Functions/Protect-Acl.ps1

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

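function Protect-Acl
{
    <#
    .SYNOPSIS
    Protects an ACL so that changes to its parent's access rules are not inherited by it.
     
    .DESCRIPTION
    New items in the registry or file system will usually inherit ACLs from their parent. This function stops an item from inheriting rules from its parent, and will optionally preserve the existing inherited rules. Any existing, non-inherited access rules are left in place.

    Without `-Preserve`, every inherited access rule is removed. If the item has no explicit (non-inherited) rules, it is left with an empty access control list, which denies access to every principal until explicit rules are granted (e.g. with `Grant-Permission`). Grant the explicit rules you need first, or use `-Preserve`, and review the resulting ACL afterwards.

    Each path received from the pipeline is processed.
     
    .LINK
    Grant-Permission
     
    .EXAMPLE
    Protect-Acl -Path C:\Projects\Carbon
     
    Removes all inherited access rules from the `C:\Projects\Carbon` directory. Non-inherited rules are preserved.
     
    .EXAMPLE
    Protect-Acl -Path hklm:\Software\Carbon -Preserve
     
    Stops `HKLM:\Software\Carbon` from inheriting access rules from its parent, but preserves the existing, inherited access rules.
    #>

    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [string]
        # The file system or registry path whose access rule inheritance should be turned off.
        $Path,
        
        [Switch]
        # Keep the inherited access rules on this item.
        $Preserve
    )

    begin
    {
        Set-StrictMode -Version 'Latest'

        Use-CallerPreference -Cmdlet $PSCmdlet -Session $ExecutionContext.SessionState
    }

    # $Path binds from the pipeline, so the work has to happen in a process block;
    # without one the body runs only once, for the last object piped in.
    process
    {
        Write-Verbose "Removing access rule inheritance on '$Path'."
        $acl = Get-Acl -Path $Path

        # First argument: protect the ACL from inheritance.
        # Second argument: keep the currently inherited rules ($true) or drop them ($false).
        $acl.SetAccessRuleProtection( $true, $Preserve )

        # Set-Acl performs the write; -WhatIf/-Confirm given to this function reach it
        # through the preference variables set by SupportsShouldProcess.
        $acl | Set-Acl -Path $Path
    }
}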

# Expose Protect-Acl under the additional name Unprotect-AclAccessRules.
# NOTE(review): presumably kept for backward compatibility with an earlier name; confirm.
Set-Alias -Name 'Unprotect-AclAccessRules' -Value 'Protect-Acl'