I have no idea what’s going on here but when I try to add a permission using Set-Acl on a share where the share itself has inherited permissions, all inherited permissions are removed. Consider the following setup:
Physical Path              Shared as
C:\File System\TopFolder   \\Server\TopFolder

If I add permissions on C:\File System with inheritance and propagation, those permissions show up on the share \\Server\TopFolder. This is expected. If I use Get-Acl and Set-Acl to add Access Rules to \\Server\TopFolder, then all inherited permissions on that share are removed. Here’s an example:
PS C:\Users\administrator> $FileSystemAcl = Get-Acl -Path "C:\File System"
PS C:\Users\administrator> $FileSystemAcl.Access | Select-Object IdentityReference,FileSystemRights,IsInherited

IdentityReference      FileSystemRights             IsInherited
-----------------      ----------------             -----------
NT AUTHORITY\SYSTEM    FullControl                  True
BUILTIN\Administrators FullControl                  True
BUILTIN\Users          ReadAndExecute, Synchronize  True
BUILTIN\Users          AppendData                   True
BUILTIN\Users          CreateFiles                  True
CREATOR OWNER          268435456                    True

PS C:\Users\administrator> $ShareAcl = Get-Acl -Path "\\Server\TopFolder"
PS C:\Users\administrator> $ShareAcl.Access | Select-Object IdentityReference,FileSystemRights,IsInherited

IdentityReference      FileSystemRights             IsInherited
-----------------      ----------------             -----------
DOMAIN\Domain Admins   FullControl                  False
DOMAIN\IT Services     FullControl                  False
NT AUTHORITY\SYSTEM    FullControl                  True
BUILTIN\Administrators FullControl                  True
BUILTIN\Users          ReadAndExecute, Synchronize  True
BUILTIN\Users          AppendData                   True
BUILTIN\Users          CreateFiles                  True
CREATOR OWNER          268435456                    True

PS C:\Users\administrator> $Permission = "DOMAIN\Administrator",
[System.Security.AccessControl.FileSystemRights]$("Modify", "Synchronize"),
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]"None",
[System.Security.AccessControl.AccessControlType]"Allow"
PS C:\Users\administrator> $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Permission)
PS C:\Users\administrator> $ShareAcl.SetAccessRule($AccessRule)
PS C:\Users\administrator> Set-Acl -Path "\\Server\TopFolder" -AclObject $ShareAcl
PS C:\Users\administrator> $ShareAcl = Get-Acl -Path "\\Server\TopFolder"
PS C:\Users\administrator> $ShareAcl.Access | Select-Object IdentityReference,FileSystemRights,IsInherited

IdentityReference      FileSystemRights             IsInherited
-----------------      ----------------             -----------
DOMAIN\administrator   Modify, Synchronize          False
DOMAIN\Domain Admins   FullControl                  False
DOMAIN\IT Services     FullControl                  False
As you can see, the explicit permissions remain but all inherited permissions are removed. I’ve confirmed that this only happens when you run Set-Acl on the share itself. I’ve also tried to use $ShareAcl.SetAccessRuleProtection($false,$true) to make sure it’s not the handling of existing permissions that is the issue. For any subfolder or file that is not directly shared, this is not an issue. What is the reason for this and is there any way I can circumvent this behaviour?
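Whatever the cause, a Set-Acl round trip that silently drops inherited entries changes the effective permissions of the share root without anyone noticing. The function below is an added example, not code from the question or from any answer: it snapshots the DACL (saving its SDDL to a file), adds the Allow rule the same way the question does, then re-reads the ACL and reports every inherited entry that was present before and is missing afterwards. The path, identity and backup directory in the usage line are placeholders; it assumes the caller can read and write the DACL and is running Windows PowerShell 3 or later.

```powershell
# Added example (not the asker's code). Adds an Allow ACE to $Path and checks that
# the inherited entries read before the change are still present afterwards, so a
# round trip that strips them is caught instead of left behind unnoticed.
# Assumptions: rights to read/write the DACL on $Path; placeholder path/identity.
function Add-AccessRuleChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify, Synchronize',
        [string] $BackupDirectory = $env:TEMP
    )

    # Snapshot the descriptor first and keep its SDDL on disk for manual recovery.
    $before = Get-Acl -Path $Path
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDirectory ("dacl-backup-{0}.sddl" -f $stamp)
    Set-Content -Path $backup -Value $before.Sddl -Encoding ASCII

    # One comparable string per ACE so the before/after sets can be diffed.
    $describe = { param($ace) '{0}|{1}|{2}' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType }
    $inheritedBefore = @($before.Access | Where-Object IsInherited | ForEach-Object { & $describe $_ })

    # Same rule shape as in the question: Allow, inherited by subfolders and files.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from the file system rather than trusting the in-memory object.
    $after = Get-Acl -Path $Path
    $inheritedAfter = @($after.Access | Where-Object IsInherited | ForEach-Object { & $describe $_ })
    $lost = @($inheritedBefore | Where-Object { $inheritedAfter -notcontains $_ })

    $result = [pscustomobject]@{
        Path            = $Path
        RuleAdded       = [bool]($after.Access | Where-Object {
                              -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
        InheritedBefore = $inheritedBefore.Count
        InheritedAfter  = $inheritedAfter.Count
        LostInherited   = $lost
        BackupSddl      = $backup
    }

    if ($lost.Count -gt 0) {
        Write-Warning ("Set-Acl on '{0}' dropped {1} inherited entries; original SDDL saved to {2}" -f
            $Path, $lost.Count, $backup)
    }
    return $result
}

# Usage (placeholders): inspect LostInherited before relying on the new permission.
# Add-AccessRuleChecked -Path '\\Server\TopFolder' -Identity 'DOMAIN\SomeUser' | Format-List
```

The comparison is done on re-read ACL data, not on the `$acl` object that was passed to Set-Acl, because that object still lists the inherited entries even when the file system no longer does; the saved SDDL gives an operator the exact pre-change descriptor to fall back on if the report shows losses.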