
Get NTFS Access Permissions using NTFSSecurity Module

I have to say the NTFSSecurity Module is probably one of the best things since sliced bread when it comes to getting NTFS access permissions. Natively, PowerShell doesn’t offer a very good solution for checking NTFS permissions, so author Raimund Andrée came up with the NTFSSecurity Module to allow for easy security transactions within your environment.

How to Download and Use the NTFSSecurity Module

In order to use this incredible and powerful module, head on over to the TechNet repository and download the NTFSSecurity Module. Once you have the module downloaded and extracted to a location on your computer:

  • Copy the NTFSSecurity folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules


  • Open PowerShell and type in the following:
#Importing the NTFSSecurity Module
Import-Module NTFSSecurity

#Getting all the commands associated with the NTFSSecurity module
Get-Command -Module NTFSSecurity


  • Check file or folder permissions by doing the following:
  • I like to check effective permissions because it shows if the user has access to a folder even if it’s not explicitly added by the username.

$Path = 'E:\Linux ISOs\'
Get-ChildItem -Path $Path -Recurse -Directory | Get-NTFSEffectiveAccess -Account 'AD\pcontreras' | select Account, AccessControlType, AccessRights, FullName


Change Directory Owner Recursively In PowerShell

Say the permissions structure was fubar’d beyond belief and we wanted to start fixing it by taking over owner permissions and working our way down the file system. With the Set-NTFSOwner cmdlet we could definitely do that with ease. Here’s how!


$Path = 'E:\Linux ISOs\'

#We'll start off by getting current owner permissions to see what's going on.
Get-ChildItem -Path $Path -Recurse -Directory | Get-NTFSOwner

Item                 Owner
----                 -----
E:\Linux ISOs\CentOS AD\pcontreras
E:\Linux ISOs\Redhat AD\pcontreras


#Next we'll change the owner permissions to the built-in Administrators of the machine.
Get-ChildItem -Path $Path -Recurse -Directory | Set-NTFSOwner -Account Administrators

#Checking to see if the new owner permissions were set properly.
Get-ChildItem -Path $Path -Recurse -Directory | Get-NTFSOwner

Item                 Owner
----                 -----
E:\Linux ISOs\CentOS BUILTIN\Administrators
E:\Linux ISOs\Redhat BUILTIN\Administrators


#Just for grins we'll set the owner back to pcontreras 
Get-ChildItem -Path $Path -Recurse -Directory | Set-NTFSOwner -Account 'AD\pcontreras'

#Checking once again to see if the permissions were set properly.
Get-ChildItem -Path $Path -Recurse -Directory | Get-NTFSOwner


Item                 Owner
----                 -----
E:\Linux ISOs\CentOS AD\pcontreras
E:\Linux ISOs\Redhat AD\pcontreras
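
To make a recursive owner change like the one above reversible, the following added example (not from the original article or the NTFSSecurity project) records each directory's owner to a CSV file first and can put the recorded owners back. The helper names Export-OwnerSnapshot and Restore-OwnerSnapshot and the snapshot path C:\Temp\owner-snapshot.csv are assumptions; the NTFSSecurity cmdlets are piped the same way as in the article.

```powershell
# Added example: record directory owners before a recursive Set-NTFSOwner so
# the change can be reviewed and rolled back. Requires the NTFSSecurity module.
Import-Module NTFSSecurity

# Hypothetical helper: write one CSV row (Path, Owner) per directory under $Path.
function Export-OwnerSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    Get-ChildItem -Path $Path -Recurse -Directory | ForEach-Object {
        $owner = $_ | Get-NTFSOwner
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = "$($owner.Owner)"   # account name as shown in the Owner column
        }
    } | Export-Csv -Path $CsvPath -NoTypeInformation
}

# Hypothetical helper: set each directory back to the owner recorded in the snapshot.
function Restore-OwnerSnapshot {
    param([Parameter(Mandatory)] [string] $CsvPath)
    foreach ($row in Import-Csv -Path $CsvPath) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            Write-Warning "Skipping missing path: $($row.Path)"
            continue
        }
        # Only touch directories whose owner differs from the recorded one.
        $current = Get-Item -LiteralPath $row.Path | Get-NTFSOwner
        if ("$($current.Owner)" -ne $row.Owner) {
            Get-Item -LiteralPath $row.Path | Set-NTFSOwner -Account $row.Owner
        }
    }
}

$Path     = 'E:\Linux ISOs\'
$Snapshot = 'C:\Temp\owner-snapshot.csv'   # assumed location for the snapshot file

# 1. Record the current owners, 2. make the change, 3. roll back if needed.
Export-OwnerSnapshot -Path $Path -CsvPath $Snapshot
Get-ChildItem -Path $Path -Recurse -Directory | Set-NTFSOwner -Account Administrators
# If the result is not what you wanted, put the recorded owners back:
Restore-OwnerSnapshot -CsvPath $Snapshot
```

Keep the snapshot file somewhere only administrators can write to, since the restore step trusts its contents.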


Adding NTFS Permissions to a file or folder using PowerShell


$Path = 'E:\Linux ISOs\'

#Granting the user DJones full control rights on the Linux ISOs folder, its subfolders and files.
Add-NTFSAccess -Path $Path -Account "AD\DJones" -AccessRights FullControl -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

Hopefully this article on how to get NTFS access permissions was useful for you, and hopefully it saved you a lot of time with regards to permissions. I know it helped save me a ton of time when I had to weed through permissions.

Also, don’t forget to check out our YouTube Channel for more awesome Sysadmin content. If you’re more of a visual learner, you will love what we’ve got going on over there.


Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

2 Comments

  1. Trying to figure out a script that will create an AD group then possibly create a folder on fileshare and set the permissions on an ACL.

  2. How do I add an ACL for USER2 like USER1 has, recursively?
    Get-ChildItem c:\TEMP -Recurse -Force | Where-Object {($_.PsIsContainer)} | Get-NTFSAccess -ExcludeInherited -Account AD\USER1
    And what next?
    I need to add the user to these paths.
