View/Configure a Protected ACL and Fix Broken Inheritance


ACL inheritance is one of the key concepts in Active Directory delegation of control. It allows ACEs set on a parent container to be inherited by its child objects, which simplifies access management significantly because delegation can be managed at the container level rather than on individual leaf objects. Sometimes, however, we want to block that inheritance on particular objects. With a protected ACL set on an object, inheritable ACEs set on its parent no longer propagate down to it, and only the ACEs set explicitly on the object take effect. The following examples show how to find out whether an ACL is protected and how to set and unset that protection:

## Get the object’s DACL

PS AD:\> $acl = get-acl "OU=myou,DC=fabrikam,DC=com"

## Finding out if an ACL is protected is very simple.

PS AD:\> $acl.AreAccessRulesProtected

## When protecting the ACL with SetAccessRuleProtection (first parameter set to $true), we also

## have two options for the ACEs that are already inherited: remove them, or convert them to

## explicit ACEs. In the example below we convert the inherited ACEs by setting the second parameter

## to $true.

PS AD:\> $acl.SetAccessRuleProtection($true, $true);

## Make sure to set the ACL on the object after the change has been made; Get-Acl returns an in-memory copy, and nothing is written to the directory until Set-Acl runs.

PS AD:\> set-acl -aclobject $acl "OU=myou,DC=fabrikam,DC=com"

## Once the ACL is protected, the inheritance chain is broken.

## To unprotect the ACL (i.e. to fix the broken inheritance), set the first parameter to $false. The second parameter is ignored in this case.

## Note that objects kept in line with AdminSDHolder by the SDProp process (adminCount=1) are re-protected on its next run, so unprotecting those does not stick.

PS AD:\> $acl.SetAccessRuleProtection($false, $false);

## Always make sure to set the ACL on the object after any change has been made to the ACL.

PS AD:\> set-acl -aclobject $acl "OU=myou,DC=fabrikam,DC=com"
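Putting the steps above together, as an added example that is not part of the original post: a function that walks every OU under a search base, reports which DACLs are protected (and which explicit ACEs are all that applies there), and can either protect or unprotect them, re-reading the object afterwards to confirm the write took. It assumes the ActiveDirectory module (which provides the AD: drive) and rights to modify nTSecurityDescriptor on the target OUs; the function name, its parameters and the OU path in the usage lines are hypothetical.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and write access to nTSecurityDescriptor on the OUs under -SearchBase.
Import-Module ActiveDirectory

function Set-AdOuAclProtection {
    <#
      Mode Audit     : report every OU and whether its DACL is protected.
      Mode Protect   : set the protected flag; inherited ACEs become explicit
                       copies unless -DropInherited is given.
      Mode Unprotect : clear the flag so the parent's inheritable ACEs flow again.
      Hypothetical helper written for this example.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [ValidateSet('Audit', 'Protect', 'Unprotect')] [string] $Mode = 'Audit',
        [switch] $DropInherited
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $path = "AD:\$($ou.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # While the DACL is protected, the explicit ACEs are the only ones in
        # effect, so they are what an auditor has to review on such an object.
        $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })

        [pscustomobject]@{
            DistinguishedName = $ou.DistinguishedName
            Protected         = $acl.AreAccessRulesProtected
            ExplicitAces      = $explicit.Count
            InheritedAces     = $inherited.Count
            ExplicitTrustees  = ($explicit | ForEach-Object { $_.IdentityReference.Value } |
                                 Sort-Object -Unique) -join '; '
        }

        if ($Mode -eq 'Protect' -and -not $acl.AreAccessRulesProtected) {
            if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Protect DACL')) {
                # Second argument $true keeps the inherited ACEs as explicit copies;
                # $false drops them, leaving only what was already explicit.
                $acl.SetAccessRuleProtection($true, -not $DropInherited)
                Set-Acl -Path $path -AclObject $acl
            }
        }
        elseif ($Mode -eq 'Unprotect' -and $acl.AreAccessRulesProtected) {
            if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Restore DACL inheritance')) {
                # The second argument is ignored when the first is $false.
                $acl.SetAccessRuleProtection($false, $false)
                Set-Acl -Path $path -AclObject $acl

                # Re-read the object: the flag should be clear and inherited ACEs
                # present again. If SDProp governs this object it will be re-protected
                # on its next pass, which is why a later audit is still worthwhile.
                $after = Get-Acl -Path $path
                if ($after.AreAccessRulesProtected) {
                    Write-Warning "Inheritance still protected on $($ou.DistinguishedName)"
                }
            }
        }
    }
}

# Usage (hypothetical search base):
# Set-AdOuAclProtection -SearchBase 'OU=Servers,DC=fabrikam,DC=com' | Format-Table
# Set-AdOuAclProtection -SearchBase 'OU=Servers,DC=fabrikam,DC=com' -Mode Unprotect -WhatIf
```

Run it in Audit mode first and keep the output: the ExplicitTrustees column is the delegation that will stay in force on a protected OU, and any trustee there that does not appear on the parent is a delegation decision someone made deliberately, or one an attacker planted where inherited review would not catch it. Use -WhatIf before Protect or Unprotect so the set of OUs that would be touched is visible before anything is written.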

Thanks,

David

Comments (2)

  1. When I modify the ACL with any command, it blocks inheritance on the shared directory. I.e., after running these commands:

      $ACL = Get-ACL "N:"

      $ACL.SetAccessRuleProtection($false, $false)  

      Set-Acl "N:" $acl

    all inheritance is blocked. It appears to be unblocked. But to make it work again, you have to manually go into the file properties, uncheck, and re-check the box, "Include inheritable permissions from this object's parent."

    The same thing happens when I attempt to change access rules in order to add permissions for another group. I have used both the UNC and a mapped drive in an effort to fix this. Neither helps. The directory in question is on the file server, at the root of a volume. My local machine is Windows 7, fully updated. The server is Server 2008 R2 with all critical fixes applied. Any assistance you can provide would certainly be welcome!

  2. Keith says:

    Should be:

    $acl.SetAccessRuleProtection($false, $true);