diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 index 5e48123..8f25740 100644 --- a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 +++ b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 @@ -28,6 +28,10 @@ Function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false @@ -94,6 +98,7 @@ Function Get-TargetResource Force = $Force Path = $inputPath AccessControlList = $CimAccessControlList + DisableInheritance = $currentACL.AreAccessRulesProtected } return $ReturnValue @@ -112,6 +117,10 @@ Function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false @@ -123,9 +132,29 @@ Function Set-TargetResource if(Test-Path -Path $inputPath) { - $currentAcl = Get-Acl -Path $inputPath + $DirectoryInfo = Get-Item -Path $inputPath + + $currentAcl = $DirectoryInfo.GetAccessControl() + + $Expected = @() + if($null -ne $currentAcl) { + if ($currentAcl.AreAccessRulesProtected -ne $DisableInheritance) + { + if ($currentAcl.AreAccessRulesProtected) + { + Write-Verbose -Message 'Enabling inheritance' + } + else + { + Write-Verbose -Message 'Disabling inheritance' + } + + $preserveInheritance = $false + $currentAcl.SetAccessRuleProtection($DisableInheritance, $preserveInheritance) + } + if($Force) { foreach($AccessControlItem in $AccessControlList) @@ -168,17 +197,6 @@ Function Set-TargetResource } } - $isInherited = 0 - $isInherited += $AbsentToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count - $isInherited += $ToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count - - if($isInherited -gt 0) - { - $currentAcl.SetAccessRuleProtection($true,$true) - Set-Acl -Path $inputPath -AclObject $currentAcl - } - - foreach($Rule in $ToBeRemoved.Rule) { try 
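Review bot: The `$DisableInheritance = $false` default added to Set-TargetResource's parameters in the `@@ -112,6 +117,10 @@` hunk (and to Test-TargetResource in `@@ -271,6 +288,10 @@`) turns an omitted property into "inheritance must be enabled". A configuration written before this change never sets the property, so on a path whose ACL is protected the new comparison in Test-TargetResource reports drift and Set-TargetResource re-enables inheritance, letting the parent's ACEs flow back onto an item that was deliberately isolated. Consider enforcing the setting only when it was actually supplied, e.g. `if ($PSBoundParameters.ContainsKey('DisableInheritance') -and $currentAcl.AreAccessRulesProtected -ne $DisableInheritance)`, with the same guard around the check in Test-TargetResource (`@@ -386,6 +409,12 @@`). The param block starts and ends outside this hunk.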
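Review bot: `$preserveInheritance = $false` in the new `SetAccessRuleProtection` call (hunk `@@ -123,9 +132,29 @@`) discards every inherited ACE when inheritance is switched off, whereas the code removed further down used `($true,$true)` and copied them. The resulting ACL then holds only the existing explicit rules plus whatever `$AccessControlList` adds, so a configuration that does not list administrative principals can leave the item manageable only by its owner; a comment such as `# Inherited ACEs are dropped, not copied: AccessControlList must grant every principal that still needs access` would make that explicit. Separately, `Get-Item -Path $inputPath` is called without `-Force`, and as far as I know it then does not return hidden or system items that `Test-Path` accepts, which would leave `$DirectoryInfo` null at the `GetAccessControl()` call. Set-TargetResource's body continues outside the hunk.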
@@ -192,7 +210,7 @@ Function Set-TargetResource ("> InheritanceFlags : '{0}'" -f $Rule.InheritanceFlags), ("> PropagationFlags : '{0}'" -f $Rule.PropagationFlags) | Write-Verbose - $currentAcl.RemoveAccessRule($Rule) + $currentAcl.RemoveAccessRuleSpecific($Rule) } catch { @@ -223,26 +241,25 @@ Function Set-TargetResource ("> PropagationFlags : '{0}'" -f $Rule.PropagationFlags) | Write-Verbose - $currentAcl.RemoveAccessRule($Rule) + $currentAcl.RemoveAccessRuleSpecific($Rule) } - foreach($Rule in $Expected) + foreach($NonMatchRule in $Expected.Where{$_.Match -eq $false}.Rule) { - $NonMatch = $Rule.Rule - ("Adding access rule:"), - ("> Principal : '{0}'" -f $NonMatch.IdentityReference), - ("> Path : '{0}'" -f $inputPath), - ("> IdentityReference : '{0}'" -f $NonMatch.IdentityReference), - ("> AccessControlType : '{0}'" -f $NonMatch.AccessControlType), - ("> FileSystemRights : '{0}'" -f $NonMatch.FileSystemRights), - ("> InheritanceFlags : '{0}'" -f $NonMatch.InheritanceFlags), - ("> PropagationFlags : '{0}'" -f $NonMatch.PropagationFlags) | - Write-Verbose + ("Adding access rule:"), + ("> Principal : '{0}'" -f $NonMatchRule.IdentityReference), + ("> Path : '{0}'" -f $inputPath), + ("> IdentityReference : '{0}'" -f $NonMatchRule.IdentityReference), + ("> AccessControlType : '{0}'" -f $NonMatchRule.AccessControlType), + ("> FileSystemRights : '{0}'" -f $NonMatchRule.FileSystemRights), + ("> InheritanceFlags : '{0}'" -f $NonMatchRule.InheritanceFlags), + ("> PropagationFlags : '{0}'" -f $NonMatchRule.PropagationFlags) | + Write-Verbose - $currentAcl.AddAccessRule($Rule.Rule) + $currentAcl.AddAccessRule($NonMatchRule) } - Set-Acl -Path $inputPath -AclObject $currentAcl + $DirectoryInfo.SetAccessControl($currentAcl) } else { @@ -271,6 +288,10 @@ Function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $AccessControlList, + [Parameter()] + [bool] + $DisableInheritance = $false, + [Parameter()] [bool] $Force = $false 
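Review bot: `RemoveAccessRuleSpecific` in the `@@ -192,7 +210,7 @@` hunk only removes an ACE that matches `$Rule` exactly and returns nothing, so a rule that differs from what is on disk is left in place with no signal, while the verbose output has already announced the removal. Test-TargetResource passes the ACL through `Update-FileSystemRightsMapping`; whether the rules in `$ToBeRemoved` here come from a rewritten copy is not visible in this hunk, but if they do, the unwanted permission would survive a Set that appears to succeed. At minimum add a comment next to the call, e.g. `# RemoveAccessRuleSpecific needs an exact match on identity, type, rights and flags; anything else is left in place`, and consider comparing `$currentAcl.Access.Count` before and after to warn when nothing was removed. The same call is introduced in the `@@ -223,26 +241,25 @@` hunk, and the enclosing `try` starts outside this one.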
@@ -284,7 +305,9 @@ Function Test-TargetResource if(Test-Path -Path $inputPath) { $currentACL = Get-Acl -Path $inputPath - $mappedACL = Update-FileSystemRightsMapping($currentAcl) + $mappedACL = Update-FileSystemRightsMapping($currentAcl) + + $Expected = @() if($null -ne $currentACL) { @@ -292,8 +315,8 @@ Function Test-TargetResource { foreach($AccessControlItem in $AccessControlList) { - $Principal = $AccessControlItem.Principal - $Identity = Resolve-Identity -Identity $Principal + $Principal = $AccessControlItem.Principal + $Identity = Resolve-Identity -Identity $Principal $IdentityRef = New-Object System.Security.Principal.NTAccount($Identity.Name) $ACLRules += ConvertTo-FileSystemAccessRule -AccessControlList $AccessControlItem -IdentityRef $IdentityRef @@ -353,7 +376,7 @@ Function Test-TargetResource if($AbsentToBeRemoved.Count -gt 0) { - foreach ($rule in $AbsentToBeRemoved) + foreach ($rule in $AbsentToBeRemoved.Rule) { ("Found [absent] permission rule:"), ("> Principal : '{0}'" -f $Rule.IdentityReference), @@ -371,7 +394,7 @@ Function Test-TargetResource if($ToBeRemoved.Count -gt 0) { - foreach ($Rule in $ToBeRemoved) + foreach ($Rule in $ToBeRemoved.Rule) { ("Non-matching permission entry found:"), ("> Principal : '{0}'" -f $Rule.IdentityReference), @@ -386,6 +409,12 @@ Function Test-TargetResource $InDesiredState = $False } + + if ($currentACL.AreAccessRulesProtected -ne $DisableInheritance) + { + Write-Verbose -Message ('Inheritance is {0} and should be {1}.' -f (-not $currentACL.AreAccessRulesProtected), (-not $DisableInheritance)) + $InDesiredState = $False + } } else { @@ -400,7 +429,7 @@ Function Test-TargetResource Write-Verbose -Message $Message $InDesiredState = $False } - + return $InDesiredState } 
@@ -557,7 +586,8 @@ Function Compare-NtfsRule $AbsentToBeRemoved = @() $PresentRules = $Expected.Where({$_.Ensure -eq 'Present'}).Rules - $AbsentRules = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules + $AbsentRules = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules + foreach($refrenceObject in $PresentRules) { $match = $Actual.Where({ @@ -600,7 +630,7 @@ Function Compare-NtfsRule } } - foreach($refrenceObject in $Actual) + foreach($refrenceObject in $Actual.Where{$_.IsInherited -eq $false}) { $match = @($Expected.Rules).Where({ (((($_.FileSystemRights.value__ -band $refrenceObject.FileSystemRights.value__) -match "$($_.FileSystemRights.value__)|$($refrenceObject.FileSystemRights.value__)") -and !$Force) -or ($_.FileSystemRights -eq $refrenceObject.FileSystemRights -and $Force)) -and @@ -633,7 +663,7 @@ Function Update-FileSystemRightsMapping $ACE ) - foreach($Rule in $ACE.Access) + foreach($Rule in $ACE.Access.Where{$_.IsInherited -eq $false}) { $rightsBand = [int]0xf0000000 -band $Rule.FileSystemRights.value__ if( ($rightsBand -gt 0) -or ($rightsBand -lt 0) ) diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof b/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof index deae0f5..04a0afb 100644 --- a/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof +++ b/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof 
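Review bot: Filtering `$Actual` to `IsInherited -eq $false` in the `@@ -600,7 +630,7 @@` hunk (and `$ACE.Access` the same way in `Update-FileSystemRightsMapping`, `@@ -633,7 +663,7 @@`) means an entry a principal holds only through inheritance is never a removal candidate, and this commit also deletes the Set-TargetResource code that used to convert inherited rules to explicit ones before removing them. Unless the `Absent` loop earlier in Compare-NtfsRule, which is not visible here, still sees inherited entries, a configuration using `Ensure = 'Absent'` or `Force` can be reported as in the desired state while the principal keeps effective access from the parent. If that scope is intended, say so at the loop, e.g. `# Inherited ACEs are out of scope here; set DisableInheritance to remove access granted by a parent`, and in the resource documentation. Both loops continue outside their hunks.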
@@ -1,24 +1,25 @@ -[ClassVersion("0.9.0.0")] -class NTFSAccessControlEntry -{ - [Required, Description("Indicates whether to allow or deny access to the target item."), ValueMap{"Allow","Deny"}, Values{"Allow","Deny"}] String AccessControlType; - [Required, Description("Indicates the access rights to be granted to the principal."), ValueMap{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}, Values{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}] String FileSystemRights[]; - [Required, Description("Indicates the inheritance type of the permission entry."), ValueMap{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}, Values{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}] String Inheritance; - [Required, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; -}; - -[ClassVersion("0.9.0.0")] -class NTFSAccessControlList -{ - [Write, Description("Indicates the identity of the principal.")] String Principal; - [Write] Boolean ForcePrincipal; - [Write, Description("Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class."), 
EmbeddedInstance("NTFSAccessControlEntry")] String AccessControlEntry[]; -}; - -[ClassVersion("0.9.0.0"), FriendlyName("NTFSAccessEntry")] -class NTFSAccessEntry : OMI_BaseResource -{ - [Key, Description("Indicates the path to the target item.")] String Path; - [Required, Description("Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlList")] String AccessControlList[]; - [Write] Boolean Force; -}; +[ClassVersion("0.9.0.0")] +class NTFSAccessControlEntry +{ + [Required, Description("Indicates whether to allow or deny access to the target item."), ValueMap{"Allow","Deny"}, Values{"Allow","Deny"}] String AccessControlType; + [Required, Description("Indicates the access rights to be granted to the principal."), ValueMap{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}, Values{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}] String FileSystemRights[]; + [Required, Description("Indicates the inheritance type of the permission entry."), ValueMap{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}, Values{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files 
only","Subfolders only","Files only"}] String Inheritance; + [Required, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure; +}; + +[ClassVersion("0.9.0.0")] +class NTFSAccessControlList +{ + [Write, Description("Indicates the identity of the principal.")] String Principal; + [Write] Boolean ForcePrincipal; + [Write, Description("Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlEntry")] String AccessControlEntry[]; +}; + +[ClassVersion("0.9.0.0"), FriendlyName("NTFSAccessEntry")] +class NTFSAccessEntry : OMI_BaseResource +{ + [Key, Description("Indicates the path to the target item.")] String Path; + [Required, Description("Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlList")] String AccessControlList[]; + [Write] Boolean DisableInheritance; + [Write] Boolean Force; +}; diff --git a/Tests/Unit/NTFSAccessEntry.Tests.ps1 b/Tests/Unit/NTFSAccessEntry.Tests.ps1 index a6b04a5..5f047eb 100644 --- a/Tests/Unit/NTFSAccessEntry.Tests.ps1 +++ b/Tests/Unit/NTFSAccessEntry.Tests.ps1 @@ -106,11 +106,12 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights ChangePermissions -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } - Set-NewTempItemAcl -ItemType Directory -Path $ContextParams.Path + Set-NewTempItemAcl -ItemType Directory -Path $ContextParams.Path It 'Should return True' { Test-TargetResource @ContextParams | Should Be $true 
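Review bot: The new `[Write] Boolean DisableInheritance;` property on `NTFSAccessEntry` carries no `Description`, so the schema does not tell a configuration author that enabling it removes inherited entries rather than copying them (Set-TargetResource passes `$preserveInheritance = $false`). Something like `[Write, Description("Indicates whether inheritance from the parent is disabled on the target item. Inherited entries are removed, not copied.")] Boolean DisableInheritance;` would document it where authors look. The hunk rewrites every line of the file with otherwise identical text, which looks like a line-ending change and makes this one-line addition easy to miss.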
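Review bot: Every context touched in this file, starting with the `@@ -106,11 +106,12 @@` hunk, now passes `DisableInheritance = $true`, so no test exercises the default value, the 'Enabling inheritance' branch in Set-TargetResource, or the new inheritance comparison in Test-TargetResource returning `$false`. Since the default changes what happens to existing configurations on protected paths, add at least one context that creates an item with a protected ACL, omits `DisableInheritance`, and asserts the outcome of Test-TargetResource and Set-TargetResource. A second context with `DisableInheritance = $true` on an inheriting item should assert that `AreAccessRulesProtected` is `$true` afterwards and that the expected explicit rules are still present.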
@@ -121,8 +122,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Deny -FileSystemRights ChangePermissions -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -164,8 +166,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights Modify -Inheritance 'This Folder Only' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -207,8 +210,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Absen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -269,8 +273,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -312,8 +317,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights @("CreateFiles", "AppendData") -Inheritance 'Subfolders and Files Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` @@ -337,8 +343,9 @@ Describe "$DSCResourceName\Test-TargetResource behavior with Ensure set to Prese $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -384,8 +391,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -429,8 +437,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -490,8 +499,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights DeleteSubdirectoriesAndFiles -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -550,8 +560,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights ReadAndExecute -Inheritance 'This Folder Subfolders and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -610,8 +621,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Absent $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights Modify -Inheritance 'This Folder Only' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -662,8 +674,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -737,8 +750,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -796,8 +810,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule ` 
@@ -854,8 +869,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $true -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -904,8 +920,9 @@ Describe "$DSCResourceName\Set-TargetResource behavior with Ensure set to Presen $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal 'Everyone' -ForcePrincipal $false -AccessControlType Allow -FileSystemRights 'Modify' -Inheritance 'This Folder Only' -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1091,8 +1108,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights FullControl -Inheritance 'This Folder and Files' -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1146,8 +1164,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $true -AccessControlType Allow -FileSystemRights "ReadAndExecute" -Inheritance "This folder subfolders and files" -Ensure Absent $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( 
@@ -1201,8 +1220,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights "ReadAndExecute" -Inheritance "This folder subfolders and files" -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @( @@ -1247,8 +1267,9 @@ Describe "$DSCResourceName\Compare-NtfsRule" { $pathName = "$TestDrive\TestDirectory" $TempAcl = New-AccessControlList -Principal "Everyone" -ForcePrincipal $false -AccessControlType Allow -FileSystemRights "Modify" -Inheritance "This Folder Only" -Ensure Present $ContextParams = @{ - Path = $pathName - AccessControlList = $TempAcl + Path = $pathName + AccessControlList = $TempAcl + DisableInheritance = $true } $TempAccessRules = @(