Setting InheritanceFlags vs PropagationFlags in Powershell

问题

I'm trying to find the right combination of the InheritanceFlags and PropagationFlags so that my new folder will not inherit the folder's permissions before it, but will propagate the rights to the folders/files contained in the new folder... I tried swapping the two from what I have below, but that only gave the new folder the same permissions as the one above it and didn't apply my new groups...

How do I set the flags correctly to only apply the permissions to all files/folders below this folder and not pull from the parent folder?

I found this table, but it doesn't seem to do what I'm wanting...

function New-Ace {
  [CmdletBinding()]
  Param(
    [Parameter(Mandatory=$true, Position=0)]
    [Security.Principal.NTAccount]$Account,
    [Parameter(Mandatory=$false, Position=1)]
    [Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
    [Parameter(Mandatory=$false, Position=2)]
    [Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
    [Parameter(Mandatory=$false, Position=3)]
    [Security.AccessControl.PropagationFlags]$PropagationFlags = 'None',
    [Parameter(Mandatory=$false, Position=4)]
    [Security.AccessControl.AccessControlType]$Type = 'Allow'
  )

  New-Object Security.AccessControl.FileSystemAccessRule(
    $Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
  )
}

$domain = 'TestDomain'

$administrators = ([wmi]"Win32_Sid.Sid='S-1-5-32-544'").AccountName

$acl = Get-Acl $path

$administrators, "$domain\Domain Admins" | ForEach-Object {
  $acl.AddAccessRule((New-Ace $_ 'FullControl'))
}
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))

Set-Acl $path $acl

回答1:

Calling $acl.SetAccessRuleProtection($true, $false) should prevent that directory or file from inheriting permissions from its parent directory, with the second parameter specifying that the previously-inherited permissions should be removed. Enabling protection = disabling inheritance.

In your New-Ace function, InheritanceFlags specifies to which type of child object (files, directories, or both) the permissions can apply, and PropagationFlags controls whether the permissions apply to this object and/or only immediate children. Neither of these properties affects how this file or directory inherits from its parent.

By the way, PowerShell is built on .NET so the same classes, methods, etc. are available to you, and in some instances the only way to accomplish something that isn't covered by a cmdlet.

来源：https://stackoverflow.com/questions/36749719/setting-inheritanceflags-vs-propagationflags-in-powershell