PowerShell Configuring NTFS Advanced Permissions

I am trying to apply the NTFS permissions that are defined on the Advanced tab of Windows security settings. One ACL $Rulefor This folder onlyand one for Subfolders and files only.

Permissions are greatly changed, as shown below:

(Get-Acl 'L:\Test\Beez\RAPJOUR\Appels List\Correct').Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : DeleteSubdirectoriesAndFiles, Modify, Synchronize
AccessControlType : Allow
IdentityReference : Domain\Dirk
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

• All inclusive except: Full control, Record of attributes, Record of extended attributes, Deletion, Change of permissions and Acceptance of property rights.

• All inclusive, except: Full control, Change permissions and Take part.

This is part of the code that I use to apply permissions. In this case, it should be defined in part Change:

 $f = 'L:\Test\Beez\RAPJOUR\Appels List\Wrong'
 $ADobject = 'Domain\User'
 $acl = Get-Acl $f

 $Grant = 'Change'
    # Remove user/group first
    $rule = New-Object system.security.AccessControl.FileSystemAccessRule("$ADobject","Read",,,"Allow")
    $acl.RemoveAccessRuleAll($rule)

    # Add read permissions
    if ($Grant -eq 'ReadAndExecute') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
    }

    if ($Grant -eq 'Change') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "Synchronize", "Allow  DeleteSubdirectoriesAndFiles")
        $acl.AddAccessRule($rule)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "AppendData", "ContainerInherit, ObjectInherit", "ReadAndExecute","Synchronize", "Allow  CreateFiles","DeleteSubdirectoriesAndFiles")
    }

    if ($Grant -eq 'Modify') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    }

    if ($Grant -eq 'FullControl') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    }

    if ($Grant -eq 'ListFolderContents') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$ADobject", "ReadAndExecute", "ContainerInherit", "None", "Allow")
    }

$acl.AddAccessRule($rule)
Set-Acl $f $acl

I cannot force the syntax correctly .. Thanks for your help.

Thanks to this post, I already found this part for:

• ' ': "ContainerInherit, ObjectInherit", "InheritOnly"
• ' ': "None", "InheritOnly"