NoPropagateInherit is not boolean but can be 0, 1 or 2
Setting an ACE to 'ReadAndExecute' with 'SubfoldersOnly' and 'NoPropagateInherit' = $true does not end in the correct result. The ACE's 'PropagationFlags' should be 'NoPropagateInherit, InheritOnly' but is 'NoPropagateInherit' only, which is not the correct result. (The problem may be in the file 'cNtfsPermissionEntry.psm1', starting at line 739.)
```powershell
cNtfsPermissionEntry ('[{0}]:Users' -f $Path)
{
    Ensure = 'Present'
    Path = $Path
    Principal = ('BUILTIN\Users')
    AccessControlInformation = @(
        cNtfsAccessControlInformation
        {
            AccessControlType = 'Allow'
            FileSystemRights = 'ReadAndExecute', 'Synchronize'
            Inheritance = 'SubFoldersOnly'
            NoPropagateInherit = $true
        }
    )
}
```
should result in:

```
FileSystemRights            AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
----------------            ----------------- ----------------- ----------- ---------------- ----------------
ReadAndExecute, Synchronize Allow             BUILTIN\Users     False       ContainerInherit NoPropagateInherit, InheritOnly
```
but really results in:

```
FileSystemRights            AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
----------------            ----------------- ----------------- ----------- ---------------- ----------------
ReadAndExecute, Synchronize Allow             BUILTIN\Users     False       ContainerInherit NoPropagateInherit
```
The function New-FileSystemAccessRule should be changed at line 739 from:

```powershell
if ($NoPropagateInherit -eq $true -and $InheritanceFlags -ne 'None')
{
    [System.Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit'
}
```
To:

```powershell
if ($NoPropagateInherit -eq $true -and $InheritanceFlags -ne 'None')
{
    if ($PropagationFlags -eq 'None')
    {
        [System.Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit'
    }
    else
    {
        [System.Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit', 'InheritOnly'
    }
}
```
This does solve the problem for me.
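An added example, not part of the original issue or of the cNtfsAccessControl module: it builds the rule both ways with the .NET `FileSystemAccessRule` type and shows that overwriting `PropagationFlags` drops `InheritOnly`, so the ACE also applies to the folder itself instead of to subfolders only. `Add-NoPropagateInherit` is a hypothetical helper that combines the flags with `-bor` instead of the if/else proposed above, and the second case is constructed for comparison.

```powershell
using namespace System.Security.AccessControl

# Hypothetical helper (not the module's code): add NoPropagateInherit to the
# flags already computed instead of replacing them.
function Add-NoPropagateInherit {
    param(
        [InheritanceFlags]$InheritanceFlags,
        [PropagationFlags]$PropagationFlags,
        [bool]$NoPropagateInherit
    )
    if ($NoPropagateInherit -and $InheritanceFlags -ne [InheritanceFlags]::None) {
        return [PropagationFlags]($PropagationFlags -bor [PropagationFlags]::NoPropagateInherit)
    }
    return $PropagationFlags
}

# Flags as they stand before NoPropagateInherit is applied.
$cases = @(
    # 'SubFoldersOnly' from the issue: ContainerInherit + InheritOnly
    @{ Name = 'SubFoldersOnly'; Inheritance = [InheritanceFlags]::ContainerInherit
       Propagation = [PropagationFlags]::InheritOnly },
    # Constructed comparison case: same inheritance, no InheritOnly
    @{ Name = 'ContainerInherit, no InheritOnly (constructed)'
       Inheritance = [InheritanceFlags]::ContainerInherit
       Propagation = [PropagationFlags]::None }
)

$report = foreach ($case in $cases) {
    $variants = [ordered]@{
        # Behaviour reported in the issue: the assignment replaces existing flags
        Overwritten = [PropagationFlags]::NoPropagateInherit
        Combined    = Add-NoPropagateInherit $case.Inheritance $case.Propagation $true
    }
    foreach ($variant in $variants.GetEnumerator()) {
        $rule = [FileSystemAccessRule]::new(
            'BUILTIN\Users',
            [FileSystemRights]'ReadAndExecute, Synchronize',
            $case.Inheritance, $variant.Value, [AccessControlType]::Allow)
        [pscustomobject]@{
            Case             = $case.Name
            Variant          = $variant.Key
            PropagationFlags = $rule.PropagationFlags
            # Without InheritOnly the ACE is also effective on the folder itself
            AppliesToFolder  = -not $rule.PropagationFlags.HasFlag([PropagationFlags]::InheritOnly)
        }
    }
}
$report | Format-Table -AutoSize
```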