Configuring NTFS permissions using PowerShell

Configuring NTFS permissions is something that you can do using your Windows Explorer, Server Manager, or by using command-line tools like subinacl.exe or icacls.exe. In this blog post, I will show you how to set NTFS permissions in two different ways using PowerShell 🙂

Built-in cmdlets

PowerShell has two ACL cmdlets for retrieving and setting NTFS permissions, Get-Acl and Set-Acl.

Get-Acl

When using Get-Acl with the -Path parameter to specify the folder or file you want to check the permissions of, it will look like this:

C:\Users\HarmVeenstra> Get-Acl -Path C:\Windows\ | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\
Owner  : NT SERVICE\TrustedInstaller
Group  : NT SERVICE\TrustedInstaller
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  Modify, Synchronize
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  Modify, Synchronize
         BUILTIN\Users Allow  -1610612736
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         NT SERVICE\TrustedInstaller Allow  268435456
         NT SERVICE\TrustedInstaller Allow  FullControl
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -1610612736
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  -1610612736
Audit  :
Sddl   : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf
         ;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-9560088
         85-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

It will show the Owner, Group, and individual permissions of the file or folder. The numbers 268435456, -536805376, and -1610612736 indicate this:

NumberAccess
268435456 FullControl
-536805376Modify, Synchronize
-1610612736ReadAndExecute, Synchronize

The Sddl (Security Descriptor Definition Language) details can be found here.

You can also show the Access Permissions in more detail using (Get-Acl -Path c:\windows\).Access

C:\Users\HarmVeenstra> (Get-Acl -Path C:\Windows\).Access

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : CREATOR OWNER
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

More (advanced) examples can be found here.

Set-Acl

The Set-Acl cmdlet can be used to set permissions on files or folders. The nice thing about it is that you can copy/paste permission. In the example below, I copy the permissions from the d:\Test1 folder and set them on the d:\Test2 folder. First, I retrieve the permissions using Get-Acl, store them in the $permissions object, and set them using Set-Acl on the newly created D:\Test2 folder.

C:\Users\HarmVeenstra> (Get-Acl -Path D:\Test1).Access

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Everyone
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None


C:\Users\HarmVeenstra> (Get-Acl -Path D:\Test2).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : Everyone
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None


C:\Users\HarmVeenstra> $permissions=Get-Acl d:\Test1
C:\Users\HarmVeenstra> Set-Acl -Path D:\Test2\ -AclObject $permissions


C:\Users\HarmVeenstra> (Get-Acl -Path D:\Test2).Access

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : Everyone
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

More (advanced) examples can be found here.

NTFSSecurity PowerShell module

You can also use the NTFSSecurity module (Install it using Install-Module -Name NTFSSecurity). This module is made and maintained by Raimund Andrée  (https://github.com/raandree). This module contains the following cmdlets that you can use to view and set NTFS permissions.

Note: The module has not been updated in years, it still works but no bugfixes/improvements

Add-NTFSAccess
Add-NTFSAudit
Clear-NTFSAccess
Clear-NTFSAudit
Copy-Item2
Disable-NTFSAccessInheritance
Disable-NTFSAuditInheritance
Disable-Privileges
Enable-NTFSAccessInheritance
Enable-NTFSAuditInheritance
Enable-Privileges
Get-ChildItem2
Get-DiskSpace
Get-FileHash2
Get-Item2
Get-NTFSAccess
Get-NTFSAudit
Get-NTFSEffectiveAccess
Get-NTFSHardLink
Get-NTFSInheritance
Get-NTFSOrphanedAccess
Get-NTFSOrphanedAudit
Get-NTFSOwner
Get-NTFSSecurityDescriptor
Get-NTFSSimpleAccess
Get-Privileges
Move-Item2
New-NTFSHardLink
New-NTFSSymbolicLink
Remove-Item2
Remove-NTFSAccess
Remove-NTFSAudit
Set-NTFSInheritance
Set-NTFSOwner
Set-NTFSSecurityDescriptor
Test-Path2

To show the permissions of a file or folder, you can use it like the example below:

C:\Users\HarmVeenstra> Get-NTFSAccess -Path c:\windows | Format-Table -AutoSize

    Path: c:\windows (Inheritance disabled)


Account                                                           Access Rights               Applies to             Type  IsInherited InheritedFrom
-------                                                           -------------               ----------             ----  ----------- -------------
CREATOR OWNER                                                     GenericAll                  SubfoldersAndFilesOnly Allow False
NT AUTHORITY\SYSTEM                                               GenericAll                  SubfoldersAndFilesOnly Allow False
NT AUTHORITY\SYSTEM                                               Modify, Synchronize         ThisFolderOnly         Allow False
BUILTIN\Administrators                                            GenericAll                  SubfoldersAndFilesOnly Allow False
BUILTIN\Administrators                                            Modify, Synchronize         ThisFolderOnly         Allow False
BUILTIN\Users                                                     GenericExecute, GenericRead SubfoldersAndFilesOnly Allow False
BUILTIN\Users                                                     ReadAndExecute, Synchronize ThisFolderOnly         Allow False
NT SERVICE\TrustedInstaller                                       GenericAll                  SubfoldersOnly         Allow False
NT SERVICE\TrustedInstaller                                       FullControl                 ThisFolderOnly         Allow False
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES            ReadAndExecute, Synchronize ThisFolderOnly         Allow False
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES            GenericExecute, GenericRead SubfoldersAndFilesOnly Allow False
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES ReadAndExecute, Synchronize ThisFolderOnly         Allow False
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES GenericExecute, GenericRead SubfoldersAndFilesOnly Allow False

To set the permissions on a file or folder, you can use it like the example below: (Same as my Set-Acl example, copy NTFS permissions in an object and set it on the desired file or folder.

Note: Set-ACL copies the Inheritance flag by default. With the NTFSSecurity cmdlet, you will need to remove the Inheritance Flag first if needed (As I also did in the example below)

C:\Users\HarmVeenstra> Get-NTFSAccess -Path D:\Test1

    Path: D:\Test1 (Inheritance disabled)


Account                             Access Rights                                          Applies to                Type                                                   IsInherited                                           InheritedFrom
-------                             -------------                                          ----------                ----                                                   -----------                                           -------------
Everyone                            ReadAndExecute, Synchronize                            ThisFolderSubfoldersAndF… Allow                                                  False
NT AUTHORITY\SYSTEM                 FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  False
BUILTIN\Administrators              FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  False

C:\Users\HarmVeenstra> Get-NTFSAccess -Path D:\Test2

    Path: D:\Test2 (Inheritance enabled)


Account                             Access Rights                                          Applies to                Type                                                   IsInherited                                           InheritedFrom
-------                             -------------                                          ----------                ----                                                   -----------                                           -------------
Everyone                            FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  True                                                  D:

C:\Users\HarmVeenstra> Disable-NTFSAccessInheritance d:\Test2
C:\Users\HarmVeenstra> Get-NTFSAccess -Path d:\test1 | Add-NTFSAccess D:\Test2


C:\Users\HarmVeenstra> Get-NTFSAccess -Path d:\Test2

    Path: d:\Test2 (Inheritance disabled)


Account                             Access Rights                                          Applies to                Type                                                   IsInherited                                           InheritedFrom
-------                             -------------                                          ----------                ----                                                   -----------                                           -------------
Everyone                            FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  False
NT AUTHORITY\SYSTEM                 FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  False
BUILTIN\Administrators              FullControl                                            ThisFolderSubfoldersAndF… Allow                                                  False

There is a site with good documentation about all the cmdlets of the NTFSecurity module, with excellent examples and detailed instructions. Go and check that out. I think the NTFSSecurity module is the thing you should use when setting (automated) permissions. More flexible than Get-Acl/Set-Acl IMHO 🙂

4 thoughts on “Configuring NTFS permissions using PowerShell

  1. Thanks for this. I did a terabytes of filesystem permissions work last year as part of an enterprise divesture migration and found icacls is orders of magnitude faster than get-acl and set-acl. The pattern we used was to export the source permissions to a file with icacl, munge the file, and then import it on the target. It was crazy fast.

  2. Any idea, how i can uncheck the „delete“ and check the box „delete only lower folders and Files“ in the advanced permissions?

    • “Allow on Subfolders and files only with Read&Execute/List Folder Contents/Read/Only apply these permissions on objects and/or containers within this container” rights?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.