fixed bugs with flipped protection attribute

1 files changed, 15 insertions, 11 deletions

diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1
index 35b6809d..0d808bb8 100644
--- a/windows/win_acl_inheritance.ps1
+++ b/windows/win_acl_inheritance.ps1
@@ -38,20 +38,14 @@ Try {
     $inheritanceEnabled = !$objACL.AreAccessRulesProtected
 
     If (($state -eq "present") -And !$inheritanceEnabled) {
-        If ($reorganize) {
-            $objACL.SetAccessRuleProtection($True, $True)
-        } Else {
-            $objACL.SetAccessRuleProtection($True, $False)
-        }
-
-        Set-ACL $path $objACL
-        Set-Attr $result "changed" $true;
-    }
-    Elseif (($state -eq "absent") -And $inheritanceEnabled) {
         # second parameter is ignored if first=$False
         $objACL.SetAccessRuleProtection($False, $False)
 
         If ($reorganize) {
+            # it wont work without intermediate save, state would be the same
+            Set-ACL $path $objACL
+            $objACL = Get-ACL $path
+
             # convert explicit ACE to inherited ACE
             ForEach($inheritedRule in $objACL.Access) {
                 If (!$inheritedRule.IsInherited) {
@@ -59,7 +53,7 @@ Try {
                 }
 
                 ForEach($explicitRrule in $objACL.Access) {
-                    If ($inheritedRule.IsInherited) {
+                    If ($explicitRrule.IsInherited) {
                         Continue
                     }
 
@@ -73,6 +67,16 @@ Try {
         Set-ACL $path $objACL
         Set-Attr $result "changed" $true;
     }
+    Elseif (($state -eq "absent") -And $inheritanceEnabled) {
+        If ($reorganize) {
+            $objACL.SetAccessRuleProtection($True, $True)
+        } Else {
+            $objACL.SetAccessRuleProtection($True, $False)
+        }
+
+        Set-ACL $path $objACL
+        Set-Attr $result "changed" $true;
+    }
 }
 Catch {
     Fail-Json $result "an error occured when attempting to disable inheritance"