How to Manage NTFS Permissions Using PowerShell

  1. View NTFS Permissions With Get-ACL in PowerShell
  2. Display NTFS Permissions in PowerShell
  3. Get ACL on Files Recursively in PowerShell

Managing NTFS permissions with a GUI is time-consuming, especially when working with many users or groups. However, specific PowerShell cmdlets can retrieve and assign NTFS permissions.

This article will discuss managing NTFS permissions with the Get-ACL command.

View NTFS Permissions With Get-ACL in PowerShell

An access control list (ACL) is a list of access control entries (ACEs). Each ACE identifies a trustee and specifies the access rights that apply to that trustee.

A securable object's security descriptor can contain two types of ACL: a DACL and a SACL. A DACL identifies the users and groups allowed or denied access, while a SACL controls the auditing of access attempts.

PowerShell allows us to quickly view NTFS permissions using the Get-ACL cmdlet. We will learn how to use the cmdlet to view NTFS permissions for a file or folder in the following sections.

Display NTFS Permissions in PowerShell

Traditionally, we would view an ACL by right-clicking on a folder, clicking on Properties, selecting the Security tab, and clicking the Advanced button. We can see an example of how the GUI displays permissions below.

ACL using Advanced Security Settings

The following examples in this article assign a path to the variable $dir.

Example Code:

$dir = "C:\Windows\Temp"
Get-Acl -Path $dir

Output:

Path Owner                      Access
---- -----                      ------
Temp DESKTOP-7GI1260\KentMarion BUILTIN\Administrators Allow  FullControl...

However, running Get-Acl with the -Path parameter on a folder only outputs the Access Control List of the folder itself. What if we wanted to check the Access Control List at the file level?

Get ACL on Files Recursively in PowerShell

One of the most useful features of PowerShell is the pipeline. A pipeline chains several commands together with the pipeline operator (|), passing the output of each command to the next.

We can use the pipeline method to get the Access Control List on the file level.

We need to use the command Get-ChildItem to achieve this scenario. The Get-ChildItem command fetches all files and folders inside a directory.

Let us use our previous $dir variable as an example.

Example Code:

$dir = "C:\Windows\Temp"
Get-ChildItem $dir -Recurse | Get-Acl | Format-List | Out-File "C:\PS\output.txt"

In the example above, the -Recurse switch parameter makes Get-ChildItem descend into every subfolder, so Get-Acl runs on each item it returns. With this snippet, we get the access control list of every file in the Temp folder.

It is also a good idea to use the Out-File command to export all the details to one text file, especially if the targeted folder contains many files. Out-File does not create missing folders, so C:\PS must already exist.
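The Format-List text dump above is hard to filter, so here is an added example (not code from the original article) that turns the same recursive Get-Acl walk into one row per ACE and marks entries worth reviewing: explicit (non-inherited) ACEs and write-type rights granted to broad groups. The report path, the SID list, the write mask and the column names are assumptions chosen for illustration.

```powershell
$dir    = "C:\Windows\Temp"        # same sample path as the article
$report = "C:\PS\acl-report.csv"   # assumed output path; C:\PS must already exist

# Broad principals, matched by well-known SID so the check is language-independent:
# Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a trustee change content or permissions, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that Get-Acl shows as numbers.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Include the folder itself, then everything below it (-Force adds hidden items).
$items = @(Get-Item -LiteralPath $dir) +
         @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)

$rows = $items | ForEach-Object {
    $item = $_
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { return }   # ACL not readable with the current token: skip this item

    foreach ($ace in $acl.Access) {
        # Resolve the trustee to a SID; keep the original value if it cannot be translated.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }

        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        [pscustomobject]@{
            Path       = $item.FullName
            Owner      = $acl.Owner
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            # True when an Allow ACE gives any write-type right to a broad group.
            BroadWrite = ($ace.AccessControlType -eq 'Allow') -and $canWrite -and ($broadSids -contains $sid)
        }
    }
}

# Full inventory for later filtering or diffing between runs.
$rows | Export-Csv -LiteralPath $report -NoTypeInformation

# On-screen review list: explicit ACEs and broad write access.
$rows | Where-Object { $_.BroadWrite -or -not $_.Inherited } |
    Format-Table Path, Identity, Rights, Inherited, BroadWrite -AutoSize
```

Run it from an elevated session if the full tree must be covered, since items whose ACL cannot be read are skipped silently.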

Marion Paul Kenneth Mendoza

Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.