The NTFS permissions system is a security feature in Windows that helps protect files from unauthorized access. However, due to the nature of how it works and lacking user-friendly GUI tools, maintaining those permissions can be difficult. PowerShell provides an easy way to manage these permissions efficiently without any additional software required.
“powershell set permissions on folder and subfolders and files” is a PowerShell command that allows users to manage NTFS permissions with the “Set-Acl cmdlet. The Set-Acl cmdlet can be used to modify the access control list of a file or folder.
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code below searches for objects that do not inherit NTFS permissions. This is accomplished by using Where-Object with the -Not operand to examine the current object in the pipeline
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code example below filters for objects not inheriting NTFS permissions. This is done by using Where-Object with the -Not operand looking at the current object in the pipeline $_. member object property of IsInherited , which denotes if the ACE is the result of inheritance and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
Where-Object (
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code below searches for objects that do not inherit NTFS permissions. This is accomplished by using Where-Object with the -Not operand to examine the current object in the pipeline
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code example below filters for objects not inheriting NTFS permissions. This is done by using Where-Object with the -Not operand looking at the current object in the pipeline $_. member object property of IsInherited , which denotes if the ACE is the result of inheritance and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
. member object attribute of IsInherited, which indicates if the ACE is inherited and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
.IdentityReference -eq ‘domainuser’) -and -not (
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code below searches for objects that do not inherit NTFS permissions. This is accomplished by using Where-Object with the -Not operand to examine the current object in the pipeline
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code example below filters for objects not inheriting NTFS permissions. This is done by using Where-Object with the -Not operand looking at the current object in the pipeline $_. member object property of IsInherited , which denotes if the ACE is the result of inheritance and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
. member object attribute of IsInherited, which indicates if the ACE is inherited and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
.IsInherited) $Ace = $Acl.Access
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
. member object attribute of IsInherited, which indicates if the ACE is inherited and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
Where-Object (
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code below searches for objects that do not inherit NTFS permissions. This is accomplished by using Where-Object with the -Not operand to examine the current object in the pipeline
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code example below filters for objects not inheriting NTFS permissions. This is done by using Where-Object with the -Not operand looking at the current object in the pipeline $_. member object property of IsInherited , which denotes if the ACE is the result of inheritance and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
. member object attribute of IsInherited, which indicates if the ACE is inherited and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
.IdentityReference -eq ‘domainuser’) -and -not (
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code below searches for objects that do not inherit NTFS permissions. This is accomplished by using Where-Object with the -Not operand to examine the current object in the pipeline
You’re in luck if you’re an IT expert who’s having trouble defining file system permissions for your company. Using a GUI to manage NTFS permissions takes time, particularly when dealing with a large number of users or groups. Fortunately, we have PowerShell to help us out. How? The Microsoft.PowerShell.Security module is a security module for PowerShell.
Get-ACL and Set-ACL are two PowerShell cmdlets dedicated to dealing with ACLs. These two cmdlets can get and assign an unlimited amount of NTFS permissions, as you’ll see in this lesson. Continue reading if you want to become more effective and helpful in handling NTFS permissions right now.
You don’t have time to read? That’s not an issue! Watch Anthony Howell of TechSnips.io’s companion video below:
Prerequisites
You’ll need the following items to follow along with the examples in this tutorial:
Creating a Test Set of Files/Folders
This course will be based on a single folder or a tiny “lab.” You’ll learn how to use NTFS permissions in PowerShell from the bottom up, with no additional effort on your behalf.
- Open a PowerShell session as Administrator to begin.
- On your filesystem, create an empty folder named Share. Assume that the folder is placed at C:Share in the following instances. The examples will be shorter and simpler to understand as a result. You may create this directory by copying and pasting the following code:
‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item -ItemType Directory -Path C:Share’ ‘New-Item
3. Make a folder named C:ShareAssets on your hard drive.
‘C:ShareAssets’ -ItemType Directory -Path ‘New-Item’
4. In the C:Share folder, create a file named client list.txt.
‘C:ShareClient list.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient list.txt’
5. In the C:Share folder, create a file named client projects.txt.
‘C:ShareClient projects.txt’ -ItemType File -Path ‘New-Item -ItemType File -Path ‘C:ShareClient projects.txt’
6. Next, create a variable for the path to the Share folder. Creating variables reduces typing time and makes the route more reusable. Copy the following code sample into your PowerShell session, assuming you’re using C:Share:
7. Hit the Enter key. You now have an empty directory and a variable for that location.
Using Get-Acl to View NTFS Permissions
Using the Get-Acl cmdlet in PowerShell, you may easily inspect NTFS permissions. The cmdlet will be used to inspect NTFS permissions for a file or folder in the sections that follow.
A set of access control entries is known as an List of Access Controls (ACL) (ACE). Each ACE in an ACL identifies a trustee and describes the access permissions that may be granted, refused, or audited for that trustee. A DACL and a SACL are the two sorts of ACLs that may be found in a securable object’s security descriptor.
Permissions on the NTFS File System
Traditionally, an ACL could be seen by right-clicking on the C:Share folder, choosing Properties, selecting the Security tab, and selecting the Advanced option. Below is an example of how the GUI shows permissions.
Advanced Security Settings for Shared List of Access Controls
Some permission items and attributes are numbered in the sample above. Examine them attentively since a comparison will be made later in this section.
Get-Acl may be used to show the current NTFS permissions for the directory that you established previously.
In the following snapshot, you should see the path, owner, and access level data.
List of Access Controls
The Access property in the picture above has further information about the ACL, but it scrolls off the screen, as shown by the triple dots at the end of FullControl. Enclosing the preceding command in round brackets or parentheses to examine Access object properties is a better approach to access this property. By executing the code below, you’ll only be looking for the Access attribute on this object.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access
The Access object and the -ExpandProperties argument may also be used to specify the above command: Select-Object -ExpandProperty Access | Get-Acl -Path $dir
The output is wrapped, as demonstrated in the following picture, to make it simpler to examine particular Access properties:
Entities in Charge of Access Control
Viewing access properties in the above manner can make the terminal output scroll down the screen fast if you have many Entities in Charge of Access Control (ACE). Each entity contains FileSystemRights, AccessControlType, IdentityReference, IsInherited, InheritenceFlags, and PropagationFlags properties. To make this all a bit more readable, pipe the objects to Format-Table -AutoSize. Run the following command.
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Format-Table -AutoSize
When you use Format-Table -AutoSize:, the access properties are clearer and more structured, as you can see in the image below.
When piping to Format-Table, the output is cleaner.
Examine the attributes and the number of columns. These are the same properties that you saw at the start of the lesson in the GUI.
Advanced Security Settings for Shared List of Access Controls
Access Objects Filtering
When looking for NTFS permissions, you may need to be more exact at times. You may use PowerShell to filter for a certain ACE or locate specific results that have inherited or explicit NTFS rights inside an ACL. Instead of scrolling the terminal window line by line with your eyes, you may use the Where-Object cmdlet to filter the results.
The code example below filters for objects not inheriting NTFS permissions. This is done by using Where-Object with the -Not operand looking at the current object in the pipeline $_. member object property of IsInherited , which denotes if the ACE is the result of inheritance and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
. member object attribute of IsInherited, which indicates if the ACE is inherited and is not explicitly set:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IsInherited -eq $true} | Format-Table -AutoSize
Otherwise, the result will scroll down the screen if you don’t feed objects to Format-Table -AutoSize. You’ll thank me later if you make this a new habit.
Replace ‘USERNAME’ with another username in the code below to get particular results:
(Get-Acl -Path $dir -Path $dir -Path $dir -Path $dir Access | Where-Object {$_.IdentityReference -like ‘USERNAME’} | Format-Table -AutoSize
Here’s an illustration of what the outcomes may look like:
a sample of the filtering output
All ACEs with the IdentityReference attribute set to the user or security group given rights are shown in the preceding example.
Go ahead and put everything you’ve learned about Get-Acl into practice. Examine your system’s various files and directories. This will allow you to view a variety of security descriptors for various circumstances. This will also aid in the development of muscle memory.
Let’s take it a step further and apply NTFS permissions.
Using Set-Acl to Change NTFS Permissions
Now that you know how to see NTFS rights, you can use PowerShell to assign and alter NTFS permissions. This is made feasible through the Set-Acl cmdlet. The sections below show how to duplicate, change inheritance, and delete NTFS rights from a file or folder using this cmdlet in combination with Get-Acl.
NTFS Permissions Copying
You may have a file or folder with the necessary NTFS permissions that you can use to create a new ACL. Copying permissions from one file or folder to another might save you time.
If the security descriptor you’re transferring from is accurate and acceptable for the destination, duplicating existing ACLs/ACEs may help eliminate human mistake while setting up NTFS permissions. “With great power comes tremendous responsibility,” as the adage goes. Please keep this in mind.
Consider the screenshot below. You’re looking at the ACL for a file named Client List.txt in C:Share. The ACL has the appropriate degree of NTFS permissions:
Bill, the new employee, has a client list with the required NTFS rights.
Take a look at the following image. You’re looking at the ACL for another file in C:Share named Client Projects.txt this time. This file does not have the appropriate NTFS permissions:
Bill has no access to client projects.
The NTFS permissions from Client List.txt must be copied to Client Projects.txt. How are you going to do it? Get the ACL from Client List.txt and then use the Set-Acl cmdlet with the -AclObject argument to change permissions. The whole ACL from Client List.txt is transferred to Client Projects.txt when you execute the code below:
$Acl = Get-Acl -Path ‘C:ShareClient list.txt’ Set-Acl -AclObject $Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Path ‘C:ShareClient Projects.txt’ $Acl = Get-Acl -Pa
The Client Projects.txt file now contains the same security descriptors as Client list.txt, as seen in the numbered picture below.
- Extract an existing ACL from a file.
- Copy the ACL object to a new file or folder.
- Verify that the ACL was appropriately copied to the file or folder.
NTFS Permissions Have Been Copied
The ACL for the file Client Projects.txt is similar to the ACL for the file Client List.txt in the IdentityReference column, with AccessControlType set to Allow. When it comes to providing NTFS rights to folders, you utilize the same method.
Permissions for NTFS
You replicated existing NTFS permissions from one file object to another in the previous section. This time, you’ll start from scratch using NTFS permissions. This will provide you the ability to set NTFS rights to a file or folder.
Begin by assigning certain variables to be utilized in the creation of a new object for Set-Acl to use. When it’s time to execute the command, doing it this manner makes it a bit simpler. The following code creates the properties of an ACE that will be used to create NTFS rights for a file or folder:
$inheritance = ‘ContainerInherit, ObjectInherit’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Inheritance’) $propagation = ‘None’ #Other options: [enum]::GetValues(‘System.Security.AccessControl.Propagation’)
After that, provide one more variable to retrieve the initial ACL for the Assets folder. Then, using the AddAccessRule method member type and the $ACE variable, create an access rule:
$Acl = Get-Acl -Path “$dirAssets” $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl.AddAccessRule($ACE) $Acl
You may now add the newly created ACE to the C:ShareAssets ACL. To apply this new ACE to the correct directory, use Set-Acl:
Set-Acl -Path “$dirAssets” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $Acl
Next, use the code below to ensure that the user you selected has the necessary rights to see the directory:
(Get-Acl -Path “$dirAssets”; Get-Acl -Path “$dirAssets”; Get-Acl -P Format-Table -Autosize | Access
NTFS Permissions Removed
You’ll need to remove NTFS rights from a resource at some point.
To remove NTFS rights, first get the file or folder’s existing ACL. Client Projects.txt is the file in this example:
Get-Acl -Path “$dirClient Projects.txt” $Acl = Get-Acl -Path “$dirClient Projects.txt”
Now search for the ACE you wish to get rid of. This is accomplished by using the $Acl member objects and sending the results to Where-Object with a few operands:
$Ace = $Acl.Access | Where-Object {($_.IdentityReference -eq ‘domainuser’) -and -not ($_.IsInherited)}
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
.IsInherited) $Ace = $Acl.Access
Then, using the $Acl variable, which has the current ACL security descriptors, execute the RemoveAccessRule() function and provide the ACE object produced earlier using the New-Object cmdlet. This will delete the following entry:
$Acl.RemoveAccessRule($Ace)
It’s vital to remember that you’ve made modifications to an existing ACL but haven’t yet committed them.
Run the Set-Acl cmdlet with the -Path and -AclObject options set to “$dirClient Projects.txt” and $Acl, respectively, to make the changes stick. Enter the following command when you’ve finished typing it:
Set-Acl -Path “$dirClient Projects.txt” -AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $AclObject $
Summary
You learnt how to use PowerShell to manage NTFS permissions in this post. You’ve learned how to use the Get-Acl and Set-Acl cmdlets to manage NTFS permissions.
You’ve also learned how to utilize filters in an ACL to target a certain ACE for usage in the cmdlets above. You’ll be able to handle more NTFS permission requests than ever before with a little practice.
Additional Reading
The “set-acl” is a PowerShell command that allows you to manage NTFS permissions. The command is used to grant or revoke permissions on files and folders.
Frequently Asked Questions
Related Tags
- powershell set-acl examples
- remove ntfs permissions powershell
- powershell set-acl everyone full control
- powershell remove everyone permissions from folder
- set-acl this folder subfolders and files
