Solved

# Add "Include inheritable permissions from this object's parent" to subfolders

Posted on 2010-09-10
I have a deep folder structure and there are random folders where inheritable permissions are unchecked. I would like to automatically add "Include inheritable permissions from this object's parent" to all subfolders (and subfolders' subfolders...). I think that I could handle this with PowerShell, but I haven't found a way to do this. Does anyone have an idea how to handle this?

Question by:thaapavuori

LVL 12

Expert Comment

ID: 33652732
I couldn't find any powershell but did find this VBS script.

http://www.jdhitsolutions.com/resources/scripts/resetinheritance.txt


Author Comment

ID: 33652794
Hi,

Thanks. I tried that in my test environment. I think that maybe I didn't understand the syntax. I tried these combinations but I didn't succeed. Basically, just nothing happens...? Any idea? PowerShell would still be more usable, but VBS is also enough if I get it to work.

Thanks :)

```text
C:\poista>cscript inherit.vbs c:\temp noinherit ON
Microsoft (R) Windows Script Host Version 5.8

Resetting inheritance on c:\\temp to 37892

Microsoft (R) Windows Script Host Version 5.8

Resetting inheritance on c:\\temp\\aditro to 37892

Microsoft (R) Windows Script Host Version 5.8

Resetting inheritance on c:\\temp\\aditro to 37892
```

LVL 12

Expert Comment

ID: 33653064
I think you need "inherit" not "noinherit". Still looking for PowerShell.

LVL 12

Expert Comment

ID: 33653293
You might want to download PowerGUI, which will help you script things. The attached script will reset inheritance on the "c:\acltest" folder. Do you need code to walk the tree?

Details of the properties of the ACL are here

http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity_members(v=VS.80).aspx

```powershell
$acl = Get-Acl "c:\acltst"
$acl.areaccessrulesprotected
$acl.SetAccessRuleProtection($false, $true); set-acl -aclobject $acl "c:\acltst"
```

Author Comment

ID: 33657334
Hi,

This VBS script worked, but only for the folder which I specified (e.g. c:\temp), not for its subfolders. I would like to reset this inheritance on all of my subfolders.

I tried the PowerShell which you gave me. I got the following error:

```text
C:\Windows\system32>powershell
Windows PowerShell

PS C:\Windows\system32> $acl = Get-Acl "c:\temp"
PS C:\Windows\system32> $acl.areaccessrulesprotected
False
PS C:\Windows\system32> $acl.SetAccessRuleProtection($false, $true);
PS C:\Windows\system32> set-acl -aclobject $acl "c:\temp"
Set-Acl : The security identifier is not allowed to be the owner of this object.
At line:1 char:8
+ set-acl <<<<  -aclobject $acl "c:\temp"
    + CategoryInfo          : InvalidOperation: (C:\temp:String) [Set-Acl], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
```

Thanks again :)

LVL 12

Expert Comment

ID: 33657989
Well, it works for me! Two thoughts: that folder already has inheritance set, so that might be the issue. Can you clear inheritance and try again?

Author Comment

ID: 33660258
You were right. It worked when I specified a folder where inheritance was not checked. But this doesn't help me with my problem, because I have a folder (e.g. c:\temp) and there are a number of subfolders and subfolders' subfolders. I would like to set inheritance on for all of these folders. Already now most of the folders have this inheritance on, but there are random folders where it's not.

LVL 12

Expert Comment

ID: 33661196
Sorry, I might be a VB veteran, but PowerShell takes me much more time; but I need to learn, so thanks for providing practical opportunities. I am a bit surprised someone with more experience hasn't bobbed in and sorted this. However, working with ACLs in PowerShell & .NET does seem simpler than VBScript. The problem is there is so much to learn.

Anyway, the code below should walk the tree and set inherited permissions on. Note it doesn't remove any existing permissions. These will remain in addition to the inherited rights. If you have any DENY ACLs explicitly defined, these will remain in place and may override any ALLOW ACLs inherited from above. I did a brief test but suggest you do some thorough tests before unleashing it on the world.

```powershell
Get-ChildItem -Recurse p:\test | ForEach-Object {
    $acl = Get-Acl $_.FullName
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -AclObject $acl $_.FullName
    }
}
```

Author Comment

ID: 33661757
Hi,

Thanks again. However, there is still something that doesn't work. The only thing I did was change p:\test to c:\temp.

Here is the output which I got:

```text
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At C:\poista\joo.ps1:7 char:10
+         set-acl <<<<  -aclobject $acl $_.FullName
    + CategoryInfo          : PermissionDenied: (C:\temp\SCX-4725:String) [Set-Acl], PrivilegeNotHeldException
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
```

Then I also tried some other folders. If all folders have inheritance set ON I get no errors (and nothing happens either). If some subfolder does not have inheritance ON I get that same error message... So there is still some issue.

I'm not a guy who has a lot of knowledge about programming, so that's why I appreciate your help a lot.

timo

LVL 70

Expert Comment

ID: 33671192

If you don't have permission over the folders you won't be able to change the setting. You would have to investigate problematic folders manually.

Chris

Author Comment

ID: 33671211
I have rights over the folders. The problem is that some other users don't have permissions and I should give them to them...

LVL 70

Expert Comment

ID: 33671221

If you're getting the error above then the account you're using to make the change does not have sufficient access to make the changes.

Either that or User Account Control is getting in the way and you need to do the ol' Run As Administrator thing.

Chris

Author Comment

ID: 33671254
Yes, I have UAC turned on and that is the problem, because on my old Server 2003 I gave permissions to the Domain Admins group and now because of UAC I face problems. But I first started cmd as administrator and then started PowerShell... so I don't see that this would be the problem. And actually for this test I used my laptop and I just manually unchecked inheritance... So I don't understand how it could be a permission issue.

LVL 12

Expert Comment

ID: 33671331
If inheritance is disabled, how can you be sure you have the necessary rights? Can you use the Security "Advanced" button and then the "Effective Permissions" tab to check your effective permissions on one of the folders? I expect it shows none. If it does, you can't reset ownership in PowerShell.

I always find this a problem, even in the GUI. I would do a take ownership in the GUI and find that even though I tick "Replace owner on subcontainers and objects" it doesn't....

LVL 70

Expert Comment

ID: 33671354

> But I have started first cmd as administrator and and then strarted powershell

Starting PS itself as Administrator is faster, but what you've done there should suffice :)

> And actually this test which I did I used my laptop and I just manually unchecked inheritance... So i dont understand how
> it could be permission issue.

The command you're running is telling you Permission Denied, you need to verify the rights held by your account.

Which version of Windows is it? If it's XP, grab these:

Then run:

```text
whoami /priv
```

It should show you the state of SeSecurityPrivilege (Enabled or Disabled).

It's one of the more frustrating security levels.

Chris

Author Comment

ID: 33671408
Hi,

On the laptop where I have tested the scripts I have Windows 7 x64 Enterprise (my goal is to use that script on a 2008 R2 server).

I ran whoami /priv after I started my cmd as admin and here are the results:
```text
C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
```

In my test on my Win7 machine I have a c:\temp folder with a number of subfolders. Just for testing, I took one of the subfolders, turned inheritance off and clicked Add to keep the existing permissions. Then, just for testing, I deleted one user group (Authenticated Users), and then I tried to use that script and I faced the problems which I told you about. Does it make sense?

LVL 70

Expert Comment

ID: 33671469

Yeah, it does indeed. It should be granting SeSecurityPrivilege via the Administrators group. These match up to rights assigned by the local system policy. I wouldn't be entirely surprised to discover that whoami isn't reporting them correctly.

We should see that if we run PS as Administrator, then run this:

```powershell
New-Item "C:\Temp\Test\Other" -Type Directory -Force
```

Then manually untick "Inherit permissions" and finally run this:

```powershell
$Acl = Get-Acl "C:\Temp\Test\Other"
$Acl.SetAccessRuleProtection($False, $True)
Set-Acl "C:\temp\test\other" -AclObject $Acl
```

It should pop the flag back on without whining at you. If it doesn't, we need to make sure that Administrators still has rights over the folder after removing inheritance.

Chris

Author Comment

ID: 33671554
This worked as it should and inheritance came back. The script before was like this:

```powershell
$acl = Get-Acl "c:\acltst"
$acl.areaccessrulesprotected
$acl.SetAccessRuleProtection($false, $true);
set-acl -aclobject $acl "c:\acltst"
```

That one worked as well. The problem is that I would like to automatically put that inheritance back on all subfolders where it is missing... Thanks :)

LVL 70

Accepted Solution

Chris Dent earned 500 total points
ID: 33671706
The same privilege requirements apply, but let's go for a recursive example. This is pretty much identical to what you've already been given, just a bit added to help us debug stuff.

Chris

```powershell
# Get the directory listing
Get-ChildItem "C:\Temp" -Recurse | ForEach-Object {
    # Get the current ACL
    $Acl = Get-Acl $_.FullName
    # If the access rules are protected inheritance is disabled
    If ($Acl.AreAccessRulesProtected) {
        Write-Host "Enabling Inheritance: $($_.FullName)"
        $Acl.SetAccessRuleProtection($False, $True)
        Set-Acl $_.FullName -AclObject $Acl
        # If that command failed
        If (!$?) {
            Write-Host "I failed. These rights are set on $($_.FullName)"
            Write-Host $Acl.AccessToString
        }
    }
}
```

Author Comment

ID: 33671850
Thanks. Now I tried your script and the script which I got before. Your script worked, and here are the results:

```text
PS C:\poista> .\inheritance.ps1
Enabling Inheritance: C:\Temp\aditro
PS C:\poista>
```

With the earlier script I still get an error. However, I think that the new script will be enough.

```text
PS C:\poista> .\inherit.ps1
False
Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\poista\inherit.ps1:4 char:8
+ set-acl <<<<  -aclobject $acl "c:\temp"
    + CategoryInfo          : InvalidOperation: (C:\temp:String) [Set-Acl], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
```

This is actually already a different question, but it's partly about this same issue, so in case you might know.

On our old Windows 2003 server (terminal server) we have a folder structure like f:\users\username

On our old system the end user doesn't have permission to this users folder, only to the folder under users which has the same name as his username. This works perfectly on 2003. On 2008 R2 this doesn't work anymore. If the user doesn't have at least read rights to this users folder he is not able to run that program. The point is that users don't see other user names, but it looks like I need to change our architecture, or do you have some idea that I could try?

The path with which the end user starts the program is this:

```text
"C:\Program Files (x86)\Microsoft Office\Office12\msaccess.exe" /excl /runtime "f:\users\%username%\em7.mdb"
```

If that user doesn't have rights to that users folder he will get the error message: "68:Device unavailable".

Thank you very much. I really appreciate your time and effort :)
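The accepted script above changes ACLs as it walks the tree. As an added example (not Chris Dent's script and not part of the original thread), the function below does the same job in two passes: it first records every directory whose access rules are protected, together with the explicit Allow and Deny entries that will survive re-enabling inheritance (an explicit Deny keeps overriding inherited Allows, as noted earlier in the thread), writes that to a CSV, and only then re-enables inheritance, capturing the PrivilegeNotHeldException this thread ran into per folder instead of stopping. The function name, the -ReportPath default and the requirement of Windows PowerShell 3.0 or later (for -Directory and -LiteralPath) are my assumptions.

```powershell
# Added example for this thread, not the accepted solution's code.
# Assumes Windows PowerShell 3.0+ and an elevated session.
function Repair-FolderInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,

        # Assumed default; the report is written before any ACL is changed
        [string]$ReportPath = (Join-Path $env:TEMP 'inheritance-audit.csv')
    )

    $findings = @()
    $dirs = Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) {
            # Could not even read the DACL: record it; ownership has to be checked by hand
            $findings += [pscustomobject]@{
                Path = $dir.FullName; Owner = $null; Protected = $null
                ExplicitAllow = $null; ExplicitDeny = $null; Result = 'Get-Acl failed'
            }
            continue
        }
        if (-not $acl.AreAccessRulesProtected) { continue }

        # Explicit (non-inherited) entries survive SetAccessRuleProtection($false, $true);
        # an explicit Deny keeps overriding any Allow inherited from the parent.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $findings += [pscustomobject]@{
            Path          = $dir.FullName
            Owner         = $acl.Owner
            Protected     = $true
            ExplicitAllow = @($explicit | Where-Object { $_.AccessControlType -eq 'Allow' }).Count
            ExplicitDeny  = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
            Result        = 'Pending'
        }
    }

    if ($findings.Count -gt 0) {
        $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
        Write-Verbose "Report written to $ReportPath"
    }

    foreach ($f in ($findings | Where-Object { $_.Result -eq 'Pending' })) {
        if (-not $PSCmdlet.ShouldProcess($f.Path, 'Enable inheritance, keep explicit entries')) {
            $f.Result = 'Skipped (WhatIf)'
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $f.Path
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -LiteralPath $f.Path -AclObject $acl -ErrorAction Stop
            $f.Result = 'Inheritance enabled'
        } catch [System.Security.AccessControl.PrivilegeNotHeldException] {
            # Same failure the thread hit: the session is not elevated or lacks SeSecurityPrivilege
            $f.Result = "Privilege missing: $($_.Exception.Message)"
        } catch {
            $f.Result = "Failed: $($_.Exception.Message)"
        }
    }
    return $findings
}

# Dry run first, then the real thing:
# Repair-FolderInheritance -Root 'C:\Temp' -WhatIf | Format-Table Path, ExplicitDeny, Result
# Repair-FolderInheritance -Root 'C:\Temp' -Verbose
```

Run it with -WhatIf first: the report then shows which folders carry an explicit Deny (those need a manual look before inheritance is switched back on) and which folders the account cannot read at all. Folders whose Result starts with "Privilege missing" are the ones the thread's whoami /priv discussion applies to.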

LVL 70

Expert Comment

ID: 33671894

It should let you traverse. However, if it completely refuses you can enable Access Based Enumeration to achieve the same thing (they only see what they have rights to see).

Typically I map our user drives to the user folder directly, so the "users\%username%" folders are masked.

e.g.

That way they don't need rights to the folders above at all (under any circumstances), only to their own folder.

Chris

Author Comment

ID: 33671941
Yep. In my case I can't map that drive; it needs to be a local drive (or let's say that the vendor is saying that we need to use local paths).

How can I enable this "Access Based Enumeration"? Can I use the same thing for the c:\users (or c:\documents and settings) folder (the folder where user profiles are stored)? That has been a problem because I haven't found a way to deny users seeing the contents of this folder.

Thanks :)

LVL 70

Expert Comment

ID: 33671972

Oh I see, I assumed mapped. I don't think you can enable Access Based Enumeration on a regular client OS, although I confess I've never actually tried.

I'm afraid I'm not entirely sure how you'd get around it there.

Chris

Author Comment

ID: 33672023
Okay. Thanks anyway. You already solved my other issue :)

Author Comment

ID: 33676958
Now I used this script in our production environment. The script worked as it should, but it wasn't enough. There are a couple of files and folders where this inheritance still doesn't work as it should. Inheritance is checked as it should be, but permissions are not following for these particular files and folders. I think that at some point these files' and folders' ACLs have somehow become corrupted. Is there some way to check the ACLs for the whole folder structure and fix them? This folder structure is very old and this is not the first time we have moved it to a new server, and I think that's why it has somehow become corrupted...

LVL 70

Expert Comment

ID: 33680765

It depends on the nature of the problem. It could simply be that specific entries are not set to apply to files.

It's not going to be very easy to fix without knowing exactly what's broken about it :-\

Chris

Author Comment

ID: 33681170
Please look at my pic. The first pic is a subfolder. As you can see, inheritance is checked. The second pic is the parent folder of that first pic. As you can see, these permissions are not moving from the parent folder to the subfolder. This is my new problem. Most files and folders started to work after your PowerShell script, but now there are multiple files and folders which are acting like this example.

Thanks again.
inheritance.png

LVL 70

Expert Comment

ID: 33681235

Unset then reset inheritance on the child folder and see which entries appear?

When unsetting tell it to Remove the existing entries.

Chris

Author Comment

ID: 33681265
Okay. I unset it and all permissions disappeared. Then I took ownership of that folder back and checked inheritance again. Now all permissions came from the parent folder... So this way I could solve it... but there are a number of folders and files like this...

LVL 70

Expert Comment

ID: 33681297

Hmm you might get around it like this:

```powershell
$Acl = Get-Acl "TheBrokenFolder"
$Acl.SetAccessRuleProtection($True, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl
$Acl = Get-Acl "TheBrokenFolder"
$Acl.SetAccessRuleProtection($False, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl
```

Ownership may be a problem with that.

Chris

Author Comment

ID: 33681331
So you mean that I replace "TheBrokenFolder" with the path. This folder structure is very deep. Can I just specify the first parent folder (e.g. c:\temp)?

Timo

LVL 70

Expert Comment

ID: 33681430

Yep. We need to test this method first to see if it's a viable fix.

Chris

Author Comment

ID: 33681500
I specified a folder which I know includes files (direct child files) where I have this problem. Here are the results. So it looks like it failed.

Timo

```text
Set-Acl : Attempted to perform an unauthorized operation.
At C:\temp\acl.ps1:6 char:8
+ Set-Acl <<<<  "F:programs\program\users\username\Pro" -AclObject $Acl
    + CategoryInfo          : PermissionDenied: (F:program\...username\Pro:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
```

LVL 70

Expert Comment

ID: 33681532

Thought it might do that. Fix up that folder, then try this one please.

```powershell
$Acl = Get-Acl "TheBrokenFolder"
$Acl.SetAccessRuleProtection($True, $False)
$Acl.SetAccessRuleProtection($False, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl
```

It shouldn't really make any difference, but I'd like to give it a try.

Chris

Author Comment

ID: 33681663
I'm not sure if I understood. If I run your script like the script before, I don't get any error message, but it doesn't fix anything either. If I fix that folder manually first, then there is nothing left to fix. I think that I missed something.

Timo

LVL 70

Expert Comment

ID: 33682543

I'm not really surprised. It changes stuff in the ACL but doesn't commit the changes until the end.

Anyway, we can't globally fix folders in a structure unless we know what's wrong. We need to be able to test stuff to find a fix.

Chris

Author Comment

ID: 33682592
I tried this script. This almost worked, but it skipped these problem files and folders...

```powershell
$ErrorActionPreference = "SilentlyContinue"

$path = 'f:\programs\users'
$baseACL = Get-Acl $path
$items = Get-ChildItem -Path $path -Recurse
foreach ($item in $items) {
    Set-Acl $item.FullName $baseACL
    $itemACL = Get-Acl $item.FullName
    $itemACEs = $itemACL.Access
    foreach ($itemACE in $itemACEs) {
        if ($itemACE.IsInherited -eq $FALSE) {
            $null = $itemACL.RemoveAccessRule($itemACE)
        }
    }
    Set-Acl $item.FullName $itemACL
}

$path = $baseACL = $items = $item = $itemACL = $itemACEs = $itemACE = $ACLset = $null
```

Author Comment

ID: 33682648
Actually, this script which I tried is not perfect even if it works, because it deletes the folder-specific permissions. But it should not be such a big deal, because the username folder always has Modify rights for the user whose name is the same as the folder name. So I think that it's easy to script.

Timo

Author Comment

ID: 33682838

I ran:

```text
TAKEOWN /F F:\programs\users /R /A
```

Then I ran the script which I pasted here before, and now it looks like there is no corruption in the ACLs anymore. My next thing to do is find a way to set Modify access for users to their own folder.

Timo

Author Comment

ID: 33683227
Okay. Now I found a way to set permissions for users to their own folder. I attach that batch here. I think that I have finally solved my issue. Thank you very much.

```batch
@echo off
Setlocal
If NOT Exist %1 GOTO bad
If {%3}=={} set perm=C&goto ok
If {%3}=={C} set perm=C&goto ok
If {%3}=={F} set perm=F&goto ok
goto bad
:ok
Set pf=%1
Set dom=%2
Set pf=%pf:"=%
Set dom=%dom:"=%
For /f "Tokens=*" %%a IN ('Dir "%pf%" /AD /B') DO Set user=%%a&call :parse
Endlocal
Goto :EOF
:bad
@echo Usage: SetPerm "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]
@echo.
Endlocal
Goto :EOF
:parse
For /f "Tokens=5*" %%c IN ('echo Y^| cacls "%pf%\%user%" /E /P "%dom%\%user%":%perm%') do @echo %%d
```
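The batch file above does its per-user grant with cacls /E /P. As an added example (my code, not the batch file and not part of the original thread), the same task in PowerShell: for every subfolder of the users parent folder, resolve DOMAIN\<foldername> to a SID, skip folders whose account no longer exists (so no dangling ACE is written), and set one explicit Allow entry that inherits to the files and subfolders inside; nothing is granted on the parent folder itself, which matches the least-privilege layout discussed earlier. The function name, the CONTOSO domain in the usage line and the requirement of Windows PowerShell 3.0 or later are my assumptions; F:\programs\users is the path from the thread.

```powershell
# Added example for this thread, not the batch file's code.
# Assumes Windows PowerShell 3.0+ and an elevated session.
function Grant-UserFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UsersParent,
        [Parameter(Mandatory = $true)][string]$Domain,
        # Batch equivalent: C = Modify (the default), F = FullControl
        [ValidateSet('Modify', 'FullControl')][string]$Rights = 'Modify'
    )

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $wanted    = [System.Security.AccessControl.FileSystemRights]$Rights

    foreach ($dir in Get-ChildItem -LiteralPath $UsersParent -Directory) {
        $account = "$Domain\$($dir.Name)"

        # Resolve the name to a SID before touching the ACL: a folder whose
        # account no longer exists is left alone instead of getting a dangling ACE.
        try {
            $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "No account '$account' for folder $($dir.FullName); skipped"
            continue
        }

        $acl = Get-Acl -LiteralPath $dir.FullName

        # Idempotence check: an explicit Allow for this SID that already carries
        # the requested rights and inherits to children needs no change.
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq $sid.Value -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $wanted) -eq $wanted -and
                $_.InheritanceFlags -eq $inherit
            }
        if ($existing) {
            Write-Verbose "$account already has $Rights on $($dir.FullName)"
            continue
        }

        # SetAccessRule replaces any earlier Allow entries for this identity,
        # which is what cacls /P did in the batch version.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $sid, $wanted, $inherit, $propagate, 'Allow')
        $acl.SetAccessRule($rule)

        if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $account")) {
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
    }
}

# Preview, then apply (CONTOSO is a placeholder domain):
# Grant-UserFolderAccess -UsersParent 'F:\programs\users' -Domain 'CONTOSO' -WhatIf
# Grant-UserFolderAccess -UsersParent 'F:\programs\users' -Domain 'CONTOSO' -Verbose
```

Because the rule is written with ContainerInherit and ObjectInherit, files created later under the user's folder pick it up through inheritance, which is the behaviour the thread was trying to restore in the first place; run with -WhatIf to see which folders would change and which are skipped for lack of a matching account.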
