How to Manage NTFS Permissions with PowerShell

By July 1, 2020No Comments

In order to manage access to files or folders in Windows, a special ACL (Access Control List) is assigned to an NTFS file system object (a file or a folder). The ACL of the object defines available operations (permissions) that a user or groups can perform with file system object. In most cases, Windows administrators use the File Explorer graphic interface (file/folder properties -> Security tab) or icacls console tool to manage NTFS permissions on files or folders. In this post we will look on how to manage permissions on the NTFS objects using the PowerShell cmdlets. You can use these commands in your scripts or to automate the management of NTFS access permissions on Windows file servers and workstations.

manage ntfs folder permissions from the object properties

Get-Acl & Set-Acl: the Built-in PowerShell Cmdlets to Manage NTFS ACLs

In PowerShell v5 (Windows 10/Windows Server 2016), there are two separate built-in cmdlets to manage ACL (a part of the Microsoft.PowerShell.Security module):

  • Get-Acl — allows to get current ACLs for the specific object on the NTFS file system;
  • Set-Acl – is used to add/change current object ACL.

We won’t look at these built-in cmdlets in detail, since their features in most cases are not enough to manage NTFS permissions in real tasks. Let’s dwell on some typical use cases.

To get the current owner of a folder (file) and the list of assigned NTFS permissions, run the command:

get-acl C:\docs\ |fl

get-acl - powershell cmdlet to list current ntfs permissions
Path : Microsoft.PowerShell.Core\FileSystem::C:\docs\
Owner : CORP\asmith
Group : CORP\Domain Users
Access : PC-7L7JAK6\root Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow -536805376
Audit :
Sddl : O:S-1-5-21-2950832418-2342342341-4040681116-234234G:DUD:AI(A;OICI;0x1200a9;;;S-1-5-21-2601781602-2342342341-6543210895-1001)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)

As you can see, the current permissions are also displayed as the SDDl string.

You can display the lists of NTFS permissions only in a clearer format:

(get-acl C:\docs\).access

list ntfs access permissions with powershell

You can copy the current NTFS permissions from one NTFS folder (object) and apply them to another one:

Get-Acl e:\old_docs | Set-Acl C:\docsTo do it, the account must be the owner of the object and have Take Ownership privilege.

The main problem of using Set-ACL is that the cmdlet is always trying to change the resource owner, even if you just need to change the NTFS permissions. So to add the permissions on an object, you have to use the following complex script:

$path = "c:\docs "
$user = "contoso\john.smith"
$Permiss = "Read, ReadAndExecute, ListDirectory"
$InheritSettings = "Containerinherit, ObjectInherit"
$PropogationSettings = "None"
$RuleType = "Allow"
$acl = Get-Acl $path
$perm = $user, $Permiss, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl | Set-Acl -Path $path

To remove the NTFS permission to access a folder for a user or a group:
$path = "c:\docs"
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false
$targetrule = $rules | where IdentityReference -eq "contoso\john.smith"
$acl | Set-Acl -Path $path

To disable folder inheritance from PowerShell:

$path = 'C:\docs
$acl = Get-ACL -Path $path
$acl.SetAccessRuleProtection($True, $True) # the first $True shows if the folder is protected, the second $True specifies if the current NTFS permissions have to be copied
Set-Acl -Path $path -AclObject $acl
Also, using the Get-Acl and Set-Acl you can manage NTFS audit settings for the objects.

Managing File Permissions with the NTFSSecurity PowerShell Module

As I have already mentioned, the built-in PowerShell cmdlets to manage file system object is not very convenient. To manage NTFS permissions on files and folders in Windows you should better use a separate module from the  PowerShell gallery – NTFSSecurity. You can install the latest version of NTFSSecurity module (4.2.6, currently) using the Install-Module -Name NTFSSecurity command or download it manually here. When installing it manually, you just need to extract the module archive to the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NTFSSecurity.

Import the NTFSSecurity module to your PowerShell session:

Import-Module NTFSSecurity

Display the list of commands available in the module (36 cmdlets):

Get-Command -Module NTFSSecurity

NTFSSecurity powershell module

List the current NTFS permissions of the folder:
Get-Item 'c:\docs' | Get-NTFSAccess

As you can see, the current permissions are shown in a more convenient form.

Get-NTFSAccess permission list with powershell

To grant a user or a group full control permission on a specific folder, run this command:
Add-NTFSAccess -Path C:\docs -Account 'CORP\RShelby','BUILTIN\Administrators' -AccessRights 'Fullcontrol' -PassThru
Tip. By default, the NTFSSecurity cmdlets do not return any data. Use the -PassThru parameter to make the command display new ACLs after it is executed.

To grant permissions only at the top folder level and not to change permissions on the nested objects (folder only), use this command:

Add-NTFSAccess c:\docs\public -Account contoso\jane.doe -AccessRights Modify -AppliesTo ThisFolderOnly

To remove the assigned NTFS permissions:

Remove-NTFSAccess -Path C:\DOCS -Account 'contoso\jane.doe' -AccessRights FullControl -PassThru

The next command will remove the permissions for all nested objects in the folder for the given account (inherited permissions will be skipped):

Get-ChildItem -Path C:\docs -Recurse | Get-NTFSAccess -Account 'contoso\jane.doe' -ExcludeInherited |Remove-NTFSAccess -PassThru

With the following command, you can make the Administrator account an owner of all nested objects in the folder:

Get-ChildItem -Path C:\docs -Recurse -Force | Set-NTFSOwner -Account 'Administrator'

To clear all permissions assigned to folder objects manually (inherited permissions will not be removed):

Get-ChildItem -Path C:\docs -Recurse -Force | Clear-NTFSAccess

To enable NTFS inheritance for all objects in a folder:

Get-ChildItem -Path C:\docs -Recurse -Force | Enable-NTFSAccessInheritance

To display all permissions assigned manually except the inherited ones:

dir C:\docs | Get-NTFSAccess –ExcludeInherited

You can display the permissions assigned to the specific account (don’t confuse it with the effective permissions, we’ll discuss them later):

dir C:\docs | Get-NTFSAccess -Account contoso\john.smith

How to View NTFS Effective Permissions with PowerShell?

You can view the effective NTFS permissions for a specific file or a folder using the Get-EffectiveAccess cmdlet. Suppose, you have granted access to certain folder to several AD security groups and you want to know if the specific user account (or SID) can access the files folder. How can you do it without listing all the members of the AD groups that the user account belong to? This is the case when viewing effective NTFS permissions is very useful. For example, you need to view the effective permissions on all nested directories in a folder for the domain account jane.doe.

Get-ChildItem -Path c:\docs -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'contoso\jane.doe’ | select Account, AccessControlType, AccessRights, FullName

Or you can view the effective permissions for a certain file:

Get-Item -Path 'C:\docs\annual_report2019.xlsx' | Get-NTFSEffectiveAccess -Account 'contoso\jane.doe' | Format-List

Get-NTFSEffectiveAccess - viewing effective user permissions

The current effective user permissions on the file system object are specified in the AccessRights field.

Leave a Reply