Powershell Script to add Administrators with full permissions adds Admin group with NO permissions


We have a shared drive that was very poorly managed for years. Full Control was given to users that had no reason to have full permissions. Naturally, they removed the administrators because "they don't need to see my things."

In an effort to reclaim control over everything on my network, I attempted to create a Powershell script that will do two things:

  1. Recursively take ownership of every folder and file
  2. Add my default Admin group and give it Full Control

Step 1 works like a charm, but step 2 only gets me halfway there. My script successfully adds the Admin group, but it gives NO permissions.

Pardon how crude the script is, it's a bit of a Frankenstein's Monster as I copy-pasted a few different scripts I found online to get this far.

function Recurse-Folder($folderPath, $identity) {
    # Walk every file and folder below $folderPath and run Take-Ownership on each one
    Get-ChildItem $folderPath -Recurse |
        ForEach-Object {
            Take-Ownership $_.FullName $identity
        }
}

function Take-Ownership($object, $identity) {
    # Give ownership of the object to the Administrators group (/A)
    takeown.exe /A /F $object

    # Read the current ACL
    $acl = Get-Acl -Path $object

    # Rule properties
    # $identity = "BUILTIN\Administrators"
    $fileSystemRights = "FullControl"
    $inheritanceFlags = "None"
    $propagationFlags = "None"
    $type = "Allow"

    # Create the new access rule
    $ruleArgs = $identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $type
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ruleArgs)

    # Apply the rule and write the ACL back to the object
    $acl.SetAccessRule($rule)
    (Get-Item $object).SetAccessControl($acl)
}

$Path = '\\ShareServer1\Share\'
$identity = 'BUILTIN\Administrators'
# $identity = 'NetAdmin'

Take-Ownership $Path $identity
Recurse-Folder $Path $identity

Write-Host
Write-Host Done...
Read-Host

Answer by filimonic:

$inheritanceFlags = "None"; $propagationFlags = "None" - This means you add permissions only to $object itself, without the files and folders inside it. This results in the following (I used $identity = 'Everyone' for this): [image: Permissions to object itself]


I recommend you manually set the required ACL through the GUI and then use (Get-Acl -Path '\\x\share\TestFolder').Access | ? {-not $_.IsInherited} to look up the correct Inheritance\Propagation combo.


To enable inheritance on subfolders or files, you can use $acl.SetAccessRuleProtection($false,$true) and $acl.SetAuditRuleProtection($false,$true). Read the docs.
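As an added example (not code from the question or the answer above), the following script combines the two points the answer makes: the admin ACE is created with ContainerInherit and ObjectInherit on folders so it flows down to children, inheritance is re-enabled with SetAccessRuleProtection($false, $true), and a helper lists only the explicit (non-inherited) ACEs so the applied Inheritance/Propagation combination can be checked. The share path and the group name are placeholders; takeown.exe, Get-Acl and Set-Acl are the real tools, and the script must run as a member of the local Administrators group.

```powershell
# Added example, not the asker's or answerer's script. Assumed placeholders:
# the share path '\\ShareServer1\Share' and the group 'BUILTIN\Administrators'.

function Grant-AdminFullControl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'BUILTIN\Administrators'
    )

    # Take ownership first (/A assigns it to the Administrators group); an object
    # whose ACL excludes admins cannot otherwise be read, let alone modified.
    takeown.exe /A /F $Path | Out-Null

    $acl  = Get-Acl -Path $Path
    $item = Get-Item -LiteralPath $Path -Force

    # Folders need ContainerInherit + ObjectInherit so the ACE reaches subfolders
    # and files; files cannot carry inheritance flags, so they get None.
    if ($item.PSIsContainer) {
        $inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inheritance = [System.Security.AccessControl.InheritanceFlags]::None
    }
    $propagation = [System.Security.AccessControl.PropagationFlags]::None

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inheritance,
        $propagation,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.SetAccessRule($rule)

    # isProtected = $false re-enables inheritance from the parent;
    # preserveInheritance = $true keeps the ACEs that were already inherited.
    $acl.SetAccessRuleProtection($false, $true)

    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitAce {
    param([Parameter(Mandatory)] [string] $Path)
    # Only the ACEs set directly on this object: the check the answer recommends
    # for confirming which Inheritance/Propagation combination was applied.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights,
                      InheritanceFlags, PropagationFlags, AccessControlType
}

# Usage with the placeholder path: fix the root, then every descendant, then verify.
$Root = '\\ShareServer1\Share'
Grant-AdminFullControl -Path $Root
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    Grant-AdminFullControl -Path $_.FullName
}
Get-ExplicitAce -Path $Root | Format-Table -AutoSize
```

Because the root ACE is inheritable and inheritance is re-enabled on each descendant, running Grant-AdminFullControl on every child is mostly belt-and-braces for objects whose ACL had inheritance blocked; after the run, Get-ExplicitAce on a subfolder should show no explicit admin entry, only the inherited one from the root.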