
Manage NTFS permissions with Powershell

Managing NTFS permissions through the GUI is not trivial. One mistake and a lot of data is shared with the wrong person. It gets even harder if you have to create lots of different folders and change their permissions in a particular way… Fortunately you can help yourself with PowerShell and automate things a bit. So where is the problem? Well, it is not so clear how to actually achieve simple things like setting new permissions. It took me a moment to figure it out, and to simplify things I've created a few support functions that let me control my final script in an easy-to-read manner.

✅ Solution

I've created 3 support functions:

Remove-Permission

function Remove-Permission($StartingDir, $UserOrGroup = "", $All = $false) {
    # Read the current ACL. RemoveAccessRule only affects explicit ACEs;
    # inherited ACEs have to be handled via Set-Inheritance.
    $acl = Get-Acl -Path $StartingDir
    if ($UserOrGroup -ne "") {
        # Remove every explicit ACE that belongs to the given principal
        foreach ($access in $acl.Access) {
            if ($access.IdentityReference.Value -eq $UserOrGroup) {
                $acl.RemoveAccessRule($access) | Out-Null
            }
        }
    }
    if ($All -eq $true) {
        # Remove all explicit ACEs, regardless of principal
        foreach ($access in $acl.Access) {
            $acl.RemoveAccessRule($access) | Out-Null
        }
    }
    # Write the modified ACL back to the folder that was read
    Set-Acl -Path $StartingDir -AclObject $acl
}

Set-Inheritance

function Set-Inheritance($StartingDir, $DisableInheritance = $false, $KeepInheritedAcl = $false) {
    $acl = Get-Acl -Path $StartingDir
    # First argument: $true protects the ACL from inheritance (breaks it).
    # Second argument: whether inherited ACEs are copied as explicit ACEs ($true) or discarded ($false).
    $acl.SetAccessRuleProtection($DisableInheritance, $KeepInheritedAcl)
    $acl | Set-Acl -Path $StartingDir
}

Set-Permission

function Set-Permission($StartingDir, $UserOrGroup = "", $InheritedFolderPermissions = "ContainerInherit, ObjectInherit", $AccessControlType = "Allow", $PropagationFlags = "None", $AclRightsToAssign) {
    ### The possible values for Rights (System.Security.AccessControl.FileSystemRights) are:
    # ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, Synchronize, FullControl
    # ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
    # WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership

    ### Principal expected
    # domain\username (or a well-known account such as BUILTIN\Administrators)

    ### Inherited folder permissions (InheritanceFlags):
    # ObjectInherit    - This folder and files (no inheritance to subfolders)
    # ContainerInherit - This folder and subfolders
    ### Propagation flags (PropagationFlags):
    # InheritOnly      - The ACE does not apply to the current file/directory, only to its children

    # Define a new access rule and merge it into the existing ACL
    $acl = Get-Acl -Path $StartingDir
    $perm = $UserOrGroup, $AclRightsToAssign, $InheritedFolderPermissions, $PropagationFlags, $AccessControlType
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
    # SetAccessRule replaces existing explicit rules with the same identity and access type, then adds this one
    $acl.SetAccessRule($rule)
    Set-Acl -Path $StartingDir -AclObject $acl
}

Those 3 little functions are actually really powerful. I had a small task where the F:\Shares directory contained user folders, each with the same permissions. What was expected was to remove the current permissions and set new ones: the user (with the same name as the folder) had to have Read access, while others required specific permissions. The functions above allowed me to easily set inheritance, remove permissions and finally set permissions on the NTFS folder and all of the files inside.

Set-StrictMode -Version Latest
Clear-Host
Import-Module ActiveDirectory
$path = "F:\Shares\PersonalTesting"

function FindAndFixFolders() {
    $folders = Get-ChildItem -Path $path -Directory | Select-Object Name, FullName
    foreach ($folder in $folders) {
        # Break inheritance and drop the inherited ACEs so only explicit rules remain
        Set-Inheritance $folder.FullName -DisableInheritance $true -KeepInheritedAcl $false
        #Remove-Permission $folder.FullName -UserOrGroup "Domain\srv.pklys"
        #Remove-Permission $folder.FullName -All $true
        # The folder owner (same name as the folder) gets read-only access; admins and SYSTEM get FullControl
        Set-Permission $folder.FullName -UserOrGroup "Domain\$($folder.Name)" -AclRightsToAssign "ReadAndExecute"
        Set-Permission $folder.FullName -UserOrGroup "Domain\Domain Admins" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "BUILTIN\Administrators" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "SYSTEM" -AclRightsToAssign "FullControl"
        Set-Permission $folder.FullName -UserOrGroup "Domain\domain.pklys" -AclRightsToAssign "FullControl"
        # Make sure the broad built-in group does not keep an explicit entry
        Remove-Permission $folder.FullName -UserOrGroup "BUILTIN\Users"
    }
}
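An added verification step, not part of the original post: after FindAndFixFolders has run, read each ACL back and flag folders that still inherit, still grant access to a broad group, or give FullControl to a principal outside the expected list. The expected and forbidden principal lists (and the "Domain" prefix) are assumptions; adjust them to your environment.

```powershell
function Test-FolderPermission {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals allowed to hold FullControl on a personal share (assumed list; "Domain" is a placeholder)
        [string[]] $ExpectedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                            'Domain\Domain Admins', 'Domain\domain.pklys'),
        # Broad groups that should never appear with an explicit ACE on a personal folder (assumed list)
        [string[]] $Forbidden = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $Path
    $problems = @()

    # Inheritance must be broken, otherwise parent ACEs can silently widen access later
    if (-not $acl.AreAccessRulesProtected) {
        $problems += "Inheritance is still enabled"
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.IsInherited) {
            $problems += "Inherited ACE present for $id"
            continue
        }
        if ($ace.AccessControlType -eq 'Deny') {
            $problems += "Deny ACE for $id (review: deny rules are easy to misread)"
        }
        if ($Forbidden -contains $id) {
            $problems += "Broad principal $id has explicit access: $($ace.FileSystemRights)"
            continue
        }
        # -band against FullControl catches rules where all FullControl bits are set
        if ((($ace.FileSystemRights -band $fullControl) -eq $fullControl) -and ($ExpectedFullControl -notcontains $id)) {
            $problems += "$id holds FullControl but is not in the expected list"
        }
    }
    [pscustomobject]@{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Report only the folders that still need attention
Get-ChildItem -Path $path -Directory |
    ForEach-Object { Test-FolderPermission -Path $_.FullName } |
    Where-Object { -not $_.Compliant } |
    Format-List Path, Problems
```

Get-Acl reports the local system account as NT AUTHORITY\SYSTEM even though Set-Permission accepted the short name SYSTEM, so the expected list uses the resolved form.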

While the code is not a complete solution for working with NTFS permissions, it should be enough to get things working 🙂 in an easy, predictable way.

This post was last modified on June 6, 2025 21:23

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
