How to Manage NTFS Permissions with PowerShell?

In order to handle entry to recordsdata or folders in Windows, a particular ACL (Access Control List) is assigned to an NTFS file system object (a file or a folder). The ACL of the thing defines accessible operations (permissions) person or teams can carry out with file system object. In most instances, Windows directors use the File Explorer graphic interface (file/folder properties -> Security tab) or console software to handle NTFS permissions on recordsdata or folders. In this text we’ll look on how to handle permissions on the NTFS objects utilizing the PowerShell cmdlets. You can use these instructions in your scripts or to automate the administration of NTFS entry permissions on Windows file servers and workstations.

manage ntfs folder permissions from the object properties

Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs

In PowerShell v5 (Windows 10/Windows Server 2016), there are two separate built-in cmdlets to handle ACL (part of the Microsoft.PowerShell.Security module):

  • Get-Acl — permits to get present ACLs for the precise object on the NTFS file system;
  • Set-Acl – is used to add/change present object ACL.

We received’t contemplate these built-in cmdlets intimately, since their options normally are usually not sufficient to handle NTFS permissions in actual duties. Let’s dwell on some typical use instances.

To get the present proprietor of a folder (file) and the checklist of assigned NTFS permissions, run the command:

get-acl C:docs |fl

get-acl - powershell cmdlet to list current ntfs permissions

Path : Microsoft.PowerShell.CoreFileSystem::C:docs
Owner : CORPasmith
Group : CORPDomain Users
Access : PC-7L7JAK6root Allow ReadAndExecute, Synchronize
BUILTINAdministrators Allow FullControl
BUILTINUsers Allow ReadAndExecute, Synchronize
NT AUTHORITYAuthenticated Users Allow Modify, Synchronize
NT AUTHORITYAuthenticated Users Allow -536805376
Audit :
Sddl : O:S-1-5-21-2950832418-2342342341-4040681116-234234G:DUD:AI(A;OICI;0x1200a9;;;S-1-5-21-2601781602-2342342341-6543210895-1001)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
As you’ll be able to see, the present permissions are additionally displayed because the SDDl string — we briefly checked out this entry description format within the article .

You can show the lists of NTFS permissions solely in a clearer format:

(get-acl C:docs).entry

list ntfs access permissions with powershell

You can copy the present NTFS permissions from one NTFS folder (object) and apply them to one other one:

Get-Acl e:old_docs | Set-Acl C:docs

To do it, the account should be the proprietor of the thing and have Take Ownership privilege.

The major downside of utilizing Set-ACL is that the cmdlet is all the time attempting to change the useful resource proprietor, even for those who simply want to change the NTFS permissions. So to add the permissions on an object, you’ve got to use the next advanced script:

$path = "c:docs "
$person = "corpDSullivan"
$Permiss = "Read, ReadAndExecute, ListDirectory"
$InheritSettings = "Containerinherit, ObjectInherit"
$PropogationSettings = "None"
$RuleType = "Allow"
$acl = Get-Acl $path
$perm = $person, $Permiss, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -KindName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl | Set-Acl -Path $path

To take away the NTFS permission to entry a folder for a person or a bunch:
$path = "c:docs"
$acl = Get-Acl $path
$guidelines = $acl.Access | the place IsInherited -eq $false
$targetrule = $guidelines | the place IdentityReference -eq "corpDSullivan"
$acl | Set-Acl -Path $path

To disable folder inheritance from PowerShell:

$path = 'C:docs
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True) # the primary $True reveals if the folder is protected, the second $True specifies if the present NTFS permissions have to be copied
Set-Acl -Path $path -AclObject $acl

Managing File Permissions with the NTFSSecurity PowerShell Module

As I’ve already advised, the built-in PowerShell cmdlets to handle file system object isn’t very handy. To handle NTFS permissions on recordsdata and folders in Windows it’s best to higher use a separate module from the  PowerShell gallery – NTFSSecurity. You can set up the latest model of NTFSSecurity module (four.2.6, presently) utilizing the Install-Module -Name NTFSSecurity command or obtain it manually (the hyperlink). When putting in it manually, you simply want to extract the module archive to the C:WindowsSystem32WindowsPowerShellv1.zeroModulesNTFSSecurity (don’t forget to ).

Import the NTFSSecurity module to your PowerShell session:

Import-Module NTFSSecurity

Display the checklist of instructions accessible within the module (36 cmdlets):

Get-Command -Module NTFSSecurity

NTFSSecurity powershell module

List the present NTFS permissions of the folder:
Get-Item 'c:docs' | Get-NTFSAccess

As you’ll be able to see, the present permissions are proven in a extra handy kind.

Get-NTFSAccess permission list with powershell

To grant a person or a bunch full management permission on a particular folder, run this command:
Add-NTFSAccess -Path C:docs -Account 'CORPRShelby','BUILTINAdministrators' -AccessRights 'Fullcontrol' -PassThru

Tip. By default, the NTFSSecurity cmdlets don’t return any knowledge. Use the -PassThru parameter to make the command show new ACLs after it’s executed.

To grant permissions solely on the high folder degree and never to change permissions on the nested objects (folder solely), use this command:

Add-NTFSAccess c:docspublic -Account corpLMurkowski -AccessRights Modify -AppliesTo ThisFolderOnly

To take away the assigned NTFS permissions:

Remove-NTFSAccess -Path C:DOCS -Account 'corpLMurkowski' -AccessRights FullControl -PassThru

The subsequent command will take away the permissions for all nested objects within the folder for the given account (inherited permissions will likely be skipped):

Get-YoungsterItem -Path C:docs -Recurse | Get-NTFSAccess -Account 'corpLMurkowski' -ExcludeInherited |Remove-NTFSAccess -PassThru

With the next command, you may make the Administrator account an proprietor of all nested objects within the folder:

Get-YoungsterItem -Path C:docs -Recurse -Force | Set-NTFSOwner -Account 'Administrator'

To clear all permissions assigned to folder objects manually (inherited permissions won’t be eliminated):

Get-YoungsterItem -Path C:docs -Recurse -Force | Clear-NTFSAccess

To allow NTFS inheritance for all objects in a folder:

Get-YoungsterItem -Path C:docs -Recurse -Force | Enable-NTFSAccessInheritance

To show all permissions assigned manually besides the inherited ones:

dir C:docs | Get-NTFSAccess –ExcludeInherited

You can show the permissions assigned to the precise account (don’t confus it with the efficient permissions, we’ll talk about them later):

dir C:docs | Get-NTFSAccess -Account woshubRShelby

How to View NTFS Effective Permissions with PowerShell?

You can view the efficient NTFS permissions for a particular file or a folder utilizing the Get-EffectiveAccess cmdlet. Suppose, you’ve got granted entry to sure folder to a number of AD safety teams and also you need to know if the precise person account (or ) can entry the recordsdata folder. How are you able to do it with out that the person account belong to? This is the case when viewing efficient NTFS permissions may be very helpful. For instance, you want to view the efficient permissions on all nested directories in a folder for the area account confroom.

Get-YoungsterItem -Path c:docs -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'corpconfroom’ | choose Account, AccessControlKind, AccessRights, FullName

Or you’ll be able to view the efficient permissions for a sure file:

Get-Item -Path 'C:docsannual_report2019.xlsx' | Get-NTFSEffectiveAccess -Account 'corpconfroom' | Format-List

Get-NTFSEffectiveAccess - viewing effective user permissions

The present efficient person permissions on the file system object are specified within the AccessRights subject.

Check Also

Configuring L2TP/IPSec VPN Connection Behind a NAT, VPN Error Code 809

Due to disabling PPTP VPN help in iOS, one in all my shoppers determined to …

Leave a Reply

Your email address will not be published. Required fields are marked *