SET-ACL folder permissions not applying correctly

Published 2019-07-24 01:43

Question:

I have two scripts: the first one creates a new root folder, and the second one creates a new child folder.

It is MOSTLY working correctly, but when the inherited permissions are pulled down to the child folder the permissions don't show on the Security tab. However, if I check Advanced the permissions are showing correctly...

This seems to be causing issues since the inherited permissions don't seem to be applying to the folder correctly.

What am I doing wrong? To clarify with an image:

Here are my two scripts:

Root/Parent Folder Creation:

# Create initial ACE
function New-Ace {
  [CmdletBinding()]
  Param(
    [Parameter(Mandatory=$true, Position=0)]
    [Security.Principal.NTAccount]$Account,
    [Parameter(Mandatory=$false, Position=1)]
    [Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
    [Parameter(Mandatory=$false, Position=2)]
    [Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
    [Parameter(Mandatory=$false, Position=3)]
    [Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
    [Parameter(Mandatory=$false, Position=4)]
    [Security.AccessControl.AccessControlType]$Type = 'Allow'
  )

  # Create the initial Object
  New-Object Security.AccessControl.FileSystemAccessRule(
    $Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
  )
}

# Set domain - This could also be changed to prompt for domain if we decide it is needed
$domain = 'ESG.INTL'
# Define local Administrators group by Well Known SID
$administrators = ([wmi]"Win32_Sid.Sid='S-1-5-32-544'").AccountName
$ADDomainUsers = "$domain\Domain Users"

# $path (the new folder), $ADNameRW and $ADNameRO (the AD file share groups)
# are set earlier in the script and are not shown in the post
$acl = Get-Acl $path

# Set additional ACEs for the new AD File Share Groups
$administrators, "$domain\Domain Admins" | ForEach-Object {
  $acl.AddAccessRule((New-Ace $_ 'FullControl'))
}
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))
$acl.AddAccessRule((New-Ace $ADDomainUsers 'ReadAndExecute'))

# Disable inheritance from above the root folder and drop the inherited ACEs
$acl.SetAccessRuleProtection($true, $false)

# Set ACLs on the new folder
Set-Acl $path $acl

Child Folder Creation:

# Create initial ACE
function New-Ace {
  [CmdletBinding()]
  Param(
    [Parameter(Mandatory=$true, Position=0)]
    [Security.Principal.NTAccount]$Account,
    [Parameter(Mandatory=$false, Position=1)]
    [Security.AccessControl.FileSystemRights]$Permissions = 'ReadAndExecute',
    [Parameter(Mandatory=$false, Position=2)]
    [Security.AccessControl.InheritanceFlags]$InheritanceFlags = 'ContainerInherit,ObjectInherit',
    [Parameter(Mandatory=$false, Position=3)]
    [Security.AccessControl.PropagationFlags]$PropagationFlags = 'NoPropagateInherit',
    [Parameter(Mandatory=$false, Position=4)]
    [Security.AccessControl.AccessControlType]$Type = 'Allow'
  )

  # Create the initial Object
  New-Object Security.AccessControl.FileSystemAccessRule(
    $Account, $Permissions, $InheritanceFlags, $PropagationFlags, $Type
  )
}

# Set domain - This could also be changed to prompt for domain if we decide it is needed
# Define local Administrators group by Well Known SID
# (the lines for these two steps, like $path, $ADNameRW and $ADNameRO, are not
# included in the posted child script)
$acl = Get-Acl $path

# Set additional ACEs for the new AD File Share Groups
$acl.AddAccessRule((New-Ace $ADNameRW 'Modify'))
$acl.AddAccessRule((New-Ace $ADNameRO 'ReadAndExecute'))

# Set ACLs on the new folder
Set-Acl $path $acl

Answer 1:

I found out what I was doing wrong; I misunderstood the propagation flags and how they apply to subfolders and files. Essentially I needed to set that to NONE on both scripts to work the way I wanted:

[Security.AccessControl.PropagationFlags]$PropagationFlags = 'None',

This allowed both folders to inherit and apply permissions appropriately each level down.
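An added example (not part of the question or the answer) that makes the difference visible: it builds a throwaway Parent\Child\GrandChild tree under %TEMP%, adds one ACE for BUILTIN\Users on the parent with the chosen PropagationFlags, and reports what each lower level inherited. With NoPropagateInherit the child receives the ACE with its inheritance flags cleared (it applies to that folder only) and the grandchild receives nothing; with None every level inherits it with ContainerInherit,ObjectInherit intact. The folder names and the test identity are constructed for the demo; it assumes Windows PowerShell on an NTFS volume.

```powershell
# Added example: observe how PropagationFlags on a parent ACE shape what
# Child and GrandChild inherit. Paths and BUILTIN\Users are demo choices.
function Test-AcePropagation {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.PropagationFlags]$PropagationFlags
    )
    $root  = Join-Path $env:TEMP ('acltest_' + [guid]::NewGuid().ToString('N'))
    $child = Join-Path $root 'Child'
    $grand = Join-Path $child 'GrandChild'
    New-Item -ItemType Directory -Path $grand -Force | Out-Null
    try {
        $identity = 'BUILTIN\Users'
        # Same shape as the New-Ace function in the question, with the
        # propagation flag supplied by the caller.
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Modify', 'ContainerInherit,ObjectInherit', $PropagationFlags, 'Allow')
        $acl = Get-Acl $root
        $acl.AddAccessRule($ace)
        Set-Acl -Path $root -AclObject $acl

        # Re-read each lower level; an inherited ACE carries its own flags,
        # which is what the Advanced dialog shows and the basic tab hides.
        foreach ($p in $child, $grand) {
            $rule = @((Get-Acl $p).Access | Where-Object {
                $_.IdentityReference -eq $identity -and
                $_.IsInherited -and
                $_.FileSystemRights -match 'Modify'
            })
            [pscustomobject]@{
                Level            = Split-Path $p -Leaf
                Inherited        = ($rule.Count -gt 0)
                InheritanceFlags = if ($rule.Count -gt 0) { $rule[0].InheritanceFlags } else { $null }
            }
        }
    }
    finally {
        # Clean up the demo tree regardless of outcome.
        Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Test-AcePropagation -PropagationFlags NoPropagateInherit
Test-AcePropagation -PropagationFlags None
```

Run it from a normal user session; it only touches folders it creates itself.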