Windows Server

How To Get NTFS File Permissions Using PowerShell

iCacls is a built-in command line tool for reporting NTFS access permissions in Windows. And while it is a comprehensive tool with lots of options, PowerShell provides more flexibility on how results are formatted. Like all PowerShell cmdlets, objects generated by Get-Acl can be easily processed by other PowerShell cmdlets, or the output can be formatted so that it can be passed to other applications. In this article, I will look at using Get-Acl with files and folders, but it can also be used with registry keys and other objects.

Running Get-Acl without any parameters will return the NTFS permissions set on the current working directory. Or you can provide Get-Acl with a path instead.

Get-Acl -Path C:\temp

-Path is a positional parameter, so if it appears in the first position, you can omit -Path. But I will include it in the examples here for completeness.
Get-Acl C:\temp

If the output is truncated, pipe the output to the Format-Table cmdlet as shown below:
Get-Acl -Path C:\temp | Format-Table -Wrap

To get more information, you’ll need to use Format-List instead:
Get-Acl -Path C:\temp | Format-List

You can also return more specific information like this:
(Get-Acl -Path C:\temp).Access

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

And again, you can narrow the output down further. Access.IdentityReference shows the users or groups listed in the ACL.

(Get-Acl -Path C:\temp).Access.IdentityReference

To discover what parameters can be used, press TAB in the PowerShell window after typing the period. For example, typing (Get-Acl C:\temp). and then pressing the TAB key will add Access to the command. Pressing TAB repeatedly will scroll through all the options.
(Get-Acl -Path C:\temp).[TAB]

When used on its own, Get-Acl can only report on one file or directory at a time. If you want to generate a report on a folder hierarchy, you’ll need to pass each folder to Get-Acl using a ForEach loop. First, I use the Get-ChildItem cmdlet to create an object that stores the folder hierarchy that I want to pass to Get-Acl.
$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force

The first loop cycles through each folder in the hierarchy. For each folder I run another ForEach loop that lists the entries (ACEs) in its ACL by creating a variable ($Properties) that formats the output to list the folder name, the group or user in the ACE, the permission(s) granted, and whether they are inherited. Finally, I create a new object using the $Properties variable, which is what is displayed in the output in the PowerShell window.
ForEach ($Folder in $FolderPath) {
   $Acl = Get-Acl -Path $Folder.FullName
   ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
New-Object -TypeName PSObject -Property $Properties

You can see the output only lists folders. There are no files in the results. You could also create an array ($Output) and pipe the results to Out-GridView or a .csv file.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Output += New-Object -TypeName PSObject -Property $Properties            
$Output | Out-GridView

The script and commands that I’ve shown you in this article should help you to get started with using PowerShell to report on NTFS permissions.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (2)

2 responses to “How To Get NTFS File Permissions Using PowerShell”

  1. <p>This is exactly what I needed, thank you!</p><p>Since I am using this for a massive server, i only need to see the information for the first two layers in Z: and since I am new to scripting, I don't really know how I can do that.</p><p>Also, I need to export all the information to a csv Excel sheet.</p><p><br></p><p>If anyone can help i would really appreciate it!</p>

  2. <p>Hi @mwino, maybe this will help. Have added the ability to return the folder you pass to the script and output as a CSV, with the name of the root folder appended.</p><p><br></p><p>$BaseFolder = "C:NTFS-Root"</p><p>$FolderPath = Get-ChildItem -Directory -Path $BaseFolder -Recurse -Force</p><p>$Output = @()</p><p>$Acl = Get-Acl -Path $BaseFolder</p><p>&nbsp;&nbsp;ForEach ($Access in $Acl.Access) {</p><p>$Properties = [ordered]@{'Folder Name'=$BaseFolder;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}</p><p>$Output += New-Object -TypeName PSObject -Property $Properties</p><p>}</p><p>ForEach ($Folder in $FolderPath) {</p><p>&nbsp;&nbsp;$Acl = Get-Acl -Path $Folder.FullName</p><p>&nbsp;&nbsp;ForEach ($Access in $Acl.Access) {</p><p>$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}</p><p>$Output += New-Object -TypeName PSObject -Property $Properties&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</p><p>}</p><p>}</p><p>$DirName = $BaseFolder -creplace '(?s)^.*\', ''</p><p>$Output | Export-Csv "Folder-Permissions-$DirName.csv"</p>

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
13 Email Threat Types to Know About Right Now

As email threats evolve and multiply, keeping track of them all—and staying protected against the many different types—becomes a complex challenge. Today, that requires more than just the traditional email gateway solution that used to be good enough.

In this eBook you will learn:

  • What are the most common and challenging email attacks for organizations?
  • How to defend against sophisticated email threats, such as spoofing, social engineering, and fraud
  • How to protect employees at the inbox level with the right technologies and security-awareness training
  • How to use a multilayered protection strategy to reduce susceptibility to email attacks and better defend your business and employees

Sponsored by: