Get-Acl/Set-Acl can be a royal pain unless you're the owner of the object you're trying to change permissions on -- even if you're an Administrator. If you want to change an ACL on an object you don't own you have to have the SeBackupPrivilege enabled for your identity/account. The only easy way I know of to modify system privileges is to install PowerShell Community Extensions and use Get/Set-Privilege. I really don't understand why this limitation exists but it does.
With that said, using icacls works very well under most conditions. There is a bug if you're setting permissions on a directory accessed through a share with Access Based Enumeration enabled. Everyone does this right? ;)
Touching a directory underneath an ABE controlled share with icacls causes the directory to disappear even if you still have permissions to that directory. If you use the Windows Explorer ACL editor to read and (re)apply the permissions set with icacls the directory is visible again.
After much head scratching it was determined that icacls was doing something to the synchronize bit. Without synchronize ABE causes the directory to be invisible. The simplest workaround would be to not use ABE but in our environment disabling ABE is not an option.
Another solution is to use SetACL.exe, which you can download from SourceForge. It has a very complicated syntax, imho, but is really powerful. It's also available as an OCX so you can script it via PowerShell.
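The Synchronize problem described above can be audited and repaired from plain PowerShell without icacls or SetACL. The script below is an added example, not code from the original post: it walks the explicit Allow entries on a directory, flags any that lack the Synchronize right (the bit ABE needs before it will list the folder), and with -Fix re-applies each such entry with Synchronize added via Set-Acl. The function name Test-SynchronizeRight and the sample path in the usage comment are my own choices, not anything from the post.

```powershell
# Added example (not from the original post). Finds explicit Allow ACEs on a
# directory that are missing the Synchronize right and optionally repairs them.
function Test-SynchronizeRight {
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [switch]$Fix
    )

    $sync = [System.Security.AccessControl.FileSystemRights]::Synchronize
    $acl  = Get-Acl -LiteralPath $Path

    # Collect first, then modify: changing $acl.Access while enumerating it is unsafe.
    # Inherited entries come from the parent and are fixed there, not here.
    # Entries carrying generic rights (high nibble 0xF0000000, shown by PowerShell as
    # raw numbers) implicitly include Synchronize, so they are skipped too.
    $deficient = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (([long]$_.FileSystemRights -band 0xF0000000) -eq 0) -and
        (([int]($_.FileSystemRights -band $sync)) -eq 0)
    })

    foreach ($ace in $deficient) {
        Write-Warning ("{0}: '{1}' has '{2}' without Synchronize" -f
            $Path, $ace.IdentityReference, $ace.FileSystemRights)
    }

    if (-not $Fix -or $deficient.Count -eq 0) { return $deficient }

    foreach ($ace in $deficient) {
        # Same identity, inheritance and propagation as before; only the rights change.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference,
            ($ace.FileSystemRights -bor $sync),
            $ace.InheritanceFlags,
            $ace.PropagationFlags,
            $ace.AccessControlType)
        [void]$acl.RemoveAccessRule($ace)   # drop the old entry...
        $acl.AddAccessRule($rule)           # ...and add it back with Synchronize set
    }

    # Set-Acl writes the whole descriptor held in $acl, owner field included, which
    # is why it needs the privilege situation described above when you don't own
    # the object. Run this from an elevated session.
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $deficient
}

# Usage (placeholder path, replace with a directory under your ABE share):
#   Test-SynchronizeRight -Path 'D:\Shares\Projects\Alpha'        # report only
#   Test-SynchronizeRight -Path 'D:\Shares\Projects\Alpha' -Fix   # report and repair
```

Run the report-only form across the share first (for example by piping Get-ChildItem -Directory output into it) so you know how many folders icacls has touched before changing anything; the function returns the deficient ACEs, so the output can be captured for a change record.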