Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / PowerShell / How to Manage NTFS Permissions with PowerShell?

January 17, 2020 PowerShellWindows 10Windows Server 2016

How to Manage NTFS Permissions with PowerShell?

In order to manage access to files or folders in Windows, a special ACL (Access Control List) is assigned to an NTFS file system object (a file or a folder). The ACL of the object defines available operations (permissions) that a user or groups can perform with file system object. In most cases, Windows administrators use the File Explorer graphic interface (file/folder properties -> Security tab) or icacls console tool to manage NTFS permissions on files or folders. In this article we will look on how to manage permissions on the NTFS objects using the PowerShell cmdlets. You can use these commands in your scripts or to automate the management of NTFS access permissions on Windows file servers and workstations.

manage ntfs folder permissions from the object properties

Contents:
  • Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs
  • Managing File Permissions with the NTFSSecurity PowerShell Module
  • How to View NTFS Effective Permissions with PowerShell?

Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs

In PowerShell v5 (Windows 10/Windows Server 2016), there are two separate built-in cmdlets to manage ACL (a part of the Microsoft.PowerShell.Security module):

  • Get-Acl — allows to get current ACLs for the specific object on the NTFS file system;
  • Set-Acl – is used to add/change current object ACL.

We won’t consider these built-in cmdlets in detail, since their features in most cases are not enough to manage NTFS permissions in real tasks. Let’s dwell on some typical use cases.

To get the current owner of a folder (file) and the list of assigned NTFS permissions, run the command:

get-acl C:\docs\ |fl

get-acl - powershell cmdlet to list current ntfs permissions

Path : Microsoft.PowerShell.Core\FileSystem::C:\docs\
Owner : CORP\asmith
Group : CORP\Domain Users
Access : PC-7L7JAK6\root Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow -536805376
Audit :
Sddl : O:S-1-5-21-2950832418-2342342341-4040681116-234234G:DUD:AI(A;OICI;0x1200a9;;;S-1-5-21-2601781602-2342342341-6543210895-1001)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
As you can see, the current permissions are also displayed as the SDDl string — we briefly looked at this access description format in the article Setting Windows Service Permissions.

You can display the lists of NTFS permissions only in a clearer format:

(get-acl C:\docs\).access

list ntfs access permissions with powershell

You can copy the current NTFS permissions from one NTFS folder (object) and apply them to another one:

Get-Acl e:\old_docs | Set-Acl C:\docs

To do it, the account must be the owner of the object and have Take Ownership privilege.

The main problem of using Set-ACL is that the cmdlet is always trying to change the resource owner, even if you just need to change the NTFS permissions. So to add the permissions on an object, you have to use the following complex script:

$path = "c:\docs "
$user = "corp\DSullivan"
$Permiss = "Read, ReadAndExecute, ListDirectory"
$InheritSettings = "Containerinherit, ObjectInherit"
$PropogationSettings = "None"
$RuleType = "Allow"
$acl = Get-Acl $path
$perm = $user, $Permiss, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path

To remove the NTFS permission to access a folder for a user or a group:
$path = "c:\docs"
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false
$targetrule = $rules | where IdentityReference -eq "corp\DSullivan"
$acl.RemoveAccessRule($targetrule)
$acl | Set-Acl -Path $path

To disable folder inheritance from PowerShell:

$path = 'C:\docs
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True) # the first $True shows if the folder is protected, the second $True specifies if the current NTFS permissions have to be copied
Set-Acl -Path $path -AclObject $acl

Also, using the Get-Acl and Set-Acl you can manage NTFS audit settings for the objects (see the articles Tracking down who removed files from shared folder) or about current OU Delegated permissions in AD.

Managing File Permissions with the NTFSSecurity PowerShell Module

As I have already told, the built-in PowerShell cmdlets to manage file system object is not very convenient. To manage NTFS permissions on files and folders in Windows you should better use a separate module from the  PowerShell gallery – NTFSSecurity. You can install the latest version of NTFSSecurity module (4.2.6, currently) using the Install-Module -Name NTFSSecurity command or download it manually (the link). When installing it manually, you just need to extract the module archive to the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NTFSSecurity (do not forget to unblock the downloaded file).

Import the NTFSSecurity module to your PowerShell session:

Import-Module NTFSSecurity

Display the list of commands available in the module (36 cmdlets):

Get-Command -Module NTFSSecurity

NTFSSecurity powershell module

List the current NTFS permissions of the folder:
Get-Item 'c:\docs' | Get-NTFSAccess

As you can see, the current permissions are shown in a more convenient form.

Get-NTFSAccess permission list with powershell

To grant a user or a group full control permission on a specific folder, run this command:
Add-NTFSAccess -Path C:\docs -Account 'CORP\RShelby','BUILTIN\Administrators' -AccessRights 'Fullcontrol' -PassThru

Tip. By default, the NTFSSecurity cmdlets do not return any data. Use the -PassThru parameter to make the command display new ACLs after it is executed.

To grant permissions only at the top folder level and not to change permissions on the nested objects (folder only), use this command:

Add-NTFSAccess c:\docs\public -Account corp\LMurkowski -AccessRights Modify -AppliesTo ThisFolderOnly

To remove the assigned NTFS permissions:

Remove-NTFSAccess -Path C:\DOCS -Account 'corp\LMurkowski' -AccessRights FullControl -PassThru

The next command will remove the permissions for all nested objects in the folder for the given account (inherited permissions will be skipped):

Get-ChildItem -Path C:\docs -Recurse | Get-NTFSAccess -Account 'corp\LMurkowski' -ExcludeInherited |Remove-NTFSAccess -PassThru

With the following command, you can make the Administrator account an owner of all nested objects in the folder:

Get-ChildItem -Path C:\docs -Recurse -Force | Set-NTFSOwner -Account 'Administrator'

To clear all permissions assigned to folder objects manually (inherited permissions will not be removed):

Get-ChildItem -Path C:\docs -Recurse -Force | Clear-NTFSAccess

To enable NTFS inheritance for all objects in a folder:

Get-ChildItem -Path C:\docs -Recurse -Force | Enable-NTFSAccessInheritance

To display all permissions assigned manually except the inherited ones:

dir C:\docs | Get-NTFSAccess –ExcludeInherited

You can display the permissions assigned to the specific account (don’t confus it with the effective permissions, we’ll discuss them later):

dir C:\docs | Get-NTFSAccess -Account woshub\RShelby

How to View NTFS Effective Permissions with PowerShell?

You can view the effective NTFS permissions for a specific file or a folder using the Get-EffectiveAccess cmdlet. Suppose, you have granted access to certain folder to several AD security groups and you want to know if the specific user account (or SID) can access the files folder. How can you do it without listing all the members of the AD groups that the user account belong to? This is the case when viewing effective NTFS permissions is very useful. For example, you need to view the effective permissions on all nested directories in a folder for the domain account confroom.

Get-ChildItem -Path c:\docs -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'corp\confroom’ | select Account, AccessControlType, AccessRights, FullName

Or you can view the effective permissions for a certain file:

Get-Item -Path 'C:\docs\annual_report2019.xlsx' | Get-NTFSEffectiveAccess -Account 'corp\confroom' | Format-List

Get-NTFSEffectiveAccess - viewing effective user permissions

The current effective user permissions on the file system object are specified in the AccessRights field.

1 comment
2
Facebook Twitter Google + Pinterest
previous post
How to Check If a PowerShell Script Is Run As Administrator?
next post
DNS Resolution via VPN Not Working on Windows 10

Related Reading

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

Enable Internet Explorer (IE) Compatibility Mode in Microsoft...

January 27, 2023

Finding Duplicate E-mail (SMTP) Addresses in Exchange

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

1 comment

serg November 9, 2022 - 5:57 am

Change owner of files with Powershell

Let our target be in the $target variable. Let the new owner of our file be the PC\user account.

Let’s first create an acl variable:

$acl = Get-Acl -Path $target

Next, let’s create an account object.

$account = New-Object-TypeName System.Security.Principal.NTAccount -ArgumentList “PC\user”

Then let’s change the Owner inside the $acl object.

$acl.SetOwner($account)

Then let’s reflect it to the file system with Set-Acl.

Set-Acl -Path $target -AclObject $acl

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Installing RSAT Administration Tools on Windows 10 and 11
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Hide Installed Programs in Windows 10 and 11?
  • Managing Printers and Drivers with PowerShell in Windows 10 / Server 2016
  • How to Create a UEFI Bootable USB Drive to Install Windows 10 or 7?
  • PowerShell: Get Folder Sizes on Disk in Windows
  • Deploy PowerShell Active Directory Module without Installing RSAT
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top