I have a PowerShell script to create a directory (if it doesn’t already exist), and then make sure that only SYSTEM and local admin accounts have access:
#Create directory if it does not already exist
$path = "C:\MyDirectory"
[System.IO.Directory]::CreateDirectory($path)
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true,$false)
$System = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($System)
$Admins = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Allow")
$acl.SetAccessRule($Admins)
$rules = $acl.access | Where-Object {
    (-not $_.IsInherited) -and
    $_.IdentityReference -like "AD\*"
}
ForEach($rule in $rules) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$acl | Set-Acl $path
At the end, I remove rights granted to any domain user that may have been granted access previously. This works fine for the parent level C:\MyDirectory, but all child objects (subfolders and files) don’t receive any permissions.
I don’t want C:\MyDirectory to inherit permissions from C:\, but I do want subfolders and subfiles of C:\MyDirectory to inherit from C:\MyDirectory.
What can I do to achieve this?
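Added example (not the asker's script): one way to get the behaviour the question asks for is to pass InheritanceFlags and PropagationFlags when constructing each FileSystemAccessRule, so the ACEs apply to the folder and propagate to subfolders and files while the folder itself stays protected from C:\. It assumes the same path as the question and, unlike the question's script, clears every explicit ACE (not only domain ones) before granting SYSTEM and Administrators, then creates a probe file to show the inherited entries.

```powershell
# Added example, not the original poster's code.
$path = "C:\MyDirectory"   # same path as in the question
$null = [System.IO.Directory]::CreateDirectory($path)

$acl = Get-Acl -Path $path
# Block inheritance from C:\ and drop the inherited entries ($false = do not copy them)
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs left from earlier runs so only the two grants below remain.
# @() snapshots the collection so removing while iterating is safe.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

# ContainerInherit: subfolders inherit; ObjectInherit: files inherit.
# PropagationFlags None: the ACE also applies to the folder itself (not InheritOnly).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', $inherit, $propagate, 'Allow'
    $acl.SetAccessRule($rule)
}

Set-Acl -Path $path -AclObject $acl

# Verify: a freshly created child should carry the same two identities as inherited ACEs
# (IsInherited = True), which the original three-argument rules never produced.
$probe = Join-Path -Path $path -ChildPath 'inheritance-probe.txt'
New-Item -Path $probe -ItemType File -Force | Out-Null
(Get-Acl -Path $probe).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
Remove-Item -Path $probe
```

Existing children keep their old ACLs until Windows propagates the new inheritable ACEs; Set-Acl on the parent triggers that propagation, but children previously marked as protected are left alone.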