Setting NTFS security permissions from Windows File Explorer is fine when you’re dealing with a single server. It’s another situation entirely, however, when you need to modify NTFS security on 100 folders spread across 20 servers. For these administrative tasks, we rely on Windows PowerShell to get the job done quickly, accurately, and easily.

Unfortunately, even the Windows PowerShell v5 April 2015 preview contains only two cmdlets related to access control lists (ACLs), and they are pretty weak:

In today’s exercise, we’ll use Raimund Andrée’s File System Security PowerShell module to simplify NTFS permissions management. By using Windows PowerShell remoting and Raimund’s module, you can automate what is otherwise tedious, time-consuming manual work.

Begin by downloading Raimund’s module from the TechNet Script Center and unpacking the ZIP file to a folder named NTFSSecurity in your env:$PSModulePath location. By default, your PowerShell module path is:

C:\ProgrHam Files\WindowsPowerShell\Modules

Here’s a picture from my Windows 8.1 administrative workstation:

Make sure to store PowerShell modules in the proper location

Make sure your PowerShell modules are stored in the proper location.

You’ll note that Raimund’s NTFSSecurity project is quite a bit more complex than other custom modules you might have seen, including several dynamic link libraries (DLLs) and such. More to the point, Raimund leverages the AlphaFS library to give him easier access to the .NET Framework’s NTFS access features.

The final preliminary ingredient we need here is a folder and some files to play with. I created a folder named dox in the root of drive C: and populated the folder with a subfolder and a bunch of dummy files. Look here:

We need some files to play with

We need some files to play with.

Okay—no more File Explorer. From now on, everything we do will be from an elevated Windows PowerShell console session, with a bit of Out-GridView thrown in for good measure. Let’s begin!

Viewing NTFS permissions ^

First, let’s verify that PowerShell module auto-loading properly recognizes our new NTFSSecurity module. Use Get-Command to auto-import the NTFSSecurity module and enumerate its commands:

Get-Command –Module NTFSSecurity

On an NTFS volume, folders and files each contain a discretionary access control list (DACL) that, in turn, consists of one or more access control entries (ACEs). These ACEs define the group, user, and computer accounts that are explicitly granted or denied access to those files and folders.

Let’s start by enumerating the NTFS ACEs for C:\dox and output the results in a grid view:

Get-NTFSAccess –Path 'C:\Dox' | Out-GridView –Title 'C:\Dox Permissions'

This is a view of the ACEs of a directory

This is a view of the ACEs of a directory.

We can do the same thing for individual files:

 

Get-NTFSAccess -Path 'C:\dox\cbt.png' | Select-Object –Property Account, AccessRights
Account                                            AccessRights
-------                                            ------------
BUILTIN\Administrators                              FullControl
NT AUTHORITY\SYSTEM                                 FullControl
BUILTIN\Users                       ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users            Modify, Synchronize

To list permissions for all folder contents recursively, we can combine Get-ChildItem, Get-NTFSAccess, and the PowerShell pipeline:

 

Get-ChildItem –Path 'C:\dox' –Recurse | Get-NTFSAccess

Modifying NTFS permissions ^

Let’s say that we need to grant members of the Marketing group and a user named jrose read-only permissions to all contents of the dox folder. Notice that the Add-NTFSAccess cmdlet accepts a comma-separated list of security IDs (SIDs) or account names:

Add-NTFSAccess –Path 'C:\dox' –Account 'win81box\Marketing', 'win81box\jrose' –AccessRights Read

We can add the –AppliesTo ThisFolderOnly parameter and value set if we need to block NTFS permissions inheritance on the folder contents. In fact, take a look at the following Windows PowerShell ISE screenshot; I want to show you the enumeration contents for both –AccessRights and –AppliesTo:

The PowerShell ISE makes it easier to visualize enumerations

The PowerShell ISE makes it easier to visualize enumerations.

Now we’ll verify that the C:\dox ACL took our update:

Get-NTFSAccess -Path 'C:\dox' | Where-Object -FilterScript { $_.AccessRights -eq 'Read' } | Format-Table -AutoSize      Path: C:\dox (Inheritance enabled)
Account            Access Rights Applies to                   Type  IsInherited
-------            ------------- ----------                   ----  -----------
WIN81BOX\Marketing Read          ThisFolderSubfoldersAndFiles Allow False
WIN81BOX\jrose     Read          ThisFolderSubfoldersAndFiles Allow False

Determining effective permissions ^

Were you as happy as I was when the Microsoft Windows Server product team gave us effective permissions in Windows Server 2008 R2? What’s even better is that we can use Raimund’s NTFSSecurity module to tap into that time-saving functionality.

As an example, imagine that we need to see jrose’s effective permissions on the file c:\dox\HTML\about.html. Let’s use Get-EffectiveAccess to get ’er done!

 

Get-Item -Path 'C:\dox\HTML\about.html' | Get-EffectiveAccess -Account 'win81box\jrose' | Format-List
Name               : about.html
FullName           : C:\dox\HTML\about.html
InheritanceEnabled : False
InheritedFrom      :
AccessControlType  : Allow
AccessRights       : Modify, Synchronize
Account            : WIN81BOX\jrose
InheritanceFlags   : None
IsInherited        : False
PropagationFlags   : None

Now don’t freak out. You probably wonder, “Why does jrose have Modify permission when we set Read at the parent folder level?” Remember that the original ACL contained a Modify permissions entry for Authenticated Users; NTFS permissions are cumulative. Thus, to resolve this issue, we’ll need to either modify or remove Authenticated Users or add Deny permissions to jrose (that’s not considered best practice because it can produce troubleshooting problems farther down the road).

Also, the Format-List output I gave you introduces other questions, such as “Why is the Inherited From property blank?” The answer to this question is that the NTFSSecurity module is an open-source community project. As such, you’re bound to find some bugs and other inconsistent behavior. The good news is that you are free to fork the project and make these adjustments yourself!

Removing NTFS permissions ^

To finish up, let’s remove those two new entries from our c:\dox ACL:

Remove-NTFSAccess -Path 'C:\dox' -Account win81box\marketing, win81box\jrose -AccessRights Read -PassThru

The –PassThru switch parameter is useful when you want to see the results of your pipeline when such output is normally suppressed.

avatar
17 Comments
  1. Greg 6 years ago

    I can't get the module to work: This runs successfully : Get-Command –Module NTFSSecurity

    But this doesn't: Get-NTFSAccess -Path $Fdrs | Out-GridView –Title 'C:\Dox Permissions' ---My $Fdrs object points to my targeted folder.
    The error is: "Get-NTFSAccess : The term 'Get-NTFSAccess' is not recognized as the name of a cmdlet,...etc."
    I unzipped the module files to C:\Program Files\WindowsPowerShell\Modules\NTFSSecurities and my $Env:PSModulePath points to the same folder, also as evidenced by the successful running of the first command, (Get-Command...). Any suggestions to make it work?

    Thanks.

  2. Raj Shrestha 6 years ago

    Hi
    These command are super awesome. It is exactly what I have been looking for but the issue is I am not allowed to import module on the server. is there any way I can run it remotely??

    Thanks,
    Raj

  3. RaveWolf (Rank: )
    6 years ago

    Thank you so much for this.

    I have been hunting for a decent and logical way to grant Access.

    I do have one question... How do I grant Permissions to "HomeGroup"?

    • Author

      Hi RaveWolf. HomeGroup is a way to share resources in a non-business (home) environment. In this article I focused on resource sharing in the enterprise. See this Microsoft Help article for guidance on setting up HomeGroup sharing: http://windows.microsoft.com/en-us/windows/homegroup-help#homegroup-start-to-finish=windows-81&v1h=win81tab1&v2h=win7tab1 Hope this helps, Tim

  4. RaveWolf (Rank: )
    6 years ago

    Thanks Tim,

    I already have a HomeGroup that is working fine...

    I have some files that get put into a specific folder via a script. The problem that I'm having is that every time the Folder or Files get added to this folder, they're Automatically Locked and the HomeGroup cannot see them. I need A script that can give HomeGroup permissions to these SubFolders as they're not inheriting permissions from this Folder..

    Thanks for the Prompt response.

  5. DrewAdmin 5 years ago

    Very helpful, thank you!

    I too need a command to check the subfolders under the root. With the "Get-NTFSAccess -path" command I can only seem to audit a single folder at a time.

    • Joshua Hanley 5 years ago

      @DrewAdmin You can pipe the results from a Get-ChildItem (or NTFSSecurity module's Get-ChildItem2) to Get-NTFSAccess. For example:

      Get-ChildItem2 "C:\Whatever\Folder" -Attributes Directory -Recurse | Get-NTFSAccess

      to Get-NTFSAccess for all folders in C:\Whatever\Folder.

  6. John 4 years ago

    Man... I've got to be honest... permissions is one of the few places powershell sucks. For example... I'm setting up a home lab... and I presently don't have a domain set up... I needed to get an iso image to my rack server ... and ultimately had to enter-PSSession and then utilize net share Images=C:\Images /GRANT:Everyone`,FULL note the ` as a requirement to scrape the quotes that powershell passes along. Also... if you already created an item and then shared it out with new-smbshare you will have to create another directory to have net share grant the full permissions. SO convoluted, or maybe its just me?

  7. AJ 4 years ago

    How to install this bloody module?

    I unzipped the file. Extracted it to the right folder; unblocked all files but still can't import this module.

    • @Aj

      A little late, but it can help others too...

      The module is now available in the PowerShell Gallery

      Install-Module -Name NTFSSecurity -Repository PSGallery

  8. Alex P. 4 years ago

    Thanks, you save my life, more effective of get-acl
    great work!

  9. Paul W. 3 years ago

    Is it possible to use Get-NTFSAccess and filter it based on the Applies To column?  I have a need to get the permissions from one folder and apply them to another but only if they were not configure for ThisFolderOnly.  Thank you for any assistance.

    • @Paul,

      You get the ThisFolderOnly value in a calculated property named "Applies To".

      It is computed on the flight, and the values are a combination of the PropagationFlags and the InheritanceFlags.

      The complete combination list is here:

      https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms229747(v=vs.100)

      As you can notice, ThisFolderOnly matches to InheritanceFlags set to None and PropagationFlags set to None.

      Now here is how you list permissions that don't apply to this folder only:

      Get-NTFSAccess c:\MyFolder | Where-Object -FilterScript {-not($PSItem.InheritanceFlags -eq 'None' -and $PSItem.PropagationFlags -eq 'None')}

      • Paul W. 3 years ago

        Thank you very much. That was the piece I was missing. I really appreciate your assistance.

  10. MARCO (Rank: 1)
    3 years ago

    Hi all, I'm new with powershell and NTFSSecurity, but I wonder if there's an opportunity to export NTFSSecurity values in a .csv or .txt file.

    …..|Out-GridView -Title..... is great, but is this the only chance? Anything I try, fails.

    Thank you so much in advance.

    BR

    Marco

    • @Marco

      Probably this is what you are looking for:

      Get-NTFSAccess -Path C:\Temp\ |ConvertTo-Csv -NoTypeInformation|Out-File -FilePath C:\temp\NTFSPermissions.csv
      avatar
  11. Patrick Horne 1 year ago

    The "Inherited from" field is blank in your example because "IsInherited" is False.  Not because of a bug.

Leave a reply to Alex P. Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account