Managing NTFS permissions and ACLs with PowerShell

We'll start with inheritance. Sometimes (for example, when creating folders for roaming profiles) we need to disable inheritance so that users cannot access other users' folders.

$acl = Get-Item $dir | Get-Acl
$acl.SetAccessRuleProtection($true,$true)
$acl | Set-Acl

First, we read the folder's ACL into a variable; then the call to SetAccessRuleProtection($true,$true) is where the permissions are actually managed. The first parameter enables ($true) or disables ($false) protection of the ACL from inheritance, so $true is the value that blocks inheritance here. The second parameter decides what happens to the current Access Control Entries (ACEs): $true keeps the current ACEs, $false removes them so that you start with new ones. The third line simply applies our decisions.

Setting NTFS permissions

To set NTFS permissions, we first need to install the File System Security PowerShell Module.

To see the current NTFS permissions, type for example:

Get-Item "c:\Lex" | Get-NTFSAccess

To set permissions, type for example:

Add-NTFSAccess -Path C:\Lex -Account "example\Authenticated Users" -AccessRights FullControl

To remove permissions, type for example:

Remove-NTFSAccess -Path "c:\Lex" -Account "example\domain users" -AccessRights FullControl

Inherited permissions cannot be removed.

To remove all NTFS permissions for an account:

Get-ChildItem -Path c:\1 -Recurse | Get-NTFSAccess -Account "example\test group" -ExcludeInherited | Remove-NTFSAccess

Get-ChildItem with the -Recurse switch processes files and folders recursively.

Setting ACE permissions

Flag combinations can be found on the Microsoft site: https://msdn.microsoft.com/en-us/library/ms229747%28v=vs.110%29.aspx

Using this table, we can combine flags and apply them to folders, subfolders or files.

For example, to set an ACE granting full control on a folder (folder test has no subfolders):

$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags] "ContainerInherit"
$PropagationFlags=[System.Security.AccessControl.PropagationFlags] "None"

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights] "FullControl"
$AccessControl=[System.Security.AccessControl.AccessControlType] "Allow"

$acl=Get-Acl c:\Lex
$AccessRule=New-Object System.Security.AccessControl.FileSystemAccessRule("test group",$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl c:\Lex
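
The following is an added example, not code from the original article: it applies the inheritance step and the ACE step from above to a scratch folder and prints the ACL after each one, so you can see that SetAccessRuleProtection($true,$true) turns the inherited ACEs into explicit ones rather than removing them. The scratch folder under $env:TEMP and the Show-Aces helper are assumptions made for the demo; only the built-in Get-Acl and Set-Acl cmdlets are used.

```powershell
# Constructed scratch folder for the demo (not a path from the article).
$dir = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

# Hypothetical helper: print the protection state and the origin of each ACE.
function Show-Aces([string]$Path, [string]$Label) {
    $a = Get-Acl -Path $Path
    "{0}: AreAccessRulesProtected={1}" -f $Label, $a.AreAccessRulesProtected
    $a.Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize |
        Out-String
}

Show-Aces $dir 'Before'

# Block inheritance. $true as the second argument keeps the ACEs that were
# inherited so far, as explicit copies (IsInherited becomes False).
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $dir -AclObject $acl
Show-Aces $dir 'After SetAccessRuleProtection($true,$true)'

# Add an explicit Modify ACE for the current user that subfolders and files inherit.
$acl  = Get-Acl -Path $dir
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl
Show-Aces $dir 'After AddAccessRule'

# Review step: list Allow ACEs held by broad well-known groups that survived
# the copy (Everyone, Authenticated Users, BUILTIN\Users). Empty output means none.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
(Get-Acl -Path $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
} | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Clean up the scratch folder.
Remove-Item -Path $dir -Recurse -Force
```

On a real profile share, run the review step against the protected folder: any ACE it lists was kept by the second $true and still grants that group access even though inheritance is now blocked.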