here)
$fpath = "\\server\grandfather\parent"
New-Item -ItemType directory -Path $fpath
$acl = Get-Acl $fpath
$acl.SetAccessRuleProtection($False, $True)
Set-Acl $fpath $acl | Out-Null

# son: inheritance broken, inherited ACEs dropped
$spath = "\\server\grandfather\parent\son"
New-Item -ItemType directory -Path $spath
$acl = Get-Acl $spath
$acl.SetAccessRuleProtection($True, $False)
Set-Acl $spath $acl | Out-Null

# daughter: inheritance broken, inherited ACEs kept as explicit ACEs
# (the original post reused $spath here by mistake; it must be $dpath)
$dpath = "\\server\grandfather\parent\daughter"
New-Item -ItemType directory -Path $dpath
$acl = Get-Acl $dpath
$acl.SetAccessRuleProtection($True, $True)
Set-Acl $dpath $acl | Out-Null

This will cause the daughter folder to have the same rights as the parent, but, crucially, they will not be marked as inherited. They will be marked as permissions set explicitly on the daughter folder.




Why don't the examples fit?

The examples above are completely new folders with nothing but default permissions. In addition, since default permissions are inherited automatically, all child folders will already have the same permission sets. Using Set-Acl and SetAccessRuleProtection in this scenario, without changing the ACL, really doesn't do much.

A typical use for SetAccessRuleProtection is to control what happens to existing AccessRules when an ACL changes, i.e. adding a new user to the ACL with edit permissions. Do you want to

  • Add new user and keep all current permissions: SetAccessRuleProtection(False, X)

  • Add a new user and remove all inherited permissions: SetAccessRuleProtection(True, False)

  • Add a new user and convert all inherited permissions to explicit permissions: SetAccessRuleProtection(True, True)

In that kind of scenario, SetAccessRuleProtection becomes more useful, because it adds control over the existing permissions in the ACL.

Footnote

Actually, the (True, True) example given at the beginning of this answer might be useful on new folders if you want to break the inheritance of default permissions for further child folders, but keep them for the daughter folder.



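The following is an added example, not code from the question or the answer above. It runs the three distinct outcomes the answer lists on throw-away folders under $env:TEMP instead of the \\server share, puts one explicit inheritable ACE on the top folder so there is something observable to inherit, and prints what Get-Acl reports afterwards (AreAccessRulesProtected and each ACE's IsInherited flag). It also shows the "add a new user and strip inherited permissions" case from the answer done in a single Set-Acl, so the folder never ends up with an empty DACL. The helper function names, the use of BUILTIN\Users (well-known SID S-1-5-32-545) and the folder names are assumptions made for this example.

```powershell
# Added example (not from the original post). Windows only; run in any session.
# Demonstrates SetAccessRuleProtection(isProtected, preserveInheritance) outcomes.

$root = Join-Path $env:TEMP ("aclDemo_" + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $root

# Put one explicit, inheritable ACE on the top folder so that inheritance is
# visible further down (default permissions alone look the same everywhere).
# BUILTIN\Users is assumed to exist; it is a well-known SID on every Windows host.
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$usersRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $usersSid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $root
$acl.AddAccessRule($usersRule)
Set-Acl -Path $root -AclObject $acl

# Helper (assumed name): apply a protection setting to a path and write it back.
function Set-Protection {
    param([string]$Path, [bool]$IsProtected, [bool]$PreserveInheritance)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($IsProtected, $PreserveInheritance)
    Set-Acl -Path $Path -AclObject $acl
}

# Helper (assumed name): show whether inheritance is blocked and how each ACE arrived.
function Show-AclState {
    param([string]$Path, [string]$Label)
    $acl = Get-Acl -Path $Path
    "`n== $Label  ($Path)"
    "   AreAccessRulesProtected = $($acl.AreAccessRulesProtected)"
    foreach ($ace in $acl.Access) {
        "   {0,-28} {1,-32} IsInherited={2}" -f $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
    }
}

# Scenario 1: (False, X). Inheritance stays on; the second argument is ignored.
# Expect: the BUILTIN\Users ACE is present and IsInherited=True.
$inherits = New-Item -ItemType Directory -Path (Join-Path $root 'inherits')
Set-Protection -Path $inherits.FullName -IsProtected $false -PreserveInheritance $false
Show-AclState -Path $inherits.FullName -Label '(False, False): still inherits'

# Scenario 2: (True, True). Inheritance is broken, but every inherited ACE is
# copied into the DACL as an explicit ACE.
# Expect: BUILTIN\Users still present, but IsInherited=False.
$copied = New-Item -ItemType Directory -Path (Join-Path $root 'copied')
Set-Protection -Path $copied.FullName -IsProtected $true -PreserveInheritance $true
Show-AclState -Path $copied.FullName -Label '(True, True): inherited ACEs became explicit'

# Scenario 3: (True, False). Inheritance is broken and the inherited ACEs are dropped.
# Done on its own this leaves an empty DACL (only the owner can then repair it), so
# add the new principal in the same Set-Acl, which is the "add a user and remove
# all inherited permissions" case from the answer.
# Expect: only the current user's ACE, IsInherited=False; BUILTIN\Users gone.
$stripped = New-Item -ItemType Directory -Path (Join-Path $root 'stripped')
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$meRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $stripped.FullName
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule($meRule)
Set-Acl -Path $stripped.FullName -AclObject $acl
Show-AclState -Path $stripped.FullName -Label '(True, False): inherited ACEs removed, one explicit ACE added'

# Cleanup of the throw-away tree.
Remove-Item -Path $root -Recurse -Force
```

Two things worth noticing when you run it: in scenario 2 the copied ACEs keep their original inheritance flags, so they will still propagate to folders created below "copied" even though "copied" itself no longer listens to its parent; and in scenario 3 the order of the two calls on the ACL object does not matter, because Set-Acl writes the whole security descriptor at once, which is exactly why the strip-and-add should be done in one write rather than two.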




