Forum Discussion

MoZZa
Iron Contributor
Dec 01, 2020

Modifying NTFS Permissions Using the NTFSSecurity Module

Hi All,
I am hoping someone can help me crack this issue.
I have been tasked with changing the Access Rights on millions of files and folders for each user/group that currently has access to them. These will be set to Read, Execute, Delete as the highest access permissions granted. Anything less than that, like List or Traverse, will be left as is.
This I can do ok with 'where-object' etc.

I am using the NTFSSecurity PowerShell module.

My biggest issue is that when I use Get-NTFSAccess -Path \\Folder\I\am\Checking and output to the console or OGV, I get the following headers.

Account               Access Rights        Applies to                    Type   IsInherited  InheritedFrom
Contoso\TestAccount1  FullControl          ThisFolderSubfoldersAndFiles  Allow  False
Contoso\TestAccount2  Modify, Synchronize  ThisFolderOnly                Allow  False
Contoso\TestAccount3  Traverse             ThisFolderAndFiles            Allow  False

However, if I export to csv, I get the following headers.

AccountType, Name, FullName, InheritanceEnabled, InheritedFrom, AccessControlType, AccessRights, Account, InheritanceFlags, IsInherited, PropagationFlags

I know the InheritanceFlags refer to the Access Rights, but is it possible when using Add-NTFSAccess to read the InheritanceFlags values as I am doing with the other values and set them so that the "applies to this folder only, this folder and files, List", etc. are not changed from their current settings?

So, this:

AccessControlType  AccessRights         Account               InheritanceFlags                 IsInherited  PropagationFlags
Allow              FullControl          Contoso\TestAccount1  ContainerInherit, ObjectInherit  FALSE        None
Allow              Modify, Synchronize  Contoso\TestAccount2  ObjectInherit                    FALSE        None
Allow              Traverse             Contoso\TestAccount3  ContainerInherit                 FALSE        None

Would become this:

AccessControlType  AccessRights                         Account               InheritanceFlags                 IsInherited  PropagationFlags
Allow              Delete, ReadAndExecute, Synchronize  Contoso\TestAccount1  ContainerInherit, ObjectInherit  FALSE        None
Allow              Delete, ReadAndExecute, Synchronize  Contoso\TestAccount2  ObjectInherit                    FALSE        None
Allow              Traverse                             Contoso\TestAccount3  ContainerInherit                 FALSE        None

Or this:

Account               Access Rights                        Applies to                    Type   IsInherited  InheritedFrom
Contoso\TestAccount1  Delete, ReadAndExecute, Synchronize  ThisFolderSubfoldersAndFiles  Allow  False
Contoso\TestAccount2  Delete, ReadAndExecute, Synchronize  ThisFolderOnly                Allow  False
Contoso\TestAccount3  Traverse                             ThisFolderAndFiles            Allow  False

And the "Applies to" settings would not change.

If I create variables from the csv for each value required, at the moment when I run the script that includes Add-NTFSAccess -Path $Fullname -Account $Account -AccessRights 'ReadAndExecute,Delete' -AccessType Allow -InheritanceFlags $InheritanceFlags, everything is set to ThisFolderSubFoldersAndFiles.

If I could use the -AppliesTo instead of -InheritanceFlags and feed in exactly what is already present when displaying get-NTFSAccess in the console or OGV, I think this would resolve 99% of my issues.

I have looked at apps like NTFS Permission Reporter, but I am sure this should be achievable with PS.

I know there must be a simple solution, (Arrays, iCacls?) but I just cannot see how to do it.

Any help would be awesome!

  • farismalaeb

    Hi MoZZa

    I tried the NTFSSecurity module, but it seems that there are still some missing features in it, such as Set-NTFSAccess, or maybe I did not see it.

    Anyway.

    I wrote some code that will do the following:

    It will read the permissions from the folder into a variable, change the value in the variable (it is hardcoded), and then apply these settings back to the folder. This will not change the Applies To scope; the only thing that should change is the permission and nothing else.

    Anyway,

    I did the test in my lab and it's a small scope; try it from your side and let me know.

    Below are some pictures of the result. Oh, did I forget to tell you that I did not use the NTFSSecurity module?

    Before the Script

    After the Script

     

    # Read the folder's ACL once, then rewrite each explicit (non-inherited) FullControl Allow entry
    $acl = Get-Acl -Path C:\MyTestFolder
    foreach ($singleACL in ($acl.Access | Where-Object { ($_.FileSystemRights -like "*FullControl*") -and ($_.IsInherited -eq $false) })) {
        # The new rights are hardcoded; everything else is copied from the existing entry
        $FileSystemRights  = [System.Security.AccessControl.FileSystemRights]"ReadData, Delete, Synchronize"
        $AccessControlType = $singleACL.AccessControlType
        $IdentityReference = $singleACL.IdentityReference
        $InheritanceFlags  = $singleACL.InheritanceFlags   # copied as-is, so the "Applies to" scope does not change
        $PropagationFlags  = $singleACL.PropagationFlags
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
        # SetAccessRule replaces the existing Allow entries for this identity with the new rule
        $acl.SetAccessRule($rule)
    }
    # Write the modified ACL back once, after all entries have been updated
    Set-Acl -Path C:\MyTestFolder -AclObject $acl

    Try the script, and let me know

    and I hope I understood the requirement correctly (sometimes my bad English fails me :facepalm:)

     

     

    ---------------- 

    If this answer helped, please click on best Response and give like 🙂

      MoZZa
      Iron Contributor

      Hi farismalaeb,

      Thank you for your reply. I can set the folders to the various options, but what I am really trying to achieve is to read the current ACL rules, reading them directly from a variable/array or csv:

      Account               Access Rights        Applies to                    Type   IsInherited  InheritedFrom
      Contoso\TestAccount1  FullControl          ThisFolderSubfoldersAndFiles  Allow  False
      Contoso\TestAccount2  Modify, Synchronize  ThisFolderOnly                Allow  False
      Contoso\TestAccount3  Traverse             ThisFolderAndFiles            Allow  False

      Modify any Access Rights that have the ability to create or modify existing files/folders and set them to ReadAndExecute,Delete, BUT do not change the Applies To values; read them straight from the existing variable/array or csv and reapply them exactly as they were prior to changing the Access Rights.

      e.g.

      Account               Access Rights          Applies to                    Type   IsInherited  InheritedFrom
      Contoso\TestAccount1  ReadAndExecute,Delete  ThisFolderSubfoldersAndFiles  Allow  False
      Contoso\TestAccount2  ReadAndExecute,Delete  ThisFolderOnly                Allow  False
      Contoso\TestAccount3  Traverse               ThisFolderAndFiles            Allow  False

      Hope that makes it a little clearer, I basically want to feed back into the ACL rule exactly what is there, but only modify the level of access rights.

      Kind Regards

      MoZZa
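A version of the read, preserve, rewrite approach from farismalaeb's reply that covers the requirement restated above: every explicit Allow entry able to create or modify content is lowered to ReadAndExecute + Delete, while its InheritanceFlags and PropagationFlags (the "Applies to" scope) are copied unchanged. This is an added example, not code from either poster or from the NTFSSecurity module; `$Root` and the `-ReportOnly` switch are assumptions.

```powershell
# Added example: lower write-capable explicit Allow entries to ReadAndExecute + Delete
# without touching their inheritance/propagation flags. Built-in Get-Acl/Set-Acl only.
param(
    [string]$Root = 'C:\MyTestFolder',   # assumption: the folder tree to process
    [switch]$ReportOnly                  # list the changes without writing them
)

# Any entry carrying one of these bits lets the principal add or change content.
# FullControl, Modify and Write all contain at least one of them; Traverse,
# ListDirectory, ReadAndExecute and plain Delete do not and are left as they are.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles'
$Target    = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Delete, Synchronize'

function Limit-WriteAccess {
    param([string]$Path)
    $acl     = Get-Acl -LiteralPath $Path
    $changed = $false
    # Explicit Allow entries only: inherited ones are corrected at the folder they come from.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' })
    foreach ($ace in $explicit) {
        if (($ace.FileSystemRights -band $WriteBits) -eq 0) { continue }
        # Same identity, same Allow type, same inheritance and propagation flags; only the rights change.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $Target, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        # Remove exactly this entry (RemoveAccessRule matches identity, type and flags), so a
        # second entry for the same account with a different "Applies to" scope is untouched.
        [void]$acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($rule)
        $changed = $true
        '{0}: {1} [{2}] {3} -> {4}' -f $Path, $ace.IdentityReference, $ace.InheritanceFlags, $ace.FileSystemRights, $Target
    }
    if ($changed -and -not $ReportOnly) {
        # Set-Acl also writes back the Owner that Get-Acl read; if that fails with a privilege
        # error, (Get-Item -LiteralPath $Path -Force).SetAccessControl($acl) writes only the DACL.
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

Limit-WriteAccess -Path $Root
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object { Limit-WriteAccess -Path $_.FullName }
```

Run it once with `-ReportOnly` against a copy of the data to review the printed before/after lines per entry before letting it write anything.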

