How to Use PowerShell to Manage Folder Permissions
Table of Contents
- Exploring NTFS file and folder permissions
- Retrieving access permissions on a file and folder using Get-Acl
- Modifying files and folder permissions with Get-Acl and Set-Acl
- Copying permissions to a new object with Get-Acl and Set-Acl
- Removing file or folder permissions with Get-Acl and Set-Acl
- Modifying inheritance and ownership with Get-Acl and Set-Acl
- Listing file and folder permissions
- Adding file and folder permissions
- Removing file and folder permissions
- Modify file and folder ownership
- Enable or disable folder inheritance
Exploring NTFS file and folder permissions
NTFS has a large number of permissions that are available to be set in various combinations on files and folders. To easily view all of the available permissions, you can output the
- Full Control: Users can modify, add, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
- Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
- Read & Execute: Users can run executable files, including script
- Read: Users can view files, file properties and directories.
- Write: Users can write to a file and add files to directories.
- Traverse Folder/Execute File: Allow navigation through folders, even if the user has no explicit permissions to those files or folders. Additionally, users can run executable files.
- List Folder/Read Data: The ability to view a list of files and subfolders within a folder as well as viewing the content of the files contained within.
- Read Attributes: View the attributes of a file or folder.
- Write Attributes: Change the attributes of a file or folder.
- Read Extended Attributes: View the extended attributes of a file or folder.
- Write Extended Attributes: Change the extended attributes of a file or folder.
- Create Files/Write Data: Allow creation of files within a folder, whereas write data allows changes to files within the folder.
- Create Folders/Append Data: Create folders within an existing folder and allow adding data to a file, but not change, delete, or overwrite existing data within a file.
- Delete: Ability to delete a file or folder.
- Read Permissions: Users can read the permissions of a file or folder.
- Change Permissions: Users can change the permissions of a file or folder.
- Take Ownership: Users can take ownership of a file or folder.
- Synchronize: Use a file or folder for synchronization. This enables a thread to wait until the object is in the signaled state.
Retrieving access permissions on a file and folder using Get-Acl
Now that we know what the permissions are, we can look at a given folder and see what the assigned permissions are. Using the Get-ACL cmdlet, we can easily retrieve the access rules on an object.
Get-ACL -Path "Folder1"
Look more closely at the Access property to see what permissions are set on this folder.
(Get-ACL -Path "Folder1").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
(Get-ACL -Path "Test1.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
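The same Access data can drive a permissions audit. The following is an added example, not code from the original article: it walks a folder tree and reports explicit (non-inherited) Allow rules that give write-type rights to anyone other than an expected set of SIDs. The function name Get-ExplicitWriteAce, the choice of "write-type" rights, and the temp-folder demo are assumptions made for illustration; it needs Windows.

```powershell
# Added example (not from the article): list explicit Allow ACEs that grant write-type rights.
# "Write-type" is this example's own choice of rights, plus GENERIC_ALL and GENERIC_WRITE.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Get-ExplicitWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        # SIDs expected to hold write access: SYSTEM and BUILTIN\Administrators
        [string[]]$ExpectedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # ($true, $false): explicit rules only. Requesting SIDs avoids localized account names.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedSid -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path     = $item.FullName
                Sid      = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Inherits = $ace.InheritanceFlags
            }
        }
    }
}

# Constructed demo: a temp folder with one explicit Modify grant to BUILTIN\Users (S-1-5-32-545).
$demo  = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-audit-$([guid]::NewGuid())")
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl   = Get-Acl -LiteralPath $demo.FullName
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo.FullName -AclObject $acl
Get-ExplicitWriteAce -Path $demo.FullName | Format-Table -AutoSize
Remove-Item -LiteralPath $demo.FullName -Recurse -Force
```

Inherited rules are skipped on purpose: they are reported once, at the folder where they are defined explicitly.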
Modifying files and folder permissions with Get-Acl and Set-Acl
How do we go about updating file and folder permissions then? What if we wanted to grant a new user read access to a file? To do this in PowerShell, it’s easiest to follow this four-step process.
- Retrieve the existing ACL rules
- Craft a new
- Add the new ACL rule on the existing permission set
- Apply the new ACL to the existing file or folder using Set-ACL
To craft the rule itself, we need to create the FileSystemAccessRule, which has a constructor like so: Identity String, FileSystemRights, AccessControlType.
$ACL = Get-ACL -Path "Test1.txt"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("TestUser1","Read","Allow")
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path "Test1.txt"
(Get-ACL -Path "Test1.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
FileSystemAccessRule object are straightforward.
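The snippet above uses SetAccessRule, which first removes the identity's existing explicit rules of the same type and then adds the new one, while AddAccessRule merges the new rule with what is already there. The following added example (not from the original article) shows the difference on in-memory ACL objects and computes which rights a SetAccessRule call would take away. The function name Get-RightsLostBySet and the sample identity and rights are assumptions for illustration; nothing is written to disk.

```powershell
# Added example (not from the article). Works on in-memory ACLs; nothing is written to disk.
$SidT = [System.Security.Principal.SecurityIdentifier]

# Rights an identity would lose if $NewRule were applied with SetAccessRule,
# which first removes that identity's existing explicit rules of the same type.
function Get-RightsLostBySet {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$NewRule
    )
    $sid  = $NewRule.IdentityReference.Translate($SidT).Value
    $held = 0
    foreach ($r in $Acl.GetAccessRules($true, $false, $SidT)) {
        if ($r.IdentityReference.Value -eq $sid -and $r.AccessControlType -eq $NewRule.AccessControlType) {
            $held = $held -bor [int]$r.FileSystemRights
        }
    }
    [System.Security.AccessControl.FileSystemRights]($held -band (-bnot [int]$NewRule.FileSystemRights))
}

# Builds an ACL where BUILTIN\Users (S-1-5-32-545) already holds Modify (constructed sample).
function New-SampleAcl {
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $acl   = New-Object System.Security.AccessControl.FileSecurity
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, 'Modify', 'Allow'
    $acl.AddAccessRule($rule)
    $acl
}

$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$read  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, 'Read', 'Allow'

$viaSet = New-SampleAcl
$lost   = Get-RightsLostBySet -Acl $viaSet -NewRule $read   # check before changing anything
$viaSet.SetAccessRule($read)                                # the call used in the article's snippet

$viaAdd = New-SampleAcl
$viaAdd.AddAccessRule($read)                                # merges with the existing Modify grant

[pscustomobject]@{
    LostBySet      = $lost
    AfterSetAccess = ($viaSet.GetAccessRules($true, $false, $SidT) | ForEach-Object { $_.FileSystemRights }) -join '; '
    AfterAddAccess = ($viaAdd.GetAccessRules($true, $false, $SidT) | ForEach-Object { $_.FileSystemRights }) -join '; '
} | Format-List
```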
Copying permissions to a new object with Get-Acl and Set-Acl
Since we have set TestUser1 to have Read access to our file, what if we wanted to copy that same permission set to another file? Since we have already done the hard work of adding the new access rule, we can use the PowerShell pipeline to transfer the permissions from one object to another.
Get-ACL -Path "Test1.txt" | Set-ACL -Path "Test2.txt"
(Get-ACL -Path "Test2.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
Removing file or folder permissions with Get-Acl and Set-Acl
After adding these permissions, we have decided that TestUser1 shouldn’t have permission to the Test1.txt file. The difference in removing the rule is that we need to recreate the exact FileSystemAccessRule that we want to remove. This is an explicit means of removing permissions that removes ambiguity about what permission to remove. We will approach this very similarly to how we added a permission.
$ACL = Get-ACL -Path "Test1.txt"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("TestUser1","Read","Allow")
$ACL.RemoveAccessRule($AccessRule)
$ACL | Set-Acl -Path "Test1.txt"
(Get-ACL -Path "Test1.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
read permission from this object. The synchronize permission is a special permission that the operating system uses to maintain proper control over the file and folder permissions.
Modifying inheritance and ownership with Get-Acl and Set-Acl
Finally, two additional file system tasks that are very useful to know are enabling and disabling inheritance on a folder and changing a file's owner.
Disable/enable permissions inheritance
To modify the inheritance properties of an object, we have to use the SetAccessRuleProtection method with the parameters: isProtected, preserveInheritance. The first parameter, isProtected, defines whether or not the folder inherits its access permissions. Setting this value to $true will disable inheritance as seen in the example below. The second parameter, preserveInheritance, allows us to copy the existing inherited permissions onto the object if we are removing inheritance. This can be very important so that we do not lose our access to an object, but may not be desired.
$ACL = Get-Acl -Path "Folder1"
$ACL.SetAccessRuleProtection($true,$false)
$ACL | Set-Acl -Path "Folder1"
You may get an error of "Set-Acl: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.", which means that you should run this process under an Administrator account.
Note how the permissions are no longer true under IsInherited. This means that we have copied over the permissions successfully and broken inheritance on this folder.
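The two preserveInheritance settings leave a folder in very different states, which is easiest to see side by side. The following added example (not from the original article) breaks inheritance on two constructed temp folders, one per setting, and re-reads each ACL to report what was stored. When inherited rules are dropped, it first adds an explicit FullControl rule for the caller so that access is not lost. The function name Disable-FolderInheritance, the -DropInherited switch and the folder names are assumptions for illustration; it needs Windows.

```powershell
# Added example (not from the article): break inheritance on a folder and report the result.
function Disable-FolderInheritance {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [switch]$DropInherited                       # maps to preserveInheritance = $false
    )
    $acl = Get-Acl -LiteralPath $Folder
    if ($DropInherited) {
        # Inherited ACEs are about to disappear, so give the caller an explicit grant first.
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    $preserve = -not $DropInherited.IsPresent
    $acl.SetAccessRuleProtection($true, $preserve)   # isProtected, preserveInheritance
    Set-Acl -LiteralPath $Folder -AclObject $acl

    $after = Get-Acl -LiteralPath $Folder            # re-read to confirm what was stored
    [pscustomobject]@{
        Folder    = Split-Path -Leaf $Folder
        Protected = $after.AreAccessRulesProtected
        Explicit  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($after.Access | Where-Object { $_.IsInherited }).Count
        Holders   = ($after.Access.IdentityReference.Value | Sort-Object -Unique) -join '; '
    }
}

# Constructed demo: two subfolders of a temp directory, one per preserveInheritance setting.
$root = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-inherit-$([guid]::NewGuid())")
$keep = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'preserved')
$drop = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'dropped')
@(
    Disable-FolderInheritance -Folder $keep.FullName
    Disable-FolderInheritance -Folder $drop.FullName -DropInherited
) | Format-Table -AutoSize
Remove-Item -LiteralPath $root.FullName -Recurse -Force
```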
Change ownership with Get-Acl and Set-Acl
Finally, if you want to change the owner of a file, you can do this simply by using the SetOwner method. After running a Get-ACL command, we can see that the owner has changed to our new user.
$ACL = Get-Acl -Path "Folder1"
$User = New-Object System.Security.Principal.NTAccount("TestUser1")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "Folder1"
Get-ACL -Path "Folder1"
Conclusion
PowerShell is able to quickly create, modify, and delete file and folder permissions within the Windows NTFS file system. Many system administrators rely on scripts to modify permissions over a large number of files and PowerShell makes this process quick and easy, easily saving hundreds of hours of GUI operations!