Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Windows Server

How To Get NTFS File Permissions Using PowerShell

iCacls is a built-in command line tool for reporting NTFS access permissions in Windows. And while it is a comprehensive tool with lots of options, PowerShell provides more flexibility on how results are formatted. Like all PowerShell cmdlets, objects generated by Get-Acl can be easily processed by other PowerShell cmdlets, or the output can be formatted so that it can be passed to other applications. In this article, I will look at using Get-Acl with files and folders, but it can also be used with registry keys and other objects.

Running Get-Acl without any parameters will return the NTFS permissions set on the current working directory. Or you can provide Get-Acl with a path instead.

Get-Acl -Path C:\temp

-Path is a positional parameter, so if it appears in the first position, you can omit -Path. But I will include it in the examples here for completeness.
Get-Acl C:\temp

If the output is truncated, pipe the output to the Format-Table cmdlet as shown below:
Get-Acl -Path C:\temp | Format-Table -Wrap

To get more information, you’ll need to use Format-List instead:
Get-Acl -Path C:\temp | Format-List

You can also return more specific information like this:
(Get-Acl -Path C:\temp).Access

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

And again, you can narrow the output down further. Access.IdentityReference shows the users or groups listed in the ACL.

(Get-Acl -Path C:\temp).Access.IdentityReference

To discover what parameters can be used, press TAB in the PowerShell window after typing the period. For example, typing (Get-Acl C:\temp). and then pressing the TAB key will add Access to the command. Pressing TAB repeatedly will scroll through all the options.
(Get-Acl -Path C:\temp).[TAB]

When used on its own, Get-Acl can only report on one file or directory at a time. If you want to generate a report on a folder hierarchy, you’ll need to pass each folder to Get-Acl using a ForEach loop. First, I use the Get-ChildItem cmdlet to create an object that stores the folder hierarchy that I want to pass to Get-Acl.
$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force

The first loop cycles through each folder in the hierarchy. For each folder I run another ForEach loop that lists the entries (ACEs) in its ACL by creating a variable ($Properties) that formats the output to list the folder name, the group or user in the ACE, the permission(s) granted, and whether they are inherited. Finally, I create a new object using the $Properties variable, which is what is displayed in the output in the PowerShell window.
ForEach ($Folder in $FolderPath) {
   $Acl = Get-Acl -Path $Folder.FullName
   ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
New-Object -TypeName PSObject -Property $Properties
           }
}

You can see the output only lists folders. There are no files in the results. You could also create an array ($Output) and pipe the results to Out-GridView or a .csv file.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Output += New-Object -TypeName PSObject -Property $Properties            
}
}
$Output | Out-GridView

The script and commands that I’ve shown you in this article should help you to get started with using PowerShell to report on NTFS permissions.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (2)

2 responses to “How To Get NTFS File Permissions Using PowerShell”

  1. <p>This is exactly what I needed, thank you!</p><p>Since I am using this for a massive server, i only need to see the information for the first two layers in Z: and since I am new to scripting, I don't really know how I can do that.</p><p>Also, I need to export all the information to a csv Excel sheet.</p><p><br></p><p>If anyone can help i would really appreciate it!</p>

  2. <p>Hi @mwino, maybe this will help. Have added the ability to return the folder you pass to the script and output as a CSV, with the name of the root folder appended.</p><p><br></p><p>$BaseFolder = "C:NTFS-Root"</p><p>$FolderPath = Get-ChildItem -Directory -Path $BaseFolder -Recurse -Force</p><p>$Output = @()</p><p>$Acl = Get-Acl -Path $BaseFolder</p><p>&nbsp;&nbsp;ForEach ($Access in $Acl.Access) {</p><p>$Properties = [ordered]@{'Folder Name'=$BaseFolder;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}</p><p>$Output += New-Object -TypeName PSObject -Property $Properties</p><p>}</p><p>ForEach ($Folder in $FolderPath) {</p><p>&nbsp;&nbsp;$Acl = Get-Acl -Path $Folder.FullName</p><p>&nbsp;&nbsp;ForEach ($Access in $Acl.Access) {</p><p>$Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}</p><p>$Output += New-Object -TypeName PSObject -Property $Properties&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</p><p>}</p><p>}</p><p>$DirName = $BaseFolder -creplace '(?s)^.*\', ''</p><p>$Output | Export-Csv "Folder-Permissions-$DirName.csv"</p>

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.