In order to manage access to files or folders in Windows, a special ACL (Access Control List) is assigned to an NTFS file system object (a file or a folder). The ACL of the object defines available operations (permissions) that a user or groups can perform with file system object. In most cases, Windows administrators use the File Explorer graphic interface (file/folder properties -> Security tab) or icacls console tool to manage NTFS permissions on files or folders. In this article we will look on how to manage permissions on the NTFS objects using the PowerShell cmdlets. You can use these commands in your scripts or to automate the management of NTFS access permissions on Windows file servers and workstations.
Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs
In PowerShell v5 (Windows 10/Windows Server 2016), there are two separate built-in cmdlets to manage ACL (a part of the Microsoft.PowerShell.Security module):
- Get-Acl — allows to get current ACLs for the specific object on the NTFS file system;
- Set-Acl – is used to add/change current object ACL.
We won’t consider these built-in cmdlets in detail, since their features in most cases are not enough to manage NTFS permissions in real tasks. Let’s dwell on some typical use cases.
To get the current owner of a folder (file) and the list of assigned NTFS permissions, run the command:
get-acl C:\docs\ |fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\docs\ Owner : CORP\asmith Group : CORP\Domain Users Access : PC-7L7JAK6\root Allow ReadAndExecute, Synchronize BUILTIN\Administrators Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Users Allow ReadAndExecute, Synchronize NT AUTHORITY\Authenticated Users Allow Modify, Synchronize NT AUTHORITY\Authenticated Users Allow -536805376 Audit : Sddl : O:S-1-5-21-2950832418-2342342341-4040681116-234234G:DUD:AI(A;OICI;0x1200a9;;;S-1-5-21-2601781602-2342342341-6543210895-1001)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
You can display the lists of NTFS permissions only in a clearer format:
(get-acl C:\docs\).access
You can copy the current NTFS permissions from one NTFS folder (object) and apply them to another one:
Get-Acl e:\old_docs | Set-Acl C:\docs
The main problem of using Set-ACL is that the cmdlet is always trying to change the resource owner, even if you just need to change the NTFS permissions. So to add the permissions on an object, you have to use the following complex script:
$path = "c:\docs "
$user = "corp\DSullivan"
$Permiss = "Read, ReadAndExecute, ListDirectory"
$InheritSettings = "Containerinherit, ObjectInherit"
$PropogationSettings = "None"
$RuleType = "Allow"
$acl = Get-Acl $path
$perm = $user, $Permiss, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
To remove the NTFS permission to access a folder for a user or a group:
$path = "c:\docs"
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false
$targetrule = $rules | where IdentityReference -eq "corp\DSullivan"
$acl.RemoveAccessRule($targetrule)
$acl | Set-Acl -Path $path
To disable folder inheritance from PowerShell:
$path = 'C:\docs
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True) # the first $True shows if the folder is protected, the second $True specifies if the current NTFS permissions have to be copied
Set-Acl -Path $path -AclObject $acl
Managing File Permissions with the NTFSSecurity PowerShell Module
As I have already told, the built-in PowerShell cmdlets to manage file system object is not very convenient. To manage NTFS permissions on files and folders in Windows you should better use a separate module from the PowerShell gallery – NTFSSecurity. You can install the latest version of NTFSSecurity module (4.2.6, currently) using the Install-Module -Name NTFSSecurity command or download it manually (the link). When installing it manually, you just need to extract the module archive to the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NTFSSecurity (do not forget to unblock the downloaded file).
Import the NTFSSecurity module to your PowerShell session:
Import-Module NTFSSecurity
Display the list of commands available in the module (36 cmdlets):
Get-Command -Module NTFSSecurity
List the current NTFS permissions of the folder:
Get-Item 'c:\docs' | Get-NTFSAccess
As you can see, the current permissions are shown in a more convenient form.
To grant a user or a group full control permission on a specific folder, run this command:
Add-NTFSAccess -Path C:\docs -Account 'CORP\RShelby','BUILTIN\Administrators' -AccessRights 'Fullcontrol' -PassThru
To grant permissions only at the top folder level and not to change permissions on the nested objects (folder only), use this command:
Add-NTFSAccess c:\docs\public -Account corp\LMurkowski -AccessRights Modify -AppliesTo ThisFolderOnly
To remove the assigned NTFS permissions:
Remove-NTFSAccess -Path C:\DOCS -Account 'corp\LMurkowski' -AccessRights FullControl -PassThru
The next command will remove the permissions for all nested objects in the folder for the given account (inherited permissions will be skipped):
Get-ChildItem -Path C:\docs -Recurse | Get-NTFSAccess -Account 'corp\LMurkowski' -ExcludeInherited |Remove-NTFSAccess -PassThru
With the following command, you can make the Administrator account an owner of all nested objects in the folder:
Get-ChildItem -Path C:\docs -Recurse -Force | Set-NTFSOwner -Account 'Administrator'
To clear all permissions assigned to folder objects manually (inherited permissions will not be removed):
Get-ChildItem -Path C:\docs -Recurse -Force | Clear-NTFSAccess
To enable NTFS inheritance for all objects in a folder:
Get-ChildItem -Path C:\docs -Recurse -Force | Enable-NTFSAccessInheritance
To display all permissions assigned manually except the inherited ones:
dir C:\docs | Get-NTFSAccess –ExcludeInherited
You can display the permissions assigned to the specific account (don’t confus it with the effective permissions, we’ll discuss them later):
dir C:\docs | Get-NTFSAccess -Account woshub\RShelby
How to View NTFS Effective Permissions with PowerShell?
You can view the effective NTFS permissions for a specific file or a folder using the Get-EffectiveAccess cmdlet. Suppose, you have granted access to certain folder to several AD security groups and you want to know if the specific user account (or SID) can access the files folder. How can you do it without listing all the members of the AD groups that the user account belong to? This is the case when viewing effective NTFS permissions is very useful. For example, you need to view the effective permissions on all nested directories in a folder for the domain account confroom.
Get-ChildItem -Path c:\docs -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'corp\confroom’ | select Account, AccessControlType, AccessRights, FullName
Or you can view the effective permissions for a certain file:
Get-Item -Path 'C:\docs\annual_report2019.xlsx' | Get-NTFSEffectiveAccess -Account 'corp\confroom' | Format-List
The current effective user permissions on the file system object are specified in the AccessRights field.
