Access Control Lists (ACLs) are used to control access permissions to files and folders on the NTFS file system. On Windows, you can view and change ACLs on file system objects in several ways: from the File Explorer GUI (Security tab in a folder or file properties), or the command line using the icacls tool or PowerShell.
There are two built-in PowerShell cmdlets for managing NTFS permissions:
- Get-Acl — allows you to get the ACL of an NTFS object;
- Set-Acl — allows you to set or change the existing ACL of a file system or registry object.
To list the current ACL of an object on an NTFS file system, run the command:
get-acl c:\docs|fl
The command returns an object of the class System.Security.AccessControl.DirectorySecurity.
Main properties of the AccessControl.DirectorySecurity object:
- Access;
- CentralAccessPolicyId;
- CentralAccessPolicyName;
- Group;
- Owner;
- Path;
- Sddl;
- PSChildName;
- PSDrive;
- PSParentPath;
- PSPath;
- PSProvider;
- AccessRightType;
- AccessRuleType;
- AreAccessRulesCanonical;
- AreAccessRulesProtected;
- AreAuditRulesCanonical;
- AreAuditRulesProtected;
- AuditRuleType;
- AccessToString;
- AuditToString.
You can access any of these properties. For example, get the owner of a folder:
get-acl c:\docs |Select-Object Owner
or:
$owner = (Get-Acl C:\Docs).Owner
List only the access entries (ACEs) of the folder's ACL:
(Get-ACL -Path "C:\Docs\").access | Format-Table -AutoSize
You can get the ACL of not only a local but also a shared network folder by its UNC path:
Get-ACL -Path "\\NYFS1\Public\Docs\" | fl
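The Access property is where most permission reviews start. The following added example (not code from the original article) walks a folder tree with Get-Acl and reports explicit, non-inherited Allow entries that give write-capable rights to broad principals; it stops at the folder that defines each entry, since inherited copies below it add nothing new. The root path C:\Docs is taken from the article; the principal list and the set of rights treated as write-capable are assumptions for the demo.

```powershell
# Added example (not from the original article): report explicit, non-inherited Allow ACEs
# that grant write-capable rights to broad principals anywhere under a folder tree.
# The principal list and the rights mask below are assumptions chosen for the demo.
$Root = 'C:\Docs'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any overlap with these rights lets the holder change content or the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Principals = $BroadPrincipals
    )
    # Check the root itself plus every subfolder below it.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            # Inherited entries were already reported on the folder that defines them.
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherits  = $ace.InheritanceFlags
                Protected = $acl.AreAccessRulesProtected   # inheritance blocked on this folder?
            }
        }
    }
}

Find-BroadWriteAce -Path $Root | Format-Table -AutoSize
```

Deny entries are deliberately skipped, so the report lists only what is granted; a matching Deny entry elsewhere in the same ACL can still override a listed Allow, which is why the Rights and Protected columns are there to guide a manual look at the affected folder.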
To copy an ACL from one folder and apply it to another, use the following PowerShell commands:
$acl = Get-ACL -Path "C:\Docs\"
$acl | Set-Acl -Path "C:\Docs_new"
If you want to change the current ACL of a folder and add access permission for a new user or group, you first need to create an object of the FileSystemAccessRule class.
New-Object Security.AccessControl.FileSystemAccessRule('IdentityReference\String', 'FileSystemRights', 'InheritanceFlags', 'PropagationFlags', 'AccessControlType')
Let’s take a closer look at these options:
- IdentityReference\String — user or group name (use the following principal format: theitbros\bjackson)
- FileSystemRights — permission (for example, Read, Write, etc.)
- InheritanceFlags and PropagationFlags — these flags determine how the permission is inherited by child objects from the folder (more details about ACL propagation are described in the Microsoft documentation https://docs.microsoft.com/en-us/previous-versions/ms229747(v=vs.110)?redirectedfrom=MSDN)
- AccessControlType — allow or deny access to an object (Allow/Deny)
For example, you want to grant theitbros\bjackson user read access permission to the C:\Docs folder. Use these PowerShell commands:
# get current NTFS permissions
$current_acl = Get-ACL -Path "C:\Docs"
# create an object with new NTFS permissions
$new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('THEITBROS\bjackson', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
# add new permissions to the current ACL
$current_acl.AddAccessRule($new_acl)
# Apply an ACL to a folder
Set-ACL -Path "C:\Docs" -ACLObject $current_acl
Similarly, you can remove permissions for a specific group or user. To do this, use the RemoveAccessRuleAll method. It matches entries on the identity and the access type (Allow/Deny) of the rule you pass, so every explicit entry for that user of that type is removed regardless of the rights listed in the rule:
$current_acl = Get-ACL -Path "C:\Docs"
$new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('THEITBROS\bjackson', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$current_acl.RemoveAccessRuleAll($new_acl)
Set-ACL -Path "C:\Docs" -ACLObject $current_acl
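The add and remove steps above change a live ACL in place with no record of what was there before. The added example below (not code from the original article) wraps both in small functions: it saves the security descriptor's SDDL string before any change so it can be rolled back, makes the grant idempotent by checking for an identical explicit entry first, and uses RemoveAccessRuleAll with a probe rule to show that the rights named in the probe do not matter. The folder C:\Docs and the account THEITBROS\bjackson come from the article; the backup file location and the function names are assumptions for the demo.

```powershell
# Added example (not from the original article): reversible, idempotent grant and revoke.
# 'C:\Docs' and 'THEITBROS\bjackson' are the article's values; the backup path is an assumption.
$Path     = 'C:\Docs'
$Identity = 'THEITBROS\bjackson'
$Backup   = Join-Path $env:TEMP 'Docs.before.sddl'

function Backup-NtfsAcl {
    param([string] $Path, [string] $BackupFile)
    # SDDL captures owner, group, DACL and SACL in one string, which is enough to roll back.
    (Get-Acl -LiteralPath $Path).Sddl | Set-Content -LiteralPath $BackupFile -Encoding ASCII
}

function Grant-NtfsReadAndExecute {
    param([string] $Path, [string] $Identity)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    # Idempotence: if an identical explicit Allow entry already exists, leave the ACL alone.
    $dup = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq $rule.FileSystemRights -and
        $_.InheritanceFlags -eq $rule.InheritanceFlags
    }
    if ($dup) { return 'unchanged' }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return 'granted'
}

function Revoke-NtfsIdentity {
    param([string] $Path, [string] $Identity)
    $acl = Get-Acl -LiteralPath $Path
    # RemoveAccessRuleAll matches on identity and Allow/Deny only, so the 'Read' below is
    # just a probe: every explicit Allow entry for the identity is removed. Inherited entries
    # are not touched; they must be removed on the folder that defines them.
    $probe = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.RemoveAccessRuleAll($probe)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Restore-NtfsAcl {
    param([string] $Path, [string] $BackupFile)
    $acl = Get-Acl -LiteralPath $Path
    # Rebuild the descriptor from the saved SDDL and write the whole thing back.
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $BackupFile -Raw).Trim())
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Backup-NtfsAcl -Path $Path -BackupFile $Backup
Grant-NtfsReadAndExecute -Path $Path -Identity $Identity
# Verify what actually landed for the account:
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
# Undo everything, or just this account:
# Restore-NtfsAcl -Path $Path -BackupFile $Backup
# Revoke-NtfsIdentity -Path $Path -Identity $Identity
```

Restore-NtfsAcl writes back the owner section as well as the DACL, so run it from an elevated session: setting an owner other than yourself needs the Restore files and directories privilege even when the owner has not changed.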
To change the owner of an NTFS object, use the SetOwner method. The account or group you want to assign as an owner is passed as an identity reference: an NTAccount object built from its name, or a SecurityIdentifier object if you have its SID. Assigning ownership to an account other than your own requires the Restore files and directories privilege (SeRestorePrivilege), which administrators hold in an elevated session:
$current_acl = Get-ACL -Path "C:\Docs"
$new_owner = New-Object System.Security.Principal.NTAccount('THEITBROS\bjackson')
$current_acl.SetOwner($new_owner)
Set-Acl -Path "C:\Docs" -ACLObject $current_acl
Hint. You can also take file or folder ownership using the takeown command.
To enable permission inheritance on a folder so that it receives the parent folder's permissions again:
$current_acl = Get-Acl -Path "C:\Folder1\OneMoreFolder"
$current_acl.SetAccessRuleProtection($false, $true)
Set-Acl -Path "C:\Folder1\OneMoreFolder" -ACLObject $current_acl
The SetAccessRuleProtection method accepts two Boolean arguments:
- isProtected — $true blocks inheritance of permissions from the parent folder; $false enables it;
- preserveInheritance — when inheritance is blocked, $true keeps the previously inherited entries as explicit entries on the object and $false discards them; the argument is ignored when isProtected is $false.
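The two arguments are easy to confuse, and the ($true, $false) combination is the one that can leave a folder with no access entries at all. The added example below (not code from the original article) runs each combination against a throwaway folder under $env:TEMP and reports how many inherited and explicit entries remain, then re-enables inheritance before deleting the folder so the test cleans up after itself. The folder name and the output column names are constructed for the demo.

```powershell
# Added example (not from the original article): exercise both SetAccessRuleProtection
# arguments on a throwaway folder under $env:TEMP and report what each combination leaves.
# The folder name and column names are constructed for the demo.
function Test-InheritanceProtection {
    param([bool] $IsProtected, [bool] $PreserveInheritance)
    $dir = Join-Path $env:TEMP ('aclprot_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $acl    = Get-Acl -LiteralPath $dir
        $before = $acl.Access.Count              # a fresh folder has only inherited entries
        $acl.SetAccessRuleProtection($IsProtected, $PreserveInheritance)
        Set-Acl -LiteralPath $dir -AclObject $acl
        $after = Get-Acl -LiteralPath $dir
        [pscustomobject]@{
            IsProtected         = $IsProtected
            PreserveInheritance = $PreserveInheritance
            ProtectedNow        = $after.AreAccessRulesProtected
            AcesBefore          = $before
            InheritedAfter      = @($after.Access | Where-Object { $_.IsInherited }).Count
            ExplicitAfter       = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        }
    } finally {
        # Re-enable inheritance before deleting: after ($true, $false) the folder may have no
        # entries left, and only the owner's implicit READ_CONTROL/WRITE_DAC make this reset possible.
        $reset = Get-Acl -LiteralPath $dir
        $reset.SetAccessRuleProtection($false, $true)
        Set-Acl -LiteralPath $dir -AclObject $reset
        Remove-Item -LiteralPath $dir -Recurse -Force
    }
}

$results = foreach ($combo in @(@($true, $true), @($true, $false), @($false, $true))) {
    Test-InheritanceProtection -IsProtected $combo[0] -PreserveInheritance $combo[1]
}
$results | Format-Table -AutoSize
```

Expect the ($true, $true) row to show the same number of entries as before but all of them explicit, the ($true, $false) row to show none, and the ($false, $true) row to be unchanged, since inheritance was already enabled and the second argument is ignored.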