How to Manage NTFS Permissions Using PowerShell
- View NTFS Permissions With Get-ACL in PowerShell
  - Display NTFS Permissions in PowerShell
  - Get ACL on Files Recursively in PowerShell
Managing NTFS permissions with a GUI is time-consuming, especially when working with many users or groups. However, specific PowerShell cmdlets can retrieve and assign NTFS permissions.
This article will discuss managing NTFS permissions with the Get-ACL command.
View NTFS Permissions With Get-ACL in PowerShell
An access control list (ACL) is a list of access control entries (ACEs). Each ACE identifies a trustee and specifies the access rights for that trustee.
A securable object's security descriptor can contain two types of ACL: a DACL and a SACL. A DACL identifies the users and groups allowed or denied access, while a SACL controls how access attempts are audited.
PowerShell allows us to quickly view NTFS permissions using the Get-ACL cmdlet. We will learn how to use the cmdlet to view NTFS permissions for a file or folder in the following sections.
Display NTFS Permissions in PowerShell
Traditionally, we would view an ACL by right-clicking on a folder, clicking on Properties, selecting the Security tab, and clicking the Advanced button. We can see an example of how the GUI displays permissions below.
The following examples in this article assign a path to the variable $dir.
Example Code:
$dir = "C:\Windows\Temp"
Get-Acl -Path $dir
Output:
Path Owner                      Access
---- -----                      ------
Temp DESKTOP-7GI1260\KentMarion BUILTIN\Administrators Allow FullControl...
However, running the Get-Acl command with the -Path parameter will only display and output the Access Control List on the folder level. What if we wanted to check the Access Control List on the file level?
Get ACL on Files Recursively in PowerShell
One of the most useful features of PowerShell is the pipeline. A PowerShell pipeline chains several commands together using the pipeline operator (|), passing the output of each command to the next.
We can use the pipeline method to get the Access Control List on the file level.
To do this, we need the Get-ChildItem command, which fetches all files and folders inside a directory.
Let us use our previous $dir variable as an example.
Example Code:
$dir = "C:\Windows\Temp"
Get-ChildItem $dir -Recurse | Get-Acl | Format-List | Out-File "C:\PS\output.txt"
In the example above, the -Recurse switch parameter is important: it makes Get-ChildItem loop through all the files so that Get-Acl runs on each one. Running the snippet above gives us the access control list permissions of all files in the Temp folder.
It is also suggested to use the Out-File command to export all details to one text file, especially if you have many files in your targeted folder.
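As an added example (not part of the original article), the script below goes one step beyond the Format-List dump: it flattens every ACE under $dir into one row per entry and flags Allow entries that grant write-class rights to broad groups. The function name Get-AceReport, the $broad list, the write-rights mask and the CSV path are assumptions chosen for illustration.

```powershell
# Added example: one row per ACE under a folder, flagging broad write access.
$dir = "C:\Windows\Temp"   # same path the article uses

# Write-class rights (assumed review criteria). FullControl and Modify are left
# out on purpose: they also contain read bits and would match read-only ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs carry raw generic rights; add GENERIC_WRITE and GENERIC_ALL.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
# Broad principals to flag (assumed list; names are localized on non-English Windows).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-AceReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Include the root folder itself, then everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch {
            # Record unreadable items instead of silently skipping them.
            [pscustomobject]@{ Path = $item.FullName; Identity = $null; Type = 'ERROR'
                               Rights = $_.Exception.Message; Inherited = $null; BroadWrite = $false }
            continue
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            [pscustomobject]@{
                Path       = $item.FullName
                Identity   = $id
                Type       = $ace.AccessControlType     # Allow or Deny
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                # Allow ACE + broad principal + at least one write-class bit set
                BroadWrite = ($ace.AccessControlType -eq 'Allow') -and
                             ($broad -contains $id) -and
                             (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
            }
        }
    }
}

$report = Get-AceReport -Path $dir
$report | Export-Csv -Path "$env:TEMP\acl-report.csv" -NoTypeInformation
$report | Where-Object BroadWrite | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Rows where Inherited is False are ACEs set directly on that item rather than passed down from a parent folder.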
Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.