Manage NTFS Permission Inheritance

by Jun 9, 2015

By default, folders and files inherit permissions from their parents. To stop inheritance and make sure only the explicitly assigned permissions are valid, do two things: add the explicit permissions you need, and disable inheritance.

This example creates a new folder called "PermissionNoInheritance", grants the current user read permissions and administrators full rights, and disables inheritance.

# create folder
$Path = 'c:\PermissionNoInheritance'
$null = New-Item -Path $Path -ItemType Directory -ErrorAction SilentlyContinue

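# get current permissions
$acl = Get-Acl -Path $Path

# add a new permission for current user
# note: 'Read,Modify' grants modify (write and delete) rights as well as read;
# use 'Read' alone for read-only access
# 'ContainerInherit, ObjectInherit' applies the rule to subfolders and files as well
$permission = $env:username, 'Read,Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)

# add a new permission for Administrators
$permission = 'Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)

# disable inheritance
# first argument $true: protect the ACL from inherited rules
# second argument $false: discard the previously inherited rules instead of keeping copies
$acl.SetAccessRuleProtection($true, $false)

# set new permissions
$acl | Set-Acl -Path $Path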
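
To confirm the result, the following added example (not part of the original tip) reads the ACL back and checks that inheritance is disabled, no inherited rules remain, and only the expected identities hold explicit rules. Test-FolderAclLockdown and its parameters are hypothetical names; identities are compared by SID so the check does not depend on localized account names, and S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```powershell
# Added example: audit a folder's ACL after the steps above.
# Test-FolderAclLockdown is a hypothetical helper name, not a built-in cmdlet.
function Test-FolderAclLockdown {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # SIDs that are allowed to hold explicit rules on the folder
        [Parameter(Mandatory)] [string[]] $ExpectedSid
    )

    $acl = Get-Acl -Path $Path

    # Get explicit and inherited rules with identities translated to SIDs
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $acl.GetAccessRules($true, $true, $sidType)

    # Rules that still come from a parent folder
    $inherited = @($rules | Where-Object { $_.IsInherited })

    # Explicit rules held by an identity that is not on the expected list
    $unexpected = @($rules | Where-Object {
        -not $_.IsInherited -and
        $ExpectedSid -notcontains $_.IdentityReference.Value
    })

    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        InheritedRuleCount  = $inherited.Count
        UnexpectedSids      = @($unexpected |
                                  ForEach-Object { $_.IdentityReference.Value } |
                                  Sort-Object -Unique)
        Rules               = @($rules | Select-Object IdentityReference,
                                  FileSystemRights, AccessControlType, IsInherited)
        Compliant           = $acl.AreAccessRulesProtected -and
                              $inherited.Count -eq 0 -and
                              $unexpected.Count -eq 0
    }
}

# Expected identities for the folder created above
$currentUserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$expected = @($currentUserSid, 'S-1-5-32-544')   # current user, BUILTIN\Administrators

Test-FolderAclLockdown -Path 'c:\PermissionNoInheritance' -ExpectedSid $expected
```

The Rules property also shows the rights each identity actually received, which makes it easy to spot a rule that grants more than intended.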
