3. File System Management Tasks - PowerShell

3.9 Enabling and Disabling Permissions Inheritance

NTFS permissions can be either explicit or inherited. Explicit permissions are manually configured, while inherited permissions are passed down from the parent folder. When permissions conflict, they take precedence in the following order:

  • Explicit Deny
  • Explicit Allow
  • Inherited Deny
  • Inherited Allow

To manage inheritance, we use the SetAccessRuleProtection method of the ACL object returned by Get-Acl. This method has two parameters:

  1. The first parameter controls whether inheritance from the parent folder is blocked. It can be set to $true or $false.
  2. The second parameter determines whether the current inherited permissions should be retained or removed. It can also be set to $true or $false, and it is ignored when the first parameter is $false.

Disabling Inheritance and Removing Inherited Permissions

To disable inheritance for the "Sales" folder and delete all inherited permissions, run the following commands:

# Get the current ACL (Access Control List) for the folder
$acl = Get-Acl \\fs1\shared\sales

# Disable inheritance and remove inherited permissions
$acl.SetAccessRuleProtection($true, $false)

# Apply the updated ACL to the folder
$acl | Set-Acl \\fs1\shared\sales

After running these commands, all inherited permissions will be removed, and only explicitly configured permissions will remain.

Re-enabling Inheritance

To revert this change and re-enable inheritance for the "Sales" folder, use the following commands:

# Get the current ACL for the folder
$acl = Get-Acl \\fs1\shared\sales

# Re-enable inheritance (the second argument is ignored when the first is $false)
$acl.SetAccessRuleProtection($false, $true)

# Apply the updated ACL to the folder
$acl | Set-Acl \\fs1\shared\sales

Important Notes

  • $true for the first parameter blocks inheritance, while $false allows it.
  • $true for the second parameter keeps current inherited permissions by converting them to explicit entries, while $false removes them.
  • Disabling inheritance with the second parameter set to $false removes all inherited permissions, leaving only explicit ones in place.
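
The following added example (not part of the original page) compares the two values of the second parameter on throwaway folders and reports the resulting ACL state, so the effect can be checked before touching a production share. The folder names under $env:TEMP and the Get-AclSummary helper are assumptions made for the demonstration.

```powershell
# Added example. Folder names under $env:TEMP are constructed for the demo.
$root   = Join-Path $env:TEMP 'acl-inheritance-demo'
$keep   = New-Item -ItemType Directory -Path (Join-Path $root 'keep')   -Force
$remove = New-Item -ItemType Directory -Path (Join-Path $root 'remove') -Force

# Hypothetical helper: summarises the inheritance state of one folder
function Get-AclSummary {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Folder    = Split-Path -Path $Path -Leaf
        Protected = $acl.AreAccessRulesProtected   # $true means inheritance is blocked
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# State of both folders before any change
$keep.FullName, $remove.FullName | ForEach-Object { Get-AclSummary -Path $_ } | Format-Table

# Case 1: block inheritance and keep the inherited rules as explicit copies
$acl = Get-Acl -Path $keep.FullName
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keep.FullName -AclObject $acl

# Case 2: block inheritance and remove the inherited rules.
# An explicit rule for the current user is added first so the folder
# does not end up with an empty ACL that nobody can use.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $remove.FullName
$acl.AddAccessRule($rule)
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $remove.FullName -AclObject $acl

# State after the change: compare the Inherited and Explicit counts per folder
$keep.FullName, $remove.FullName | ForEach-Object { Get-AclSummary -Path $_ } | Format-Table

# Remove the demo folders
Remove-Item -Path $root -Recurse -Force
```

Running Get-AclSummary against a real folder before and after a change gives a quick record of whether inheritance is blocked and how many explicit entries remain.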