NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are configured individually, while inherited permissions are inherited from the parent folder.
Permissions are evaluated in the following order of precedence, from highest to lowest:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
Managing Inheritance
To manage inheritance, we use the SetAccessRuleProtection method. It has two parameters:
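- The first parameter (isProtected) controls whether inheritance from the parent folder is blocked: “$true” blocks it, “$false” allows it.
- The second parameter (preserveInheritance) determines whether to preserve inherited permissions when inheritance is blocked: “$true” keeps them as explicit permissions, “$false” removes them. It is ignored when the first parameter is “$false”.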
Disabling Inheritance
Let’s disable inheritance for the “Sales” folder and delete all inherited permissions as well:
$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($true, $false)
$acl | Set-Acl \\fs1\shared\sales
All inherited permissions were removed; only access permissions added explicitly are left.
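Because removing inherited permissions can leave a folder with no Allow entries at all, the following added example (not part of the original article) wraps the same call with an SDDL backup, a pre-check and a post-change verification. The function name `Disable-InheritanceSafely` and the backup file path are assumptions made for illustration.

```powershell
# Added example: function name and backup location are hypothetical.
function Disable-InheritanceSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BackupFile
    )

    $acl = Get-Acl -Path $Path

    # Record the current security descriptor (SDDL) before touching it.
    $acl.Sddl | Set-Content -Path $BackupFile

    # Only explicit rules survive SetAccessRuleProtection($true, $false).
    $explicitAllow = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
    })
    if ($explicitAllow.Count -eq 0) {
        throw "No explicit Allow rules on '$Path'; removing inherited rules would leave no Allow entries."
    }

    # -WhatIf shows the intended change without applying it.
    if ($PSCmdlet.ShouldProcess($Path, 'Block inheritance and remove inherited rules')) {
        $acl.SetAccessRuleProtection($true, $false)
        Set-Acl -Path $Path -AclObject $acl
    }

    # Re-read the ACL from the file system and report what is in effect.
    $after = Get-Acl -Path $Path
    [pscustomobject]@{
        Path            = $Path
        Protected       = $after.AreAccessRulesProtected
        InheritedRules  = @($after.Access | Where-Object IsInherited).Count
        ExplicitRules   = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        RemainingAccess = $after.Access |
            Select-Object IdentityReference, AccessControlType, FileSystemRights
    }
}

# The share path is the one used in this article; the backup path is an assumption.
Disable-InheritanceSafely -Path '\\fs1\shared\sales' -BackupFile 'C:\AclBackup\sales.sddl' -WhatIf
```

After a real run (without `-WhatIf`), `Protected` should be `True` and `InheritedRules` should be `0`; the saved SDDL string is the record of the previous state.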
Re-enabling Inheritance
Let’s revert this change and re-enable inheritance for the “Sales” folder:
$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($false, $true)
$acl | Set-Acl \\fs1\shared\sales