mcollera · rcarpenter79 · Jul 10, 2018 · Jul 11, 2018 · Jul 13, 2018
diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1 b/DscResources/NTFSAccessEntry/NTFSAccessEntry.psm1
@@ -28,6 +28,10 @@ Function Get-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $AccessControlList,
 
+        [Parameter()]
+        [bool]
+        $DisableInheritance = $false,
+
         [Parameter()]
         [bool]
         $Force = $false
@@ -94,6 +98,7 @@ Function Get-TargetResource
         Force = $Force
         Path = $inputPath
         AccessControlList = $CimAccessControlList
+        DisableInheritance = $currentACL.AreAccessRulesProtected
     }
 
     return $ReturnValue
@@ -112,6 +117,10 @@ Function Set-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $AccessControlList,
 
+        [Parameter()]
+        [bool]
+        $DisableInheritance = $false,
+
         [Parameter()]
         [bool]
         $Force = $false
@@ -123,9 +132,29 @@ Function Set-TargetResource
 
     if(Test-Path -Path $inputPath)
     {
-        $currentAcl = Get-Acl -Path $inputPath
+        $DirectoryInfo = Get-Item -Path $inputPath
+
+        $currentAcl = $DirectoryInfo.GetAccessControl()
+
+        $Expected = @()
+
         if($null -ne $currentAcl)
         {
+            if ($currentAcl.AreAccessRulesProtected -ne $DisableInheritance)
+            {
+                if ($currentAcl.AreAccessRulesProtected)
+                {
+                    Write-Verbose -Message 'Enabling inheritance'
+                }
+                else
+                {
+                    Write-Verbose -Message 'Disabling inheritance'
+                }
+
+                $preserveInheritance = $false
+                $currentAcl.SetAccessRuleProtection($DisableInheritance, $preserveInheritance)
+            }
+
             if($Force)
             {
                 foreach($AccessControlItem in $AccessControlList)
@@ -168,17 +197,6 @@ Function Set-TargetResource
                 }
             }
 
-            $isInherited = 0
-            $isInherited += $AbsentToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count
-            $isInherited += $ToBeRemoved.Rule.Where({$_.IsInherited -eq $true}).Count
-
-            if($isInherited -gt 0)
-            {
-                $currentAcl.SetAccessRuleProtection($true,$true)
-                Set-Acl -Path $inputPath -AclObject $currentAcl             
-            }
-
-
             foreach($Rule in $ToBeRemoved.Rule)
             {
                 try
@@ -192,7 +210,7 @@ Function Set-TargetResource
                     ("> InheritanceFlags  : '{0}'" -f $Rule.InheritanceFlags),
                     ("> PropagationFlags  : '{0}'" -f $Rule.PropagationFlags) |
                     Write-Verbose
-                    $currentAcl.RemoveAccessRule($Rule)
+                    $currentAcl.RemoveAccessRuleSpecific($Rule)
                 }
                 catch
                 {
@@ -223,26 +241,25 @@ Function Set-TargetResource
                 ("> PropagationFlags  : '{0}'" -f $Rule.PropagationFlags) |
                 Write-Verbose
 
-                $currentAcl.RemoveAccessRule($Rule)
+                $currentAcl.RemoveAccessRuleSpecific($Rule)
             }                      
 
-            foreach($Rule in $Expected)
+            foreach($NonMatchRule in $Expected.Where{$_.Match -eq $false}.Rule)
             {
-                    $NonMatch = $Rule.Rule
-                    ("Adding access rule:"),
-                    ("> Principal         : '{0}'" -f $NonMatch.IdentityReference),
-                    ("> Path              : '{0}'" -f $inputPath),
-                    ("> IdentityReference : '{0}'" -f $NonMatch.IdentityReference),
-                    ("> AccessControlType : '{0}'" -f $NonMatch.AccessControlType),
-                    ("> FileSystemRights  : '{0}'" -f $NonMatch.FileSystemRights),
-                    ("> InheritanceFlags  : '{0}'" -f $NonMatch.InheritanceFlags),
-                    ("> PropagationFlags  : '{0}'" -f $NonMatch.PropagationFlags) |
-                    Write-Verbose
+                ("Adding access rule:"),
+                ("> Principal         : '{0}'" -f $NonMatchRule.IdentityReference),
+                ("> Path              : '{0}'" -f $inputPath),
+                ("> IdentityReference : '{0}'" -f $NonMatchRule.IdentityReference),
+                ("> AccessControlType : '{0}'" -f $NonMatchRule.AccessControlType),
+                ("> FileSystemRights  : '{0}'" -f $NonMatchRule.FileSystemRights),
+                ("> InheritanceFlags  : '{0}'" -f $NonMatchRule.InheritanceFlags),
+                ("> PropagationFlags  : '{0}'" -f $NonMatchRule.PropagationFlags) |
+                Write-Verbose
 
-                    $currentAcl.AddAccessRule($Rule.Rule)
+                $currentAcl.AddAccessRule($NonMatchRule)
             }
 
-            Set-Acl -Path $inputPath -AclObject $currentAcl
+            $DirectoryInfo.SetAccessControl($currentAcl)
         }
         else
         {
@@ -271,6 +288,10 @@ Function Test-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $AccessControlList,
 
+        [Parameter()]
+        [bool]
+        $DisableInheritance = $false,
+
         [Parameter()]
         [bool]
         $Force = $false
@@ -284,16 +305,18 @@ Function Test-TargetResource
     if(Test-Path -Path $inputPath)
     {
         $currentACL = Get-Acl -Path $inputPath
-        $mappedACL = Update-FileSystemRightsMapping($currentAcl)
+        $mappedACL  = Update-FileSystemRightsMapping($currentAcl)
+
+        $Expected = @()
 
         if($null -ne $currentACL)
         {
             if($Force)
             {
                 foreach($AccessControlItem in $AccessControlList)
                 {
-                    $Principal = $AccessControlItem.Principal
-                    $Identity = Resolve-Identity -Identity $Principal
+                    $Principal   = $AccessControlItem.Principal
+                    $Identity    = Resolve-Identity -Identity $Principal
                     $IdentityRef = New-Object System.Security.Principal.NTAccount($Identity.Name)
 
                     $ACLRules += ConvertTo-FileSystemAccessRule -AccessControlList $AccessControlItem -IdentityRef $IdentityRef
@@ -353,7 +376,7 @@ Function Test-TargetResource
 
             if($AbsentToBeRemoved.Count -gt 0)
             {
-                foreach ($rule in $AbsentToBeRemoved)
+                foreach ($rule in $AbsentToBeRemoved.Rule)
                 {
                     ("Found [absent] permission rule:"),
                     ("> Principal         : '{0}'" -f $Rule.IdentityReference),
@@ -371,7 +394,7 @@ Function Test-TargetResource
 
             if($ToBeRemoved.Count -gt 0)
             {
-                foreach ($Rule in $ToBeRemoved)
+                foreach ($Rule in $ToBeRemoved.Rule)
                 {
                     ("Non-matching permission entry found:"),
                     ("> Principal         : '{0}'" -f $Rule.IdentityReference),
@@ -386,6 +409,12 @@ Function Test-TargetResource
 
                 $InDesiredState = $False
             }
+
+            if ($currentACL.AreAccessRulesProtected -ne $DisableInheritance)
+            {
+                Write-Verbose -Message ('Inheritance is {0} and should be {1}.' -f (-not $currentACL.AreAccessRulesProtected), (-not $DisableInheritance))
+                $InDesiredState = $False
+            }
         }
         else
         {
@@ -400,7 +429,7 @@ Function Test-TargetResource
         Write-Verbose -Message $Message
         $InDesiredState = $False
     }
-    
+
     return $InDesiredState
 }
 
@@ -557,7 +586,8 @@ Function Compare-NtfsRule
     $AbsentToBeRemoved = @()
 
     $PresentRules = $Expected.Where({$_.Ensure -eq 'Present'}).Rules
-    $AbsentRules = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules
+    $AbsentRules  = $Expected.Where({$_.Ensure -eq 'Absent'}).Rules
+
     foreach($refrenceObject in $PresentRules)
     {
         $match = $Actual.Where({
@@ -600,7 +630,7 @@ Function Compare-NtfsRule
         }
     }
 
-    foreach($refrenceObject in $Actual)
+    foreach($refrenceObject in $Actual.Where{$_.IsInherited -eq $false})
     {
         $match = @($Expected.Rules).Where({
             (((($_.FileSystemRights.value__ -band $refrenceObject.FileSystemRights.value__) -match "$($_.FileSystemRights.value__)|$($refrenceObject.FileSystemRights.value__)") -and !$Force) -or ($_.FileSystemRights -eq $refrenceObject.FileSystemRights -and $Force)) -and
@@ -633,7 +663,7 @@ Function Update-FileSystemRightsMapping
         $ACE
     )
 
-    foreach($Rule in $ACE.Access)
+    foreach($Rule in $ACE.Access.Where{$_.IsInherited -eq $false})
     {
         $rightsBand = [int]0xf0000000 -band $Rule.FileSystemRights.value__
         if( ($rightsBand -gt 0) -or ($rightsBand -lt 0) )

diff --git a/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof b/DscResources/NTFSAccessEntry/NTFSAccessEntry.schema.mof
@@ -1,24 +1,25 @@
-[ClassVersion("0.9.0.0")]
-class NTFSAccessControlEntry
-{
-    [Required, Description("Indicates whether to allow or deny access to the target item."), ValueMap{"Allow","Deny"}, Values{"Allow","Deny"}] String AccessControlType;    
-    [Required, Description("Indicates the access rights to be granted to the principal."), ValueMap{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}, Values{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}] String FileSystemRights[];
-    [Required, Description("Indicates the inheritance type of the permission entry."), ValueMap{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}, Values{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}] String Inheritance;
-    [Required, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure;
-};
-
-[ClassVersion("0.9.0.0")]
-class NTFSAccessControlList
-{
-    [Write, Description("Indicates the identity of the principal.")] String Principal;
-    [Write] Boolean ForcePrincipal;
-    [Write, Description("Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlEntry")] String AccessControlEntry[];
-};
-
-[ClassVersion("0.9.0.0"), FriendlyName("NTFSAccessEntry")]
-class NTFSAccessEntry : OMI_BaseResource
-{
-    [Key, Description("Indicates the path to the target item.")] String Path;
-    [Required, Description("Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlList")] String AccessControlList[];
-    [Write] Boolean Force;
-};
+[ClassVersion("0.9.0.0")]
+class NTFSAccessControlEntry
+{
+    [Required, Description("Indicates whether to allow or deny access to the target item."), ValueMap{"Allow","Deny"}, Values{"Allow","Deny"}] String AccessControlType;    
+    [Required, Description("Indicates the access rights to be granted to the principal."), ValueMap{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}, Values{"AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes"}] String FileSystemRights[];
+    [Required, Description("Indicates the inheritance type of the permission entry."), ValueMap{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}, Values{"This folder only","This folder subfolders and files","This folder and subfolders","This folder and files","Subfolders and files only","Subfolders only","Files only"}] String Inheritance;
+    [Required, ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] String Ensure;
+};
+
+[ClassVersion("0.9.0.0")]
+class NTFSAccessControlList
+{
+    [Write, Description("Indicates the identity of the principal.")] String Principal;
+    [Write] Boolean ForcePrincipal;
+    [Write, Description("Indicates the access control entry in the form of an array of instances of the AccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlEntry")] String AccessControlEntry[];
+};
+
+[ClassVersion("0.9.0.0"), FriendlyName("NTFSAccessEntry")]
+class NTFSAccessEntry : OMI_BaseResource
+{
+    [Key, Description("Indicates the path to the target item.")] String Path;
+    [Required, Description("Indicates the access control information in the form of an array of instances of the NTFSAccessControlList CIM class."), EmbeddedInstance("NTFSAccessControlList")] String AccessControlList[];
+    [Write] Boolean DisableInheritance;
+    [Write] Boolean Force;
+};