I found the following code on the internets that appears to do what I want it to, namely grant read and execute access on a folder and all subfolders and files to various AD groups.
Project path is the top-level folder for the groups in the $Domains\$Groups combos.

    # Read the current DACL of the top-level folder
    $Acl = (Get-Item $ProjectPath).GetAccessControl('Access')
    foreach ($Domain in $Domains) {
        foreach ($Group in $Groups) {
            $ADGroup = "$Domain\$Group"
            # Only add a rule when the group is not already listed on the ACL
            if ($Acl.AccessToString.IndexOf($ADGroup) -eq -1) {
                $permissions = $ADGroup, 'Read,ReadAndExecute,ListDirectory', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
                $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permissions
                # Add the rule to the in-memory ACL; Set-Acl below writes it to disk
                $Acl.AddAccessRule($Ar)
            }
        }
    }
    Set-Acl -Path $ProjectPath -AclObject $Acl

I expect that all child objects (folders and files) will get the permissions I grant to the parent folder. So far, this is working as it should. The current, child and grandchild files and folders all have the intended permissions.
Today, a user dropped a new file into a child folder. The file did not inherit all the permissions granted above. Not sure I understand why the groups to which I granted read and execute above can't see/read that file?
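
Added example, not part of the original post: a read-only audit that walks the project folder and reports every file or folder whose ACL has no Allow entry granting ReadAndExecute to an expected group, along with whether inheritance is blocked on that item. `Find-MissingGroupAccess` is a hypothetical helper name, and the path, domain and group in the final call are constructed placeholders to be replaced with the post's `$ProjectPath`, `$Domains` and `$Groups`.

```powershell
# Added example (not the poster's code). Find-MissingGroupAccess is a hypothetical helper.
function Find-MissingGroupAccess {
    param(
        [Parameter(Mandatory)] [string]   $ProjectPath,
        [Parameter(Mandatory)] [string[]] $Domains,
        [Parameter(Mandatory)] [string[]] $Groups
    )

    $needed   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # Same "$Domain\$Group" combinations the grant script builds
    $expected = foreach ($Domain in $Domains) { foreach ($Group in $Groups) { "$Domain\$Group" } }

    Get-ChildItem -LiteralPath $ProjectPath -Recurse -Force | ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName

        foreach ($ADGroup in $expected) {
            # An Allow ACE for this group that covers ReadAndExecute, inherited or explicit
            $allow = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $ADGroup -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $needed) -eq $needed
            }

            if (-not $allow) {
                [pscustomobject]@{
                    Path               = $item.FullName
                    Group              = $ADGroup
                    # True means the item does not accept inherited ACEs from its parent
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                    # Zero inherited ACEs with inheritance enabled means the parent's
                    # entries were never propagated to this item
                    InheritedAceCount  = @($acl.Access | Where-Object IsInherited).Count
                }
            }
        }
    }
}

# Constructed placeholder values; substitute the real project path, domains and groups.
Find-MissingGroupAccess -ProjectPath 'D:\Projects\Example' -Domains 'EXAMPLEDOM' -Groups 'Example-Readers' |
    Format-Table -AutoSize
```

The function only reads ACLs, so it can be run before deciding whether to re-enable inheritance on the reported items.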