How to Manage ACL Permissions Using PowerShell

  2. HowTo
  3. PowerShell Howtos
  4. How to Manage ACL Permissions Using …
Marion Paul Kenneth Mendoza Feb 02, 2024
PowerShell PowerShell ACL Permission
  1. NTFS Permission Types in PowerShell
  2. Use the Get-Acl Command to Get ACL for Folders and Files in PowerShell
  3. Use the Set-Acl Command to Set ACL for Files and Folders in PowerShell
  4. Use the -RemoveAccessRule Parameter to Remove User Permissions in PowerShell
  5. Disable or Enable Permission Inheritance in PowerShell
  6. Use the SetOwner Method to Change File and Folder Ownership in PowerShell
How to Manage ACL Permissions Using PowerShell

System administrators configure NTFS access control lists ACLs by adding access control entries ACEs on NTFS files servers to implement a least-privilege model.

This article will learn the different permission types and how to query, modify, and remove ACL on files and folders using PowerShell.

NTFS Permission Types in PowerShell

There are both advanced and basic NTFS permissions. For example, you can set each permission to Deny or Allow.

  • Full Control: Users with this permission can modify, add, move and delete files and directories, as well as their associated properties. In addition, the users with this permission can change permissions settings for all subdirectories and files.
  • Modify: Users with this permission can view and modify files and file properties, including adding and deleting files to a directory or file properties to a file.
  • Read & Execute: Users with this permission can run executable files, including scripts.
  • Read: Users can view files, file properties, and directories with this permission.
  • Write: Users with this permission can write to a file and add files to directories.

Here is the list of advanced permissions:

  • Traverse Folder or Execute File: Users with this advanced permission can navigate through folders to reach other folders or files, even if they have no permissions for these files or folders. Users with this advanced permission can also run executable files. The Traverse Folder permission takes effect when the user or group doesn’t have the Bypass Traverse Checking right in the Group Policy snap-in.
  • List Folder or Read Data: Users with this advanced permission can view a list of files and subfolders within the folder and the content of the files.
  • Read Attributes: Users with this advanced permission can view the attributes of a folder or file, such as whether it is hidden or read-only.
  • Write Attributes: Users with this advanced permission can change the attributes of a file or folder.
  • Read Extended Attributes: Users with this advanced permission can view the extended attributes of a folder or file, such as permissions and creation and modification times.
  • Write Extended Attributes: Users with this advanced permission can change the extended attributes of a folder or file.
  • Create Files or Write Data: The Create Files permission will allow users to create files within the folder with this advanced permission. This permission applies to folders only. The Write Data permission will enable users with this advanced permission to change the file and overwrite existing content. This permission only applies to files.
  • Create Folders or Append Data: The Create Folders permission allows users to create folders within a folder with this advanced permission. This permission applies to folders only. The Append Data permission will enable users with this advanced permission to make changes to the end of the file, but they cannot change, overwrite, or delete existing data. This permission only applies to files.
  • Delete: Users with this advanced permission can delete the folder or file. If users do not have the Delete permission on a folder or file, they can still delete an object if they have the Delete Subfolders And Files permission on the parent folder.
  • Read Permissions: Users with this advanced permission can read the permissions of a folder or file, such as Full Control, Read, and Write.
  • Change Permissions: Users with this advanced permission can change the permissions of a file or folder.
  • Take Ownership: Users with this advanced permission can take ownership of the file or folder. The file or folder owner can always change its permissions, regardless of any existing permissions that protect the file or folder.
  • Synchronize: Users with this advanced permission can use the object for synchronization. This permission will enable a thread to wait until the object is in the signaled state. This permission is not presented in ACL Editor.

We can find all information on these user permissions by running the following PowerShell script below:

[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])

The NTFS permissions can be either explicit or inherited. Explicit permissions are configured individually, while inherited permissions are inherited from the parent folder.

The hierarchy for permissions is as follows:

  • Explicit Deny
  • Explicit Allow
  • Inherited Deny
  • Inherited Allow

Use the Get-Acl Command to Get ACL for Folders and Files in PowerShell

The first PowerShell command used to manage file and folder permissions is Get-Acl; it lists all object permissions.

Get-Acl \\fs1\shared\hr | fl

A user must own both the target and source folders to copy permissions.

Get-Acl \\fs1\shared\hr | Set-Acl \\fs1\shared\hr

Use the Set-Acl Command to Set ACL for Files and Folders in PowerShell

The PowerShell Set-Acl command is used to change the security descriptor of a specified item, such as a file, folder, or registry key; in other words, it is used to modify file or folder permissions.

$acl = Get-Acl \\fs1\shared\hr

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\User01", "FullControl", "Allow")

$acl.SetAccessRule($AccessRule)

$acl | Set-Acl \\fs1\shared\hr

Use the -RemoveAccessRule Parameter to Remove User Permissions in PowerShell

$acl = Get-Acl \\fs1\shared\hr

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\User01", "FullControl", "Allow")

$acl.RemoveAccessRule($AccessRule)

$acl | Set-Acl \\fs1\shared\hr

Disable or Enable Permission Inheritance in PowerShell

To manage an inheritance, we can use the SetAccessRuleProtection method. The method has two parameters:

  • The first parameter is responsible for blocking inheritance from the parent folder. It returns Boolean states: $true and $false.
  • The second parameter is used whether the current inherited permissions are removed or retained. It also returns Boolean states: $true and $false.
$acl = Get-Acl \\fs1\shared\hr

$acl.SetAccessRuleProtection($true, $false)

$acl | Set-Acl \\fs1\shared\hr

Let’s revert this change and enable inheritance for the folder again:

$acl = Get-Acl \\fs1\shared\hr

$acl.SetAccessRuleProtection($false, $true)

$acl | Set-Acl \\fs1\shared\hr

Use the SetOwner Method to Change File and Folder Ownership in PowerShell

If we want to set an owner for a folder, you need to run the SetOwner method.

$acl = Get-Acl \\fs1\shared\hr

$object = New-Object System.Security.Principal.Ntaccount("ENTERPRISE\User01")

$acl.SetOwner($object)

$acl | Set-Acl \\fs1\shared\hr
Author: Marion Paul Kenneth Mendoza
Marion Paul Kenneth Mendoza avatar Marion Paul Kenneth Mendoza avatar

Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.

LinkedIn