FileAclTools.psm1

<#
.Synopsis
   Wrapper for ACLs to allow easy setting or resetting.
.DESCRIPTION
   Wrapper for ACLs to allow easy setting or resetting.
.EXAMPLE
   Reset-FolderPermission -Path "\\server.name.ext\share\path\childpath" -ReplaceOwner -ResetInheritance
#>

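function Add-FolderAcl
{
    # Reads the ACL of each directory in -Path, applies the requested owner, ACE and
    # inheritance changes to the in-memory descriptor, then writes it back with Set-Acl.
    #
    # Security notes for callers:
    #   * -AddSystem defaults to ON, so a FullControl ACE for SYSTEM is added on every call
    #     unless it is explicitly disabled with -AddSystem:$false.
    #   * Both ACEs built in Begin{} are FullControl with ContainerInherit+ObjectInherit,
    #     so they propagate to child folders and files that inherit from the target.
    #   * -ResetAcl removes every explicit (non-inherited) ACE, including explicit Deny
    #     entries, before anything is added back. Review with -WhatIf -Verbose first.
    #
    # SupportsShouldProcess adds -WhatIf / -Confirm so the change can be previewed;
    # with neither switch the function behaves as it did without it.
    [CmdletBinding(SupportsShouldProcess=$true)]
    [Alias("Add-FolderPermission")]
    [OutputType([System.IO.DirectoryInfo])]
    Param
    (
        # Directory to perform ACL modification on (accepts DirectoryInfo, a string that resolves to a directory, etc).
        # NOTE(review): Test-Path without -PathType also accepts files - confirm whether that is intended.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [ValidateScript({Test-Path -Path $_})]
        [System.IO.DirectoryInfo[]]
        $Path,
        # Add ACE granting full control to builtin administrators group.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=1)]
        [Switch]
        $AddAdministrators=$false,
        # Replace owner with builtin administrators group.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=2)]
        [Switch]
        $ReplaceOwner=$false,
        # Add ACE granting full control to the local system identity.
        # Defaults to $true: pass -AddSystem:$false to leave SYSTEM untouched.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=3)]
        [Switch]
        $AddSystem=$true,
        # Enable ACL inheritance from parent.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=4)]
        [Switch]
        $ResetInheritance=$false,
        # Reset the entire ACL. Enables inheritance and removes direct ACL entries. Use sparingly.
        # Position was 4, colliding with -ResetInheritance in the same parameter set.
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$false,
                   Position=5)]
        [Switch]
        $ResetAcl=$false
    )

    Begin
    {
        # "BA" and "SY" are the SDDL aliases for BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
        $Administrators = [System.Security.Principal.SecurityIdentifier]::new("BA")
        $LocalSystem    = [System.Security.Principal.SecurityIdentifier]::new("SY")

        # Inherit to both sub-containers and files; -bor is the flag-combining operator.
        $InheritToChildren = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                             [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

        $AdminsFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.IdentityReference]$Administrators,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $InheritToChildren,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $SystemFullControlAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.IdentityReference]$LocalSystem,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $InheritToChildren,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
    }
    Process
    {
        foreach ($dir in $Path) {
            $acl = Get-Acl -Path $dir
            If (-not $acl) {
                # Get-Acl has already reported its own error; there is no descriptor to
                # write back, so skip this item instead of piping $null into Set-Acl.
                continue
            }

            If ($ResetAcl) {
                Write-Verbose "Resetting ACL on `"$dir`""
                # ($false, $false): do not protect the ACL from inheritance.
                $acl.SetAccessRuleProtection($false,$false)
                $acl.Access |
                Where-Object { $_.IsInherited -eq $false } |
                ForEach-Object {
                    # RemoveAccessRule returns a bool; discard it so it does not leak
                    # into the function's output stream.
                    $null = $acl.RemoveAccessRule($_)
                }
            }
            If ($ReplaceOwner) {
                Write-Verbose "Replacing owner on `"$dir`""
                # NOTE(review): writing a new owner usually needs an elevated session - verify.
                $acl.SetOwner($Administrators)
            }
            If ($AddAdministrators) {
                Write-Verbose "Adding full access for BUILTIN\Administrators on `"$dir`""
                $acl.AddAccessRule($AdminsFullControlAce)
            }
            If ($AddSystem) {
                # The "SY" SID is NT AUTHORITY\SYSTEM, not a BUILTIN\ account.
                Write-Verbose "Adding full access for NT AUTHORITY\SYSTEM on `"$dir`""
                $acl.AddAccessRule($SystemFullControlAce)
            }
            If ($ResetInheritance) {
                Write-Verbose "Resetting inheritance on `"$dir`""
                $acl.SetAccessRuleProtection($false,$false)
            }

            # Honour -WhatIf / -Confirm once here; -Confirm:$false stops Set-Acl from
            # prompting a second time for the same item.
            If ($PSCmdlet.ShouldProcess("$dir", "Write modified ACL")) {
                $acl | Set-Acl -Confirm:$false
            }
        }

    }
    End
    {
    }
}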