
icacls is a built-in command-line tool for reporting NTFS access permissions in Windows. And while it is a comprehensive tool with lots of options, PowerShell provides more flexibility on how results are formatted. Like all PowerShell cmdlets, objects generated by Get-Acl can be easily processed by other PowerShell cmdlets, or the output can be formatted so that it can be passed to other applications. In this article, I will look at using Get-Acl with files and folders, but it can also be used with registry keys and other objects.
Running Get-Acl without any parameters will return the NTFS permissions set on the current working directory. Or you can provide Get-Acl with a path instead.
Get-Acl -Path C:\temp
-Path is a positional parameter, so if it appears in the first position, you can omit -Path. But I will include it in the examples here for completeness.
Get-Acl C:\temp
If the output is truncated, pipe the output to the Format-Table cmdlet as shown below:
Get-Acl -Path C:\temp | Format-Table -Wrap
To get more information, you’ll need to use Format-List instead:
Get-Acl -Path C:\temp | Format-List
You can also return more specific information like this:
(Get-Acl -Path C:\temp).Access
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
And again, you can narrow the output down further. Access.IdentityReference shows the users or groups listed in the ACL.
(Get-Acl -Path C:\temp).Access.IdentityReference
To discover what properties and methods are available, press TAB in the PowerShell window after typing the period. For example, typing (Get-Acl C:\temp). and then pressing the TAB key will add Access to the command. Pressing TAB repeatedly will scroll through all the options.
(Get-Acl -Path C:\temp).[TAB]
When used on its own, Get-Acl can only report on one file or directory at a time. If you want to generate a report on a folder hierarchy, you’ll need to pass each folder to Get-Acl using a ForEach loop. First, I use the Get-ChildItem cmdlet to create an object that stores the folder hierarchy that I want to pass to Get-Acl.
$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force
The first loop cycles through each folder in the hierarchy. For each folder I run another ForEach loop that lists the entries (ACEs) in its ACL by creating a variable ($Properties) that formats the output to list the folder name, the group or user in the ACE, the permission(s) granted, and whether they are inherited. Finally, I create a new object using the $Properties variable, which is what is displayed in the output in the PowerShell window.
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
        $Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        New-Object -TypeName PSObject -Property $Properties
    }
}
You can see the output only lists folders. There are no files in the results. You could also create an array ($Output) and pipe the results to Out-GridView or a .csv file.
Use PowerShell to get NTFS file permissions (Image Credit: Russell Smith)
$FolderPath = Get-ChildItem -Directory -Path "C:\temp" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    ForEach ($Access in $Acl.Access) {
        $Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        $Output += New-Object -TypeName PSObject -Property $Properties
    }
}
$Output | Out-GridView
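The .csv variant mentioned above, as an added example that is not part of the original article: it extends the same loop into a permissions audit that writes every ACE to a CSV file and marks explicit (non-inherited) Allow entries that give write access to broad groups. The root path, the report file name, the Review column, and the choice of which principals count as "broad" are assumptions made for this example.

```powershell
# Added example; $Root and $CsvPath are assumed values, adjust them for your environment.
$Root    = 'C:\temp'
$CsvPath = Join-Path $env:TEMP 'ntfs-acl-report.csv'

# Well-known SIDs for broad principals. Matching on SIDs avoids localized display names.
$BroadSids = @('S-1-1-0',       # Everyone
               'S-1-5-11',      # Authenticated Users
               'S-1-5-32-545')  # BUILTIN\Users

# WriteData (2) + AppendData (4), plus GENERIC_WRITE and GENERIC_ALL, which
# Get-Acl can return as raw bits on inherit-only ACEs.
$WriteMask = 2 -bor 4 -bor 0x40000000 -bor 0x10000000

# Collect folders; folders that cannot be enumerated are kept in $WalkErrors
# instead of stopping the run.
$Folders = Get-ChildItem -Directory -LiteralPath $Root -Recurse -Force `
    -ErrorAction SilentlyContinue -ErrorVariable WalkErrors

$Report = foreach ($Folder in $Folders) {
    try   { $Acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($Folder.FullName)"; continue }

    foreach ($Access in $Acl.Access) {
        # Resolve the account to a SID; orphaned or unmappable accounts yield $null.
        try   { $Sid = $Access.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
        catch { $Sid = $null }

        $CanWrite = ([int]$Access.FileSystemRights -band $WriteMask) -ne 0
        [pscustomobject]@{
            'Folder Name' = $Folder.FullName
            'Group/User'  = $Access.IdentityReference.Value
            'Type'        = $Access.AccessControlType
            'Permissions' = $Access.FileSystemRights
            'Inherited'   = $Access.IsInherited
            # Review = explicit Allow ACE granting write access to a broad group
            'Review'      = ($Access.AccessControlType -eq 'Allow') -and
                            (-not $Access.IsInherited) -and
                            $CanWrite -and ($BroadSids -contains $Sid)
        }
    }
}

$Report | Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8
$WalkErrors | ForEach-Object { Write-Warning "Skipped: $($_.TargetObject)" }

# Show only the entries flagged for review.
$Report | Where-Object Review | Format-Table -Wrap
```

Like the article's loop, this reports on the subfolders of the root path only, not the root folder itself or any files.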
The script and commands that I’ve shown you in this article should help you to get started with using PowerShell to report on NTFS permissions.
Copyright ©2019 BWW Media Group