Manage NTFS permissions in PowerShell with NTFSSecurity [Quick Guide]

8:41 pm January 5, 2017

I. Introduction

To date, managing ACLs on an NTFS file system in PowerShell with the native cmdlets is clearly no picnic! This is why today I turn to the excellent “NTFSSecurity” module, which offers a multitude of cmdlets for NTFS security management.

For my part, I have also been using, for several years now, the command-line tool “SetACL”, whose author is Helge Klein, but the syntax is not always clear… Let’s say that you need the documentation at your elbow whenever you come back to it.

Using this PowerShell module, we benefit from autocompletion and the usual logic of cmdlet usage.

II. The NTFSSecurity module

To begin this tutorial, we’re going to install the module. To do this, open a PowerShell console and run this command:

    Install-Module NTFSSecurity


Once the installation is finished, let’s list the cmdlets contained in this module:

    PS C:\Partage> Get-Command -Module NTFSSecurity

    CommandType     Name                               Version    Source
    -----------     ----                               -------    ------
    Cmdlet          Add-NTFSAccess                     4.2.3      NTFSSecurity
    Cmdlet          Add-NTFSAudit                      4.2.3      NTFSSecurity
    Cmdlet          Clear-NTFSAccess                   4.2.3      NTFSSecurity
    Cmdlet          Clear-NTFSAudit                    4.2.3      NTFSSecurity
    Cmdlet          Copy-Item2                         4.2.3      NTFSSecurity
    Cmdlet          Disable-NTFSAccessInheritance      4.2.3      NTFSSecurity
    Cmdlet          Disable-NTFSAuditInheritance       4.2.3      NTFSSecurity
    Cmdlet          Disable-Privileges                 4.2.3      NTFSSecurity
    Cmdlet          Enable-NTFSAccessInheritance       4.2.3      NTFSSecurity
    Cmdlet          Enable-NTFSAuditInheritance        4.2.3      NTFSSecurity
    Cmdlet          Enable-Privileges                  4.2.3      NTFSSecurity
    Cmdlet          Get-ChildItem2                     4.2.3      NTFSSecurity
    Cmdlet          Get-DiskSpace                      4.2.3      NTFSSecurity
    Cmdlet          Get-FileHash2                      4.2.3      NTFSSecurity
    Cmdlet          Get-Item2                          4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSAccess                     4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSAudit                      4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSEffectiveAccess            4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSHardLink                   4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSInheritance                4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSOrphanedAccess             4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSOrphanedAudit              4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSOwner                      4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSSecurityDescriptor         4.2.3      NTFSSecurity
    Cmdlet          Get-NTFSSimpleAccess               4.2.3      NTFSSecurity
    Cmdlet          Get-Privileges                     4.2.3      NTFSSecurity
    Cmdlet          Move-Item2                         4.2.3      NTFSSecurity
    Cmdlet          New-NTFSHardLink                   4.2.3      NTFSSecurity
    Cmdlet          New-NTFSSymbolicLink               4.2.3      NTFSSecurity
    Cmdlet          Remove-Item2                       4.2.3      NTFSSecurity
    Cmdlet          Remove-NTFSAccess                  4.2.3      NTFSSecurity
    Cmdlet          Remove-NTFSAudit                   4.2.3      NTFSSecurity
    Cmdlet          Set-NTFSInheritance                4.2.3      NTFSSecurity
    Cmdlet          Set-NTFSOwner                      4.2.3      NTFSSecurity
    Cmdlet          Set-NTFSSecurityDescriptor         4.2.3      NTFSSecurity
    Cmdlet          Test-Path2                         4.2.3      NTFSSecurity

Now let’s go through various examples of using the NTFSSecurity module.

Module page: NTFSSecurity

III. Using NTFSSecurity

A. List the NTFS permissions of a directory

Simply put, we will use the ‘Get-NTFSAccess’ cmdlet with the ‘Path’ parameter set to the target path. This displays that folder’s NTFS permissions.

    Get-NTFSAccess -Path "C:\Partage\Ressources"

Which will give:

    PS C:\Partage> Get-NTFSAccess -Path "C:\Partage\Ressources"

        Path: C:\Partage\Ressources (Inheritance enabled)

    Account                  Access Rights   Applies to                 Type   IsInherited  InheritedFrom
    -------                  -------------   ----------                 ----   -----------  -------------
    NT AUTHORITY\SYSTEM      FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Administrators   FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            ReadAndExec...  ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            AppendData      ThisFolderAndSubfolders    Allow  True         C:
    BUILTIN\Users            CreateFiles     ThisFolderAndSubfolders    Allow  True         C:
    CREATOR OWNER            GenericAll      SubfoldersAndFilesOnly     Allow  True         C:

If you want a nicer view, simply send the output to a grid view, like this:

    Get-NTFSAccess -Path "C:\Partage\Ressources" | Out-GridView

[Screenshot: the classic console output at the top, the Out-GridView result below]

Unlike the classic views offered by Windows Explorer, rights and inheritance appear in the same table; a script could even fill in additional fields that would be added as columns to the grid view.

Note: We could do the same thing by targeting a file instead of a folder to display its NTFS permissions. The cmdlet also lets you view the permissions of one particular account or hide inherited permissions.

B. List NTFS permissions recursively

To list the NTFS permissions of a folder and its subfolders, we rely on ‘Get-ChildItem’, which is native to PowerShell, and then invoke through the pipeline the Get-NTFSAccess cmdlet that we used before. This gives:

    PS C:\Partage> Get-ChildItem -Path "C:\Partage" -Recurse | Get-NTFSAccess

        Path: C:\Partage\Public (Inheritance enabled)

    Account                  Access Rights   Applies to                 Type   IsInherited  InheritedFrom
    -------                  -------------   ----------                 ----   -----------  -------------
    NT AUTHORITY\SYSTEM      FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Administrators   FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            ReadAndExec...  ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            AppendData      ThisFolderAndSubfolders    Allow  True         C:
    BUILTIN\Users            CreateFiles     ThisFolderAndSubfolders    Allow  True         C:
    CREATOR OWNER            GenericAll      SubfoldersAndFilesOnly     Allow  True         C:

        Path: C:\Partage\Ressources (Inheritance enabled)

    Account                  Access Rights   Applies to                 Type   IsInherited  InheritedFrom
    -------                  -------------   ----------                 ----   -----------  -------------
    NT AUTHORITY\SYSTEM      FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Administrators   FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            ReadAndExec...  ThisFolderSubfoldersAn...  Allow  True         C:
    BUILTIN\Users            AppendData      ThisFolderAndSubfolders    Allow  True         C:
    BUILTIN\Users            CreateFiles     ThisFolderAndSubfolders    Allow  True         C:
    CREATOR OWNER            GenericAll      SubfoldersAndFilesOnly     Allow  True         C:
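The recursive listing lends itself to a permissions audit. The following added example (not part of the original article) keeps only the ACEs set directly on each folder and flags write-capable grants to broad groups; the function name, the CSV file name and the `Account.Sid` property of the returned objects are assumptions.

```powershell
# Added example: audit a share tree for explicit (non-inherited) ACEs.
Import-Module NTFSSecurity

# Well-known SIDs are language-independent (group names are localized on non-English servers)
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow creating or changing content
$WritePattern = 'FullControl|Modify|Write|CreateFiles|AppendData|GenericAll|GenericWrite'

function Get-ShareAclFindings {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    # The root itself plus every subfolder; drop -Directory to include files as well
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)

    foreach ($folder in $folders) {
        # -ExcludeInherited keeps only the ACEs set directly on this folder
        foreach ($ace in Get-NTFSAccess -Path $folder.FullName -ExcludeInherited) {
            $sid    = [string]$ace.Account.Sid      # assumed property of the account object
            $rights = [string]$ace.AccessRights
            [pscustomobject]@{
                Path       = $folder.FullName
                Account    = [string]$ace.Account
                Rights     = $rights
                Type       = $ace.AccessControlType
                BroadWrite = ($ace.AccessControlType -eq 'Allow' -and
                              $BroadSids.ContainsKey($sid) -and
                              $rights -match $WritePattern)
            }
        }
    }
}

$findings = Get-ShareAclFindings -Root 'C:\Partage'

# Explicit write access for broad groups deserves a review first
$findings | Where-Object BroadWrite | Format-Table Path, Account, Rights -AutoSize

# Keep the full list of explicit ACEs for later comparison
$findings | Export-Csv -Path .\partage-explicit-aces.csv -NoTypeInformation -Encoding UTF8
```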

Let’s move on.

C. Add NTFS permissions in PowerShell

A permission is added with the “Add-NTFSAccess” cmdlet, which takes the ‘Path’ parameter to indicate the target path, ‘Account’ to specify one or more target accounts to which the rights are granted, and the ‘AccessRights’ parameter, which indicates the type of right to add (read, write, full control, list folder contents, etc.).

Example: add permissions on the ‘C:\Partage\Public’ folder for the user ‘utilisateur01’ of the it-connect.local domain, so that he has modify rights:

    Add-NTFSAccess -Path "C:\Partage\Public" -Account "utilisateur01@it-connect.local" -AccessRights Modify

We can then check the result in the folder’s properties.

The same thing, but for two users:

    Add-NTFSAccess -Path "C:\Partage\Public" -Account "utilisateur01@it-connect.local", "utilisateur02@it-connect.local" -AccessRights Modify

Note also that the “-AccessType” parameter can be used with the value “Deny” to add deny permissions. By default, this parameter is set to “Allow”, which means that if you do not specify it, the rights are added as allow permissions.

D. Remove NTFS permissions in PowerShell

It is just as useful to be able to remove NTFS permissions, particularly to set up specific permissions on a folder or file. The syntax is the same as for adding a permission, except that we use the ‘Remove-NTFSAccess’ cmdlet. See for yourself:

    Remove-NTFSAccess -Path "C:\Partage\Public" -Account "utilisateur01@it-connect.local" -AccessRights Modify

[Screenshot: an example showing that the removal works perfectly]

E. List effective permissions

To finish with the examples, I’ll show you how to list the effective permissions on an item, in the same way as can be done through a folder’s properties in the advanced security settings.

This is possible with the ‘Get-NTFSEffectiveAccess’ cmdlet, which must be followed by the target path. If no account name is specified with the ‘Account’ parameter, we get the effective permissions for the user who runs the command. Here is an example:

    PS C:\Users\Administrateur\Desktop> Get-NTFSEffectiveAccess C:\Partage\Personnel\utilisateur01

        Path: C:\Partage\Personnel\utilisateur01 (Inheritance disabled)

    Account                        Access Rights  Applies to      Type   IsInherited  InheritedFrom
    -------                        -------------  ----------      ----   -----------  -------------
    FILESERVER-01\Administrateur   FullControl    ThisFolderOnly  Allow  False

    PS C:\Users\Administrateur\Desktop> Get-NTFSEffectiveAccess C:\Partage\Personnel\utilisateur01 -Account "utilisateur01@it-connect.local"

        Path: C:\Partage\Personnel\utilisateur01 (Inheritance disabled)

    Account                        Access Rights  Applies to      Type   IsInherited  InheritedFrom
    -------                        -------------  ----------      ----   -----------  -------------
    ITC\utilisateur01              FullControl    ThisFolderOnly  Allow  False

Let’s go to the last part of this tutorial.

IV. Script to manage rights on personal folders

For the last part of this tutorial, I am sharing with you a small PowerShell script that I wrote quickly in order to use several cmdlets of the NTFSSecurity module within the same script.

This script creates, for each user in a list, a personal directory named after the user, on which we then set NTFS permissions: inheritance is disabled (while preserving the inherited rights), full control is added for the user, the user concerned is set as owner, and finally the rights of the local ‘Users’ group are removed from the user’s personal folder.

In practice, here’s the script:

    $PersonnelPathRoot = "C:\Partage\Personnel"
    $UsersList = ("utilisateur01", "utilisateur02")

    foreach ($User in $UsersList) {

        # Create the personal folder
        New-Item -ItemType Directory -Path "$PersonnelPathRoot\$User"

        # Disable inheritance while copying the inherited NTFS permissions
        Get-Item "$PersonnelPathRoot\$User" | Disable-NTFSAccessInheritance

        # Add NTFS permissions for the user
        Add-NTFSAccess -Path "$PersonnelPathRoot\$User" -Account "$User@it-connect.local" -AccessRights FullControl

        # Change the owner of the folder
        Set-NTFSOwner -Path "$PersonnelPathRoot\$User" -Account "$User@it-connect.local"

        # Remove the NTFS permissions of the local Users group
        Remove-NTFSAccess -Path "$PersonnelPathRoot\$User" -Account "Users" -AccessRights FullControl

    } # foreach($User in $UsersList)

[Screenshot: the result of running the script]
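To confirm the outcome rather than read it off a screenshot, the following added example (not the article's script) checks each personal folder against the four goals of the script: inheritance disabled, user as owner, full control for the user, no ACE left for the local Users group. The function names, the `Account.Sid` property and the `AccessInheritanceEnabled` property are assumptions about the module's output objects; the owner is read with the native `Get-Acl`.

```powershell
# Added example: verify the state the provisioning script is meant to leave behind.
Import-Module NTFSSecurity

$PersonnelPathRoot = 'C:\Partage\Personnel'        # same root as in the script
$UsersList         = 'utilisateur01', 'utilisateur02'
$Domain            = 'it-connect.local'
$UsersGroupSid     = 'S-1-5-32-545'                # BUILTIN\Users, whatever the OS language

function Resolve-Sid([string]$Name) {              # hypothetical helper
    # Translate an account name (UPN or DOMAIN\name) into its SID string
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-PersonalFolder {                     # hypothetical helper
    param([string]$Path, [string]$Account)

    $userSid  = Resolve-Sid $Account
    $ownerSid = (Get-Acl -LiteralPath $Path).GetOwner(
                    [System.Security.Principal.SecurityIdentifier]).Value
    $aces     = @(Get-NTFSAccess -Path $Path)
    # Account.Sid: assumed property of the module's account objects
    $userAces  = @($aces | Where-Object { $_.Account.Sid -eq $userSid })
    $groupAces = @($aces | Where-Object { $_.Account.Sid -eq $UsersGroupSid })

    [pscustomobject]@{
        Path                = $Path
        # AccessInheritanceEnabled: assumed property of Get-NTFSInheritance output
        InheritanceDisabled = -not (Get-NTFSInheritance -Path $Path).AccessInheritanceEnabled
        OwnerIsUser         = $ownerSid -eq $userSid
        UserFullControl     = [bool]($userAces | Where-Object {
                                  $_.AccessControlType -eq 'Allow' -and
                                  "$($_.AccessRights)" -match 'FullControl' })
        UsersGroupRemoved   = $groupAces.Count -eq 0
    }
}

$report = foreach ($User in $UsersList) {
    Test-PersonalFolder -Path (Join-Path $PersonnelPathRoot $User) -Account "$User@$Domain"
}
$report | Format-Table -AutoSize

# Folders that miss at least one expectation
$report | Where-Object {
    -not ($_.InheritanceDisabled -and $_.OwnerIsUser -and $_.UserFullControl -and $_.UsersGroupRemoved)
}
```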