Unfortunately, even the Windows PowerShell v5 April 2015 preview contains only two cmdlets related to access control lists (ACLs), and they are pretty weak:
In today’s exercise, we’ll use Raimund Andrée’s File System Security PowerShell module to simplify NTFS permissions management. By using Windows PowerShell remoting and Raimund’s module, you can automate what is otherwise tedious, time-consuming manual work.
Begin by downloading Raimund's module from the TechNet Script Center and unpacking the ZIP file to a folder named NTFSSecurity in one of your $env:PSModulePath locations. Because the ZIP came from the Internet, Windows tags it with a Zone.Identifier mark; unblock the ZIP before extracting it (or run Unblock-File on the extracted files), otherwise Import-Module will refuse to load the DLLs. By default, your PowerShell module path is:
C:\Program Files\WindowsPowerShell\Modules
(The module has since been published to the PowerShell Gallery, so on a current system Install-Module NTFSSecurity takes care of all of this for you.)
Here’s a picture from my Windows 8.1 administrative workstation:
Make sure your PowerShell modules are stored in the proper location.
You'll note that Raimund's NTFSSecurity project is quite a bit more complex than other custom modules you might have seen, including several dynamic link libraries (DLLs). More to the point, Raimund leverages the AlphaFS library, a .NET wrapper that exposes more of the Win32 file system API (long paths, for instance) than System.IO does, to reach the NTFS security features the module needs.
The final preliminary ingredient we need here is a folder and some files to play with. I created a folder named dox in the root of drive C: and populated the folder with a subfolder and a bunch of dummy files. Look here:
We need some files to play with.
Okay—no more File Explorer. From now on, everything we do will be from an elevated Windows PowerShell console session, with a bit of Out-GridView thrown in for good measure. Let’s begin!
Viewing NTFS permissions
First, let’s verify that PowerShell module auto-loading properly recognizes our new NTFSSecurity module. Use Get-Command to auto-import the NTFSSecurity module and enumerate its commands:
Get-Command -Module NTFSSecurity
On an NTFS volume, every folder and file carries a discretionary access control list (DACL) that, in turn, consists of zero or more access control entries (ACEs). Each ACE allows or denies a set of rights to one security principal (a user, group, or computer account). An ACE is either set explicitly on the object or inherited from a parent folder, a distinction that matters later when we look at effective access.
Let’s start by enumerating the NTFS ACEs for C:\dox and output the results in a grid view:
Get-NTFSAccess -Path 'C:\Dox' | Out-GridView -Title 'C:\Dox Permissions'
This is a view of the ACEs of a directory.
We can do the same thing for individual files:
Get-NTFSAccess -Path 'C:\dox\cbt.png' | Select-Object -Property Account, AccessRights

Account                          AccessRights
-------                          ------------
BUILTIN\Administrators           FullControl
NT AUTHORITY\SYSTEM              FullControl
BUILTIN\Users                    ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Modify, Synchronize
To list permissions for all folder contents recursively, we can combine Get-ChildItem, Get-NTFSAccess, and the PowerShell pipeline:
Get-ChildItem -Path 'C:\dox' -Recurse | Get-NTFSAccess
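A raw recursive dump is long and mostly inherited noise. The function below is an added example (not code from the article or from the NTFSSecurity project) that walks a tree with Get-NTFSAccess and keeps only the entries a reviewer cares about: explicit (non-inherited) entries, Deny entries, and write-capable grants to broad principals such as Everyone or Authenticated Users. It then exports the findings to CSV. It assumes the module is importable and that C:\dox exists; the list of "broad" principals and the output path are assumptions you can change.

```powershell
# Added example, not from the original article. Audit a folder tree for the
# NTFS entries worth reviewing and export them to CSV.
#Requires -Modules NTFSSecurity

function Get-NtfsAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that should not hold write access on a data folder (assumption).
        [string[]] $BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    # Rights that let a principal change or remove content. Matching on the enum's
    # string form keeps this independent of the module's own enum type.
    $writePattern = '\b(FullControl|Modify|Write|WriteData|AppendData|Delete|ChangePermissions|TakeOwnership)\b'

    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in Get-NTFSAccess -Path $item.FullName) {
            # The account's string form is its name, or the raw SID if it cannot be resolved.
            $account = "$($ace.Account)"
            $rights  = "$($ace.AccessRights)"
            $flags   = @()
            if (-not $ace.IsInherited)              { $flags += 'Explicit' }
            if ($ace.AccessControlType -eq 'Deny')  { $flags += 'Deny' }
            if ($ace.AccessControlType -eq 'Allow' -and $account -in $BroadPrincipals -and $rights -match $writePattern) {
                $flags += 'BroadWrite'
            }
            if ($flags.Count -eq 0) { continue }    # plain inherited Allow entries are noise here

            [pscustomobject]@{
                Path         = $item.FullName
                Account      = $account
                Type         = $ace.AccessControlType
                AccessRights = $rights
                Scope        = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                IsInherited  = $ace.IsInherited
                Findings     = ($flags -join ',')
            }
        }
    }
}

# Review on screen, then keep a CSV for the change ticket or for diffing next month.
$report = Get-NtfsAuditReport -Path 'C:\dox'
$report | Sort-Object Path, Account | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\dox-ntfs-audit.csv" -NoTypeInformation -Encoding UTF8
```

Because the function emits objects rather than formatted text, the same pipeline feeds Out-GridView, Export-Csv, or a Where-Object filter on the Findings column equally well.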
Modifying NTFS permissions
Let’s say that we need to grant members of the Marketing group and a user named jrose read-only permissions to all contents of the dox folder. Notice that the Add-NTFSAccess cmdlet accepts a comma-separated list of security IDs (SIDs) or account names:
Add-NTFSAccess -Path 'C:\dox' -Account 'win81box\Marketing', 'win81box\jrose' -AccessRights Read
If we want the new entry to apply to the folder itself but not propagate to its contents, we can add -AppliesTo ThisFolderOnly. Note that this only scopes the entry we are adding; it does not block inheritance on the folder or on anything below it (that is a separate operation on the object's security descriptor, which the module exposes as Disable-NTFSAccessInheritance). Take a look at the following Windows PowerShell ISE screenshot; I want to show you the enumeration contents for both -AccessRights and -AppliesTo:
The PowerShell ISE makes it easier to visualize enumerations.
Now we’ll verify that the C:\dox ACL took our update:
Get-NTFSAccess -Path 'C:\dox' | Where-Object -FilterScript { $_.AccessRights -eq 'Read' } | Format-Table -AutoSize

Path: C:\dox (Inheritance enabled)

Account            Access Rights Applies to                   Type  IsInherited
-------            ------------- ----------                   ----  -----------
WIN81BOX\Marketing Read          ThisFolderSubfoldersAndFiles Allow False
WIN81BOX\jrose     Read          ThisFolderSubfoldersAndFiles Allow False
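The difference between the -AppliesTo scopes is easiest to see by adding three otherwise identical Read entries to one folder and reading them back from a child. The script below is an added example, not code from the article; it builds a throwaway tree under $env:TEMP so it can be run and cleaned up safely. It assumes the module is importable and that the article's accounts win81box\jrose and win81box\Marketing exist (substitute your own); BUILTIN\Users is used for the third scope because it exists on every Windows machine.

```powershell
# Added example, not from the original article: what -AppliesTo changes, shown
# by reading the resulting entries back from the folder and from a child.
#Requires -Modules NTFSSecurity

$root      = Join-Path $env:TEMP 'ntfs-scope-demo'
$childDir  = Join-Path $root 'sub'
$childFile = Join-Path $childDir 'readme.txt'
New-Item -ItemType Directory -Path $childDir -Force | Out-Null
New-Item -ItemType File -Path $childFile -Force | Out-Null

# Same rights, three scopes. Accounts are assumptions taken from the article.
Add-NTFSAccess -Path $root -Account 'win81box\jrose'     -AccessRights Read   # default: ThisFolderSubfoldersAndFiles
Add-NTFSAccess -Path $root -Account 'win81box\Marketing' -AccessRights Read -AppliesTo ThisFolderOnly
Add-NTFSAccess -Path $root -Account 'BUILTIN\Users'      -AccessRights Read -AppliesTo SubfoldersAndFilesOnly

function Show-Scope([string] $Path) {
    "`n== $Path"
    Get-NTFSAccess -Path $Path |
        Where-Object { "$($_.Account)" -match 'jrose|Marketing|BUILTIN\\Users' } |
        Format-Table Account, AccessRights, InheritanceFlags, PropagationFlags, IsInherited, InheritedFrom -AutoSize |
        Out-String
}

Show-Scope $root        # all three stored here; the Users entry carries PropagationFlags InheritOnly,
                        # i.e. it is listed on the folder but grants nothing on the folder itself
Show-Scope $childDir    # jrose and Users arrive as inherited entries (InheritedFrom = $root); Marketing does not
Show-Scope $childFile   # the same picture for a file

# None of the -AppliesTo values touched inheritance: the child still inherits from its parent.
$stillInherits = (Get-NTFSAccess -Path $childFile | Select-Object -First 1).InheritanceEnabled
"Inheritance still enabled on the child file: $stillInherits"

Remove-Item -Path $root -Recurse -Force
```

When auditing, the InheritanceFlags/PropagationFlags pair on the parent tells you what a new child will receive; the IsInherited and InheritedFrom columns on the child tell you where an entry actually came from.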
Determining effective permissions
Were you as happy as I was when the Microsoft Windows Server product team gave us an effective permissions view in the file system's Advanced Security Settings dialog? What's even better is that we can use Raimund's NTFSSecurity module to tap into that time-saving functionality from the command line.
As an example, imagine that we need to see jrose's effective permissions on the file c:\dox\HTML\about.html. Let's use Get-EffectiveAccess to get 'er done! (Later releases of the module renamed this cmdlet Get-NTFSEffectiveAccess; the parameters are the same.)
Get-Item -Path 'C:\dox\HTML\about.html' | Get-EffectiveAccess -Account 'win81box\jrose' | Format-List

Name               : about.html
FullName           : C:\dox\HTML\about.html
InheritanceEnabled : False
InheritedFrom      :
AccessControlType  : Allow
AccessRights       : Modify, Synchronize
Account            : WIN81BOX\jrose
InheritanceFlags   : None
IsInherited        : False
PropagationFlags   : None
Now don't freak out. You probably wonder, "Why does jrose have Modify permission when we set Read at the parent folder level?" Remember that the original ACL contained a Modify entry for Authenticated Users, and jrose is an authenticated user. Allow entries are cumulative across every group the user belongs to, so jrose's effective access is the union of Read (granted directly) and Modify (granted through Authenticated Users). To resolve this, we need to either modify or remove the Authenticated Users entry, or add a Deny entry for jrose. A Deny entry does work, since Deny entries are evaluated ahead of Allow entries at the same level, but it is not considered best practice because it makes troubleshooting harder farther down the road.
Also, the Format-List output introduces other questions, such as "Why is the InheritedFrom property blank?" It is blank because this result is not an inherited entry: IsInherited is False (and inheritance is disabled on this file), and InheritedFrom is only populated for entries inherited from a parent folder. That said, the NTFSSecurity module is an open-source community project, so you may occasionally run into bugs or inconsistent behavior. The good news is that you are free to fork the project and make adjustments yourself!
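Putting the diagnosis and the fix together: the script below is an added example (not code from the article) that shows which entries on the file grant more than Read and where they are inherited from, then breaks inheritance at C:\dox, removes the broad Authenticated Users entry there, and re-checks jrose's effective access. It assumes the Windows default in which "Authenticated Users: Modify" is inherited from the volume root, that the file inherits from C:\dox, and that the module is importable; it also picks whichever name the effective-access cmdlet has in the installed module version.

```powershell
# Added example, not from the original article: explain and remediate
# effective access that exceeds what was granted directly.
#Requires -Modules NTFSSecurity

$folder = 'C:\dox'
$file   = 'C:\dox\HTML\about.html'
$user   = 'win81box\jrose'                        # assumption: account from the article
$broad  = 'NT AUTHORITY\Authenticated Users'

# Later releases renamed Get-EffectiveAccess; use whichever exists.
$effectiveCmd = if (Get-Command Get-NTFSEffectiveAccess -ErrorAction SilentlyContinue) {
    'Get-NTFSEffectiveAccess'
} else {
    'Get-EffectiveAccess'
}

"Before: $((& $effectiveCmd -Path $file -Account $user).AccessRights)"

# Which Allow entries on the file carry more than read, and where do they come from?
Get-NTFSAccess -Path $file |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   "$($_.AccessRights)" -match '\b(FullControl|Modify|Write|WriteData)\b' } |
    Format-Table Account, AccessRights, IsInherited, InheritedFrom -AutoSize

# Step 1: stop inheriting from C:\, but keep copies of the inherited entries as
# explicit ones (no -RemoveInheritedAccessRules) so Administrators and SYSTEM
# do not lose access in the process.
Disable-NTFSAccessInheritance -Path $folder

# Step 2: the Authenticated Users entries are now explicit on C:\dox; remove them.
# Subfolders and files still inherit from C:\dox, so they lose the entry as well.
Get-NTFSAccess -Path $folder -Account $broad |
    Where-Object { -not $_.IsInherited } |
    Remove-NTFSAccess

# Step 3: grant the intended access explicitly and confirm the effective result.
Add-NTFSAccess -Path $folder -Account $user -AccessRights Read
"After:  $((& $effectiveCmd -Path $file -Account $user).AccessRights)"
```

Run the "Before" and diagnosis part on its own first; the remediation part changes the folder's security descriptor and, like any break in inheritance, should be recorded so the next administrator knows why C:\dox no longer follows the volume root.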
Removing NTFS permissions
To finish up, let’s remove those two new entries from our c:\dox ACL:
Remove-NTFSAccess -Path 'C:\dox' -Account 'win81box\marketing', 'win81box\jrose' -AccessRights Read -PassThru
The -PassThru switch parameter is useful when you want to see the results of your pipeline when such output is normally suppressed.
I can't get the module to work. This runs successfully: Get-Command -Module NTFSSecurity
But this doesn't: Get-NTFSAccess -Path $Fdrs | Out-GridView -Title 'C:\Dox Permissions' (my $Fdrs object points to my targeted folder).
The error is: “Get-NTFSAccess : The term ‘Get-NTFSAccess’ is not recognized as the name of a cmdlet,…etc.”
I unzipped the module files to C:\Program Files\WindowsPowerShell\Modules\NTFSSecurities and my $Env:PSModulePath points to the same folder, also as evidenced by the successful running of the first command, (Get-Command…). Any suggestions to make it work?
Thanks.
Hi
These commands are super awesome. They are exactly what I have been looking for, but the issue is that I am not allowed to import modules on the server. Is there any way I can run it remotely?
Thanks,
Raj
Thank you so much for this.
I have been hunting for a decent and logical way to grant Access.
I do have one question… How do I grant Permissions to “HomeGroup”?
Hi RaveWolf. HomeGroup is a way to share resources in a non-business (home) environment. In this article I focused on resource sharing in the enterprise. See this Microsoft Help article for guidance on setting up HomeGroup sharing: http://windows.microsoft.com/en-us/windows/homegroup-help#homegroup-start-to-finish=windows-81&v1h=win81tab1&v2h=win7tab1 Hope this helps, Tim
Thanks Tim,
I already have a HomeGroup that is working fine…
I have some files that get put into a specific folder via a script. The problem that I'm having is that every time a folder or files get added to this folder, they're automatically locked and the HomeGroup cannot see them. I need a script that can give HomeGroup permissions to these subfolders, as they're not inheriting permissions from this folder.
Thanks for the Prompt response.
Very helpful, thank you!
I too need a command to check the subfolders under the root. With the “Get-NTFSAccess -path” command I can only seem to audit a single folder at a time.
@DrewAdmin You can pipe the results from a Get-ChildItem (or NTFSSecurity module’s Get-ChildItem2) to Get-NTFSAccess. For example:
to Get-NTFSAccess for all folders in C:\Whatever\Folder.
Man… I've got to be honest… permissions is one of the few places PowerShell sucks. For example… I'm setting up a home lab… and I presently don't have a domain set up… I needed to get an ISO image to my rack server… and ultimately had to Enter-PSSession and then utilize net share Images=C:\Images /GRANT:Everyone`,FULL (note the ` as a requirement to escape the comma that PowerShell would otherwise parse). Also… if you already created an item and then shared it out with New-SmbShare, you will have to create another directory to have net share grant the full permissions. SO convoluted, or maybe it's just me?
How to install this bloody module?
I unzipped the file. Extracted it to the right folder; unblocked all files but still can’t import this module.
@Aj
A little late, but it can help others too…
The module is now available in the PowerShell Gallery
Thanks, you saved my life; this is more effective than Get-Acl.
great work!
Is it possible to use Get-NTFSAccess and filter it based on the Applies To column? I have a need to get the permissions from one folder and apply them to another but only if they were not configure for ThisFolderOnly. Thank you for any assistance.
@Paul,
You get the ThisFolderOnly value in a calculated property named “Applies To”.
It is computed on the fly, and the values are a combination of the PropagationFlags and the InheritanceFlags.
The complete combination list is here:
https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms229747(v=vs.100)
As you can see, ThisFolderOnly corresponds to InheritanceFlags set to None and PropagationFlags set to None.
Now here is how you list permissions that don’t apply to this folder only:
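The two functions below are an added example, not code from the article or from the comment above. The first lists a folder's entries that are not scoped to ThisFolderOnly, using the InheritanceFlags/PropagationFlags test described in the reply (by default only explicit entries, since re-creating inherited ones on another folder is rarely intended); the second re-creates those entries on a target folder with the same flags, which also round-trips Deny entries. The source and target paths are assumptions.

```powershell
# Added example, not from the original article: list entries that are not
# ThisFolderOnly, and copy them to another folder with identical scope.
#Requires -Modules NTFSSecurity

function Get-NtfsAccessNotFolderOnly {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeInherited       # default: only entries set on this object
    )
    Get-NTFSAccess -Path $Path | Where-Object {
        ($IncludeInherited -or -not $_.IsInherited) -and
        # ThisFolderOnly is the one combination with nothing set on either flag.
        # (On a file every entry is None/None, so this filter is meaningful for folders.)
        -not ($_.InheritanceFlags -eq 'None' -and $_.PropagationFlags -eq 'None')
    }
}

function Copy-NtfsAccessNotFolderOnly {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Target
    )
    Get-NtfsAccessNotFolderOnly -Path $Source | ForEach-Object {
        # Re-create each entry from its raw flags rather than via -AppliesTo so that
        # every scope, and the Allow/Deny type, is reproduced exactly.
        Add-NTFSAccess -Path $Target `
            -Account          $_.Account `
            -AccessRights     $_.AccessRights `
            -AccessType       $_.AccessControlType `
            -InheritanceFlags $_.InheritanceFlags `
            -PropagationFlags $_.PropagationFlags `
            -PassThru
    }
}

# Usage (paths are assumptions):
Get-NtfsAccessNotFolderOnly -Path 'C:\dox' |
    Format-Table Account, AccessRights, AccessControlType, InheritanceFlags, PropagationFlags -AutoSize
Copy-NtfsAccessNotFolderOnly -Source 'C:\dox' -Target 'C:\dox2'
```

Run the listing first and confirm it contains only what you expect; the copy adds entries to the target and does not remove anything already there.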
Thank you very much. That was the piece I was missing. I really appreciate your assistance.
Hi all, I'm new with powershell and NTFSSecurity, but I wonder if there's an opportunity to export NTFSSecurity values in a .csv or .txt file.
…..|Out-GridView -Title….. is great, but is this the only chance? Anything I try, fails.
Thank you so much in advance.
BR
Marco
@Marco
Probably this is what you are looking for:
The "Inherited from" field is blank in your example because "IsInherited" is False. Not because of a bug.
I can get ADD-NTFSAccess to work fine when I run it one-off in powershell like this.
$sam = 'first.last'
Add-NTFSAccess -Path "\\FileServer\Home_Folders\$sam" -Account "domain\$sam" -AccessRights Modify
$sam is, of course the sAMAccountName of the user, “domain” is the NETBIOS domain name. FileServer is the host name of the file server where the home folders are created.
However, when I call it from within my user provisioning script I get the following error (sometimes consistently, sometimes sporadically).
Add-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "domain\username" to type "Security2.IdentityReference2". Error: "Some or all identity references could not be translated."
Does anybody have any suggestions?
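The error above is the name-to-SID translation failing inside the module's parameter binding. The script below is an added example, not the commenter's script or the module's code; it does not know what the provisioning script does, but it shows a defensive pattern for this failure: translate the account name to a SID yourself before calling Add-NTFSAccess, retry for a while if the name does not resolve yet (a freshly created account may not yet be visible to the server doing the lookup, one common cause in provisioning scripts), and then pass the SID rather than the name. The retry counts, the function names, and the home-folder layout are assumptions.

```powershell
# Added example, not from the original article or the comment above.
#Requires -Modules NTFSSecurity

function Wait-AccountResolvable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Account,     # e.g. 'domain\first.last'
        [int] $Attempts     = 12,                     # assumption: about a minute in total
        [int] $DelaySeconds = 5
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            # NTAccount -> SecurityIdentifier is the same translation the module needs.
            return ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            # PowerShell wraps .NET method exceptions; look at the inner one.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
            Write-Verbose "Attempt $i of $Attempts: '$Account' is not resolvable yet"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    throw "Account '$Account' could not be translated after $Attempts attempts"
}

function Grant-HomeFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Domain,      # NetBIOS domain name
        [Parameter(Mandatory)] [string] $HomeRoot     # e.g. '\\FileServer\Home_Folders' (assumption)
    )
    $account = "$Domain\$SamAccountName"
    $path    = Join-Path $HomeRoot $SamAccountName

    # Passing the SID string avoids a second name lookup inside the module; the
    # article notes that -Account accepts SIDs as well as names.
    $sid = Wait-AccountResolvable -Account $account
    Add-NTFSAccess -Path $path -Account $sid.Value -AccessRights Modify -PassThru
}

# Usage (values are assumptions):
Grant-HomeFolderAccess -SamAccountName 'first.last' -Domain 'domain' -HomeRoot '\\FileServer\Home_Folders' -Verbose
```

If the name never resolves even after the delay, the problem is not timing: check that the computer running the script can reach a domain controller for that NetBIOS domain and that the account name is spelled as sAMAccountName, not as a display name.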
Is there any easy way to add a progress bar? add-ntfsaccess works great, but I’m adding a permission to millions of files (I’d like to see the progress) 🙂
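The function below is an added example, not code from the article, that wraps a bulk Add-NTFSAccess run in a throttled Write-Progress with a rate-based time estimate and collects failures instead of stopping at the first one. It uses the module's Get-ChildItem2 when available, because a tree of millions of files usually contains paths longer than the 260-character limit that Get-ChildItem struggles with. The root path, account, and update interval are assumptions.

```powershell
# Added example, not from the original article: bulk Add-NTFSAccess with a
# progress bar that is updated every N items rather than per file.
#Requires -Modules NTFSSecurity

function Add-NTFSAccessWithProgress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Account,
        [string] $AccessRights = 'Read',
        [int]    $UpdateEvery  = 500      # Write-Progress is expensive; never call it per file
    )
    # Get-ChildItem2 ships with the module and copes with very long paths.
    $lister = if (Get-Command Get-ChildItem2 -ErrorAction SilentlyContinue) { 'Get-ChildItem2' } else { 'Get-ChildItem' }

    # One extra traversal to count, so the percentage and ETA are real numbers.
    $total = (& $lister -Path $Root -Recurse | Measure-Object).Count
    if ($total -eq 0) { Write-Warning "Nothing found under $Root"; return }

    $done   = 0
    $failed = New-Object System.Collections.Generic.List[string]
    $clock  = [System.Diagnostics.Stopwatch]::StartNew()
    $activity = "Adding $AccessRights for $Account"

    & $lister -Path $Root -Recurse | ForEach-Object {
        $item = $_
        try {
            Add-NTFSAccess -Path $item.FullName -Account $Account -AccessRights $AccessRights -ErrorAction Stop
        } catch {
            $failed.Add("$($item.FullName): $($_.Exception.Message)")
        }
        $done++
        if ($done % $UpdateEvery -eq 0 -or $done -eq $total) {
            $perSecond = $done / [math]::Max($clock.Elapsed.TotalSeconds, 0.001)
            Write-Progress -Activity $activity `
                -Status "$done of $total done, $($failed.Count) failed" `
                -PercentComplete ([int](100 * $done / $total)) `
                -SecondsRemaining ([int](($total - $done) / $perSecond))
        }
    }
    Write-Progress -Activity $activity -Completed

    # Return the failures so the caller can log or retry them.
    $failed
}

# Usage (values are assumptions):
$failures = Add-NTFSAccessWithProgress -Root 'C:\dox' -Account 'win81box\jrose' -AccessRights Read
"$($failures.Count) item(s) failed"
```

Before running anything like this, ask whether the per-file entries are needed at all: where inheritance is intact, a single Add-NTFSAccess on the root folder already reaches every child through inheritance, and explicit entries on millions of files make every later audit and cleanup slower. Per-file entries are only required for objects on which inheritance has been broken, which the InheritanceEnabled property from Get-NTFSAccess identifies.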