To control access to files and folders in Windows, each NTFS file system object (a file or a folder) carries an ACL (Access Control List). The object's ACL defines which operations (permissions) a user or group may perform on that file system object. In most cases Windows administrators manage NTFS permissions through the File Explorer GUI (file/folder properties -> Security tab) or with a command-line tool. In this article we'll look at how to manage permissions on NTFS objects using PowerShell cmdlets. You can use these commands in your scripts or to automate the administration of NTFS access permissions on Windows file servers and workstations.
Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs
In PowerShell v5 (Windows 10/Windows Server 2016) there are two built-in cmdlets for managing ACLs (part of the Microsoft.PowerShell.Security module):
- Get-Acl — retrieves the current ACL (security descriptor) of a specific object on the NTFS file system;
- Set-Acl — writes a new or modified ACL to an object.
We won't cover these built-in cmdlets in detail, since their capabilities are usually not sufficient for real-world NTFS permission management tasks. Let's look at a few typical use cases instead.
To get the current owner of a folder (or file) and the list of assigned NTFS permissions, run:
Get-Acl C:\docs | fl
Path   : Microsoft.PowerShell.Core\FileSystem::C:\docs
Owner  : CORP\asmith
Group  : CORP\Domain Users
Access : PC-7L7JAK6\root Allow  ReadAndExecute, Synchronize
         BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
         NT AUTHORITY\Authenticated Users Allow  -536805376
Audit  :
Sddl   : O:S-1-5-21-2950832418-2342342341-4040681116-234234G:DUD:AI(A;OICI;0x1200a9;;;S-1-5-21-2601781602-2342342341-6543210895-1001)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
You can also display only the list of NTFS permissions (the Access property of the object returned by Get-Acl) in a more readable table form, selecting just the identity, rights, access type and inheritance fields of each entry.
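As an added example (not code from the original article), the following functions build that compact table with nothing but the built-in Get-Acl, and also decode numeric rights values such as the -536805376 shown in the listing above. That value is 0xE0010000, a mask of generic rights (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE plus DELETE, matching the SDGXGWGR in the SDDL) which Windows places in inherit-only ACEs and for which the FileSystemRights enumeration has no names. The folder path is the one used on this page; the function names are the example's own.

```powershell
# Added example: tabulate an NTFS DACL with Get-Acl and decode rights masks,
# including the generic-rights bits the FileSystemRights enumeration cannot name.
$GenericRights = @(
    @{ Mask = [uint32]2147483648; Name = 'GENERIC_READ' }    # 0x80000000
    @{ Mask = [uint32]1073741824; Name = 'GENERIC_WRITE' }   # 0x40000000
    @{ Mask = [uint32]536870912;  Name = 'GENERIC_EXECUTE' } # 0x20000000
    @{ Mask = [uint32]268435456;  Name = 'GENERIC_ALL' }     # 0x10000000
)

function ConvertTo-FileSystemRightsText {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    # Reinterpret the signed enum value as an unsigned 32-bit access mask
    $raw = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$Rights.value__), 0)
    $parts = @()
    $specific = $raw -band [uint32]268435455             # 0x0FFFFFFF: standard + specific rights
    if ($specific -ne 0) {
        # The enumeration knows every specific right, so let it name them
        $parts += ([System.Security.AccessControl.FileSystemRights][int]$specific).ToString()
    }
    foreach ($g in $GenericRights) {
        if (($raw -band $g.Mask) -ne 0) { $parts += $g.Name }
    }
    return ($parts -join ', ')
}

function Get-AppliesToText {
    # Translate InheritanceFlags/PropagationFlags into the "Applies to" wording of the GUI
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $inheritOnly = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $noPropagate = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
    $scope = @()
    if (-not $inheritOnly) { $scope += 'this folder' }
    if ($ci) { $scope += 'subfolders' }
    if ($oi) { $scope += 'files' }
    $text = $scope -join ', '
    if ($inheritOnly) { $text += ' only' }
    if ($noPropagate) { $text += ' (one level)' }
    return $text
}

function Get-NtfsAccessTable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = ConvertTo-FileSystemRightsText -Rights $ace.FileSystemRights
            AppliesTo = Get-AppliesToText -Rule $ace
            Inherited = $ace.IsInherited
        }
    }
}

Get-NtfsAccessTable -Path 'C:\docs' | Format-Table -AutoSize
```

Run against the folder from the listing above, the last Authenticated Users entry comes out as "Delete, GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE" applying to "subfolders, files only", which is what the raw -536805376 and the OICIIO flags in the SDDL encode.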
You can copy the current NTFS permissions from one folder (object) and apply them to another one:
Get-Acl E:\old_docs | Set-Acl C:\docs
For this to work, the account running the command must be the owner of the target object and hold the Take Ownership privilege, because Set-Acl writes the owner stored in the copied security descriptor along with the permissions.
The main drawback of Set-Acl is that the cmdlet always tries to write the resource owner stored in the security descriptor, even if you only want to change the NTFS permissions. So to add permissions on an object you have to use a somewhat longer script:
$path = "C:\docs"
$user = "corp\DSullivan"
$Permiss = "Read, ReadAndExecute, ListDirectory"
$InheritSettings = "ContainerInherit, ObjectInherit"
$PropagationSettings = "None"
$RuleType = "Allow"
$acl = Get-Acl $path
$perm = $user, $Permiss, $InheritSettings, $PropagationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)   # add the new ACE to the in-memory ACL; without this call Set-Acl writes the ACL back unchanged
$acl | Set-Acl -Path $path
To remove the NTFS permissions on a folder for a user or group:
$path = "C:\docs"
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false   # only explicit ACEs can be removed here; inherited ones live on the parent
$targetrule = $rules | where IdentityReference -eq "corp\DSullivan"
foreach ($r in $targetrule) { $acl.RemoveAccessRule($r) | Out-Null }   # the account may have more than one explicit ACE
$acl | Set-Acl -Path $path
To disable permission inheritance on a folder from PowerShell:
$path = 'C:\docs'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($True, $True)   # first $True: protect the folder (stop inheriting); second $True: keep copies of the currently inherited ACEs as explicit ones
Set-Acl -Path $path -AclObject $acl
Managing File Permissions with the NTFSSecurity PowerShell Module
As I've already mentioned, the built-in PowerShell cmdlets for managing file system objects are not very convenient. To manage NTFS permissions on files and folders in Windows it is better to use a separate module from the PowerShell Gallery: NTFSSecurity. You can install the latest version of the NTFSSecurity module (4.2.6 at the time of writing) with the Install-Module -Name NTFSSecurity command, or download it manually. When installing it manually, you just need to extract the module archive to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NTFSSecurity (don't forget to ).
Import the NTFSSecurity module into your PowerShell session (Import-Module NTFSSecurity) and display the list of commands available in the module (36 cmdlets):
Get-Command -Module NTFSSecurity
List the current NTFS permissions on the folder:
Get-Item 'C:\docs' | Get-NTFSAccess
As you can see, the current permissions are shown in a much more convenient form.
To grant a user or group Full Control permissions on a specific folder, run:
Add-NTFSAccess -Path C:\docs -Account 'CORP\RShelby','BUILTIN\Administrators' -AccessRights 'FullControl' -PassThru
Tip. By default the NTFSSecurity cmdlets don't return any output. Use the -PassThru parameter to make the command display the new ACL after it has been applied.
To grant permissions only at the top folder level without changing permissions on the nested objects (this folder only), use:
Add-NTFSAccess C:\docs\public -Account corp\LMurkowski -AccessRights Modify -AppliesTo ThisFolderOnly
To remove assigned NTFS permissions:
Remove-NTFSAccess -Path C:\docs -Account 'corp\LMurkowski' -AccessRights FullControl -PassThru
The following command removes the permissions of the given account on all nested objects in the folder (inherited permissions are skipped):
Get-ChildItem -Path C:\docs -Recurse | Get-NTFSAccess -Account 'corp\LMurkowski' -ExcludeInherited | Remove-NTFSAccess -PassThru
With the following command you can make the Administrator account the owner of all nested objects in the folder:
Get-ChildItem -Path C:\docs -Recurse -Force | Set-NTFSOwner -Account 'Administrator'
To clear all explicitly assigned permissions on the folder's objects (inherited permissions are not removed):
Get-ChildItem -Path C:\docs -Recurse -Force | Clear-NTFSAccess
To enable NTFS inheritance for all objects in a folder:
Get-ChildItem -Path C:\docs -Recurse -Force | Enable-NTFSAccessInheritance
To display all explicitly assigned permissions, excluding inherited ones:
dir C:\docs | Get-NTFSAccess -ExcludeInherited
You can also display the permissions assigned to a specific account (not to be confused with effective permissions, which we discuss below):
dir C:\docs | Get-NTFSAccess -Account woshub\RShelby
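As an added example that is not part of the original article or of the NTFSSecurity module itself, the following function combines the cmdlets above for a common offboarding task: every explicit (non-inherited) ACE that grants a departing user access anywhere in a tree is re-created for a group with the same rights, access type and scope, and only then removed from the user. The account and group names are placeholders. It relies on the FullName, Account, AccessRights, AccessControlType and AppliesTo properties of the objects Get-NTFSAccess returns and on the -AccessType and -AppliesTo parameters of Add-NTFSAccess.

```powershell
# Added example: move a user's explicit NTFS ACEs to a group across a folder tree (NTFSSecurity module).
Import-Module NTFSSecurity

function Move-NTFSAccessToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$FromAccount,   # placeholder, e.g. 'corp\LMurkowski'
        [Parameter(Mandatory)][string]$ToGroup        # placeholder, e.g. 'corp\Docs-Editors'
    )
    # Explicit ACEs only: inherited ones follow their parent and must not be touched here.
    $aces = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force) |
        Get-NTFSAccess -Account $FromAccount -ExcludeInherited
    foreach ($ace in $aces) {
        $target = "$($ace.FullName) [$($ace.AccessControlType) $($ace.AccessRights), $($ace.AppliesTo)]"
        if ($PSCmdlet.ShouldProcess($target, "grant to $ToGroup and revoke from $FromAccount")) {
            # Re-create the ACE for the group first so access never drops to zero in between.
            Add-NTFSAccess -Path $ace.FullName -Account $ToGroup -AccessRights $ace.AccessRights `
                -AccessType $ace.AccessControlType -AppliesTo $ace.AppliesTo
            $ace | Remove-NTFSAccess
        }
        [pscustomobject]@{
            Path      = $ace.FullName
            Type      = $ace.AccessControlType
            Rights    = $ace.AccessRights
            AppliesTo = $ace.AppliesTo
        }
    }
}

# Preview the affected ACEs first, then run for real
Move-NTFSAccessToGroup -Root 'C:\docs' -FromAccount 'corp\LMurkowski' -ToGroup 'corp\Docs-Editors' -WhatIf
Move-NTFSAccessToGroup -Root 'C:\docs' -FromAccount 'corp\LMurkowski' -ToGroup 'corp\Docs-Editors' | Format-Table -AutoSize
```

Deny ACEs are copied as well, which would deny the whole group; review the -WhatIf output for Deny entries before running the command without it.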
How to View NTFS Effective Permissions with PowerShell?
You can view the effective NTFS permissions on a specific file or folder using the Get-NTFSEffectiveAccess cmdlet. Suppose you have granted access to a folder to several AD security groups and want to know whether a specific user account (or ) can access the files in that folder. How can you do this without checking which groups the user account belongs to? This is where viewing effective NTFS permissions is very useful. For example, you want to view the effective permissions on all nested directories of a folder for the domain account confroom.
Get-ChildItem -Path C:\docs -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'corp\confroom' | select Account, AccessControlType, AccessRights, FullName
Or you can view the effective permissions on a specific file:
Get-Item -Path 'C:\docs\annual_report2019.xlsx' | Get-NTFSEffectiveAccess -Account 'corp\confroom' | Format-List
The user's current effective permissions on the file system object are shown in the AccessRights field.
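As an added example (not code from the article), the following builds on Get-NTFSEffectiveAccess to produce an access matrix: for each folder in a tree and each account of interest it reports whether the effective rights include write-type rights, read-type rights or nothing, which is the form an access review usually needs. The account names are placeholders, and the write/read classification is the example's own.

```powershell
# Added example: effective-access matrix for several accounts over a folder tree (NTFSSecurity module).
Import-Module NTFSSecurity

# Classification masks (example's own choice): anything that changes content or the ACL counts as Write
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ReadBits  = [int][System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

function Get-AccessLevel {
    param([Parameter(Mandatory)]$Rights)   # AccessRights value returned by Get-NTFSEffectiveAccess
    $raw = [int64]$Rights                   # compare as a number so the module's own enum type does not matter
    if (($raw -band $WriteBits) -ne 0) { return 'Write' }
    if (($raw -band $ReadBits) -ne 0)  { return 'Read' }
    return 'None'
}

function Get-NTFSAccessMatrix {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$Accounts
    )
    $folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Directory -Force)
    foreach ($folder in $folders) {
        $row = [ordered]@{ Path = $folder.FullName }
        foreach ($account in $Accounts) {
            # Effective access resolves the account's group memberships against this folder's ACL
            $eff = Get-NTFSEffectiveAccess -Path $folder.FullName -Account $account -ErrorAction SilentlyContinue
            $row[$account] = if ($eff) { Get-AccessLevel -Rights $eff.AccessRights } else { 'Error' }
        }
        [pscustomobject]$row
    }
}

# Placeholder accounts; 'Error' in a cell means the ACL could not be read or the account could not be resolved
Get-NTFSAccessMatrix -Root 'C:\docs' -Accounts 'corp\confroom', 'corp\DSullivan' | Format-Table -AutoSize
```

The result reflects NTFS permissions only: when the folder is reached through an SMB share, the share permissions are applied on top of it and can further restrict what the account can actually do.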