How To Get NTFS File Permissions Using PowerShell

iCacls is a built-in command line tool for reporting NTFS access permissions in Windows. And while it is a comprehensive tool with lots of options, PowerShell provides more flexibility on how results are formatted. Like all PowerShell cmdlets, objects generated by Get-Acl can be easily processed by other PowerShell cmdlets, or the output can be formatted so that it can be passed to other applications. In this article, I will look at using Get-Acl with files and folders, but it can also be used with registry keys and other objects.

Running Get-Acl without any parameters will return the NTFS permissions set on the current working directory. Or you can provide Get-Acl with a path instead.

-Path is a positional parameter, so if it appears in the first position, you can omit -Path. But I will include it in the examples here for completeness.

If the output is truncated, pipe the output to the Format-Table cmdlet as shown below:

To get more information, you’ll need to use Format-List instead:

You can also return more specific information like this:

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

And again, you can narrow the output down further. Access.IdentityReference shows the users or groups listed in the ACL.

To discover what parameters can be used, press TAB in the PowerShell window after typing the period. For example, typing (Get-Acl C:\temp). and then pressing the TAB key will add Access to the command. Pressing TAB repeatedly will scroll through all the options.

When used on its own, Get-Acl can only report on one file or directory at a time. If you want to generate a report on a folder hierarchy, you’ll need to pass each folder to Get-Acl using a ForEach loop. First, I use the Get-ChildItem cmdlet to create an object that stores the folder hierarchy that I want to pass to Get-Acl.

The first loop cycles through each folder in the hierarchy. For each folder I run another ForEach loop that lists the entries (ACEs) in its ACL by creating a variable ($Properties) that formats the output to list the folder name, the group or user in the ACE, the permission(s) granted, and whether they are inherited. Finally, I create a new object using the $Properties variable, which is what is displayed in the output in the PowerShell window.

You can see the output only lists folders. There are no files in the results. You could also create an array ($Output) and pipe the results to Out-GridView or a .csv file.

Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)

The script and commands that I’ve shown you in this article should help you to get started with using PowerShell to report on NTFS permissions.

Related Topics:

  • Windows Server

    Don't have a login but want to join the conversation? Sign up for a Petri Account

    IT consultant, contributing editor @PetriFeed , and trainer @Pluralsight . All about Microsoft, Office 365, Azure, and Windows Server.