How to Use Get-Acl and Set-Acl Cmdlets When Managing NTFS Permissions for a File or Folder with PowerShell?

Access Control Lists (ACLs) control access permissions to files and folders on the NTFS file system. On Windows, you can view and change ACLs on file system objects in several ways: from the File Explorer GUI (the Security tab in a folder's or file's properties), or from the command line using the icacls tool or PowerShell.

There are two built-in PowerShell cmdlets for managing NTFS permissions:

  • Get-Acl — allows you to get the ACL of an NTFS object;
  • Set-Acl — allows you to set or change the existing ACL of a file system or registry object.

To list the current ACL of an object on an NTFS file system, run the command:

get-acl c:\docs|fl


The command returns an object of the class System.Security.AccessControl.DirectorySecurity.

Main properties of the AccessControl.DirectorySecurity object:

  • Access;
  • CentralAccessPolicyId;
  • CentralAccessPolicyName;
  • Group;
  • Owner;
  • Path;
  • Sddl;
  • PSChildName;
  • PSDrive;
  • PSParentPath;
  • PSPath;
  • PSProvider;
  • AccessRightType;
  • AccessRuleType;
  • AreAccessRulesCanonical;
  • AreAccessRulesProtected;
  • AreAuditRulesCanonical;
  • AreAuditRulesProtected;
  • AuditRuleType;
  • AccessToString;
  • AuditToString.

You can access any of these properties. For example, get the owner of a folder:

get-acl c:\docs |Select-Object Owner

or:

$owner= (get-acl c:\docs).owner


List only the access rules (the Access property) of a folder, without the owner, SDDL and other properties:

(Get-ACL -Path "C:\Docs\").access | Format-Table -AutoSize


You can get the ACL of not only a local but also a shared network folder by its UNC path:

Get-ACL -Path "\\NYFS1\Public\Docs\" | fl
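The Access property is also what you inspect when auditing permissions. The following function is an added example, not code from the original post: it walks a folder tree with Get-ChildItem, reads each folder's ACL with Get-Acl and reports explicit (non-inherited) Allow entries that give write-class rights to broad principals, the kind of entry that lets any user plant or modify files. The root path, the list of broad principals and the rights mask are constructed assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): find explicit Allow entries that
# give write-class rights to broad principals under a folder tree.
# Assumptions: the root path in the usage line, the default list of "broad"
# principals and the rights mask are constructed for illustration.

function Get-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users'),
        [int] $Depth = 3                      # -Depth needs PowerShell 5.0 or later
    )

    # Rights that allow changing content or permissions. Checked with a bit mask,
    # because FileSystemRights is a [Flags] enum and a stored rule may hold a
    # combination (or a raw generic-rights integer) rather than a single member.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # Get-Acl fails on folders the caller cannot read; skip those and keep going
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                     # only rules set on this object itself
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries are not a weakness
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path        = $item.FullName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                Owner       = $acl.Owner
            }
        }
    }
}

# Usage (constructed path): Get-BroadWriteAce -Path 'C:\Docs' | Format-Table -AutoSize
```

Inherited entries are skipped on purpose: they are reported once, on the folder where they are explicitly set, so the output points at the place where the permission has to be fixed.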

To copy an ACL from one folder and apply it to another, use the following PowerShell commands:

$acl = Get-ACL -Path "C:\Docs\"

$acl | Set-Acl -Path "C:\Docs_new"

If you want to change the current ACL of a folder and add access permission for a new user or group, you first need to create an object of the FileSystemAccessRule class.

New-Object System.Security.AccessControl.FileSystemAccessRule('IdentityReference', 'FileSystemRights', 'InheritanceFlags', 'PropagationFlags', 'AccessControlType')

Let’s take a closer look at these options:

  • IdentityReference — user or group name (use the following principal format: theitbros\bjackson)
  • FileSystemRights — permission (for example, Read, Write, etc.)
  • InheritanceFlags and PropagationFlags — these flags determine how the permission is inherited by subfolders and files (more details about ACL propagation are described in the Microsoft documentation https://docs.microsoft.com/en-us/previous-versions/ms229747(v=vs.110)?redirectedfrom=MSDN)
  • AccessControlType — allow or deny access to an object (Allow/Deny)

For example, you want to grant theitbros\bjackson user read access permission to the C:\Docs folder. Use these PowerShell commands:

# get current NTFS permissions

$current_acl = Get-ACL -Path "C:\Docs"

# create an object with new NTFS permissions

$new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('THEITBROS\bjackson', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# add new permissions to the current ACL

$current_acl.AddAccessRule($new_acl)

# Apply an ACL to a folder

Set-ACL -Path "C:\Docs" -ACLObject $current_acl

Similarly, you can remove permissions for a specific group or user. To do this, use the RemoveAccessRuleAll method:

$current_acl = Get-ACL -Path "C:\Docs"

$new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('THEITBROS\bjackson', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# remove every explicit Allow rule for this identity (the rights in the rule object are not compared)

$current_acl.RemoveAccessRuleAll($new_acl)

Set-ACL -Path "C:\Docs" -ACLObject $current_acl
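The grant and remove procedures above are the same Get-Acl, modify, Set-Acl sequence. The function below is an added example, not code from the original post: it wraps that sequence for both directions, skips the change when an explicit rule with at least the requested rights is already present, supports -WhatIf, and re-reads the ACL from disk after Set-Acl to confirm the result. The account name and folder in the usage lines are constructed; the caller must already be allowed to change the object's permissions.

```powershell
# Added example (not from the original post): idempotent grant/revoke of an
# explicit NTFS rule with Get-Acl and Set-Acl, verified after the change.
# Assumptions: the account and path in the usage lines are constructed.

function Set-FolderAccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # 'DOMAIN\user' or 'DOMAIN\group'
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Read',
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow',
        [switch] $Remove
    )

    # Same inheritance as in the post: applies to this folder, its subfolders and files
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type

    $acl = Get-Acl -LiteralPath $Path

    # Explicit rules only: inherited entries come from the parent and cannot be removed here
    $existing = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq $Type
    }

    if ($Remove) {
        if (-not $existing) { Write-Verbose "No explicit $Type rule for $Identity on $Path"; return }
        # RemoveAccessRuleAll drops every explicit rule for this identity and type, whatever its rights
        $acl.RemoveAccessRuleAll($rule)
        $action = 'Remove'
    } else {
        # Compare with a bit mask: the stored rule may carry extra bits (Synchronize is
        # added automatically to Allow rules), so exact equality would miss a match
        $covered = $existing | Where-Object { ([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights }
        if ($covered) { Write-Verbose "Rule already present on $Path"; return }
        $acl.AddAccessRule($rule)
        $action = 'Add'
    }

    if ($PSCmdlet.ShouldProcess($Path, "$action $Type $Rights for $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl

        # Re-read the ACL from disk rather than trusting the in-memory object
        $check = (Get-Acl -LiteralPath $Path).Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq $Type
        }
        if ($Remove -and $check) { throw "Rule for $Identity is still present on $Path" }
        if (-not $Remove -and -not $check) { throw "Rule for $Identity not found on $Path after Set-Acl" }
        $check
    }
}

# Usage (constructed values):
# Set-FolderAccessRule -Path 'C:\Docs' -Identity 'THEITBROS\bjackson' -Rights Read -WhatIf
# Set-FolderAccessRule -Path 'C:\Docs' -Identity 'THEITBROS\bjackson' -Rights Read
# Set-FolderAccessRule -Path 'C:\Docs' -Identity 'THEITBROS\bjackson' -Remove
```

The -WhatIf run shows what would change without touching the folder, which is worth doing first when the rule is applied to a large tree through inheritance.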

To change the owner of an NTFS object, use the SetOwner method. The account or group you want to assign as the owner is passed as an identity object (an NTAccount built from the account name, as below, or a SecurityIdentifier built from its SID):

$current_acl = Get-ACL -Path "C:\Docs"

$user_acct = New-Object System.Security.Principal.NTAccount('THEITBROS\bjackson')

$current_acl.SetOwner($user_acct)

Set-Acl -Path "C:\Docs" -ACLObject $current_acl

Hint. You can also take file or folder ownership using the takeown.exe console tool.

To enable permission inheritance on a folder so that it receives its parent's ACL entries again, read the folder's ACL, call SetAccessRuleProtection and apply the result:

$current_acl = Get-ACL -Path "C:\Folder1\OneMoreFolder"

$current_acl.SetAccessRuleProtection($false,$true)

Set-Acl -Path "C:\Folder1\OneMoreFolder" -ACLObject $current_acl

The SetAccessRuleProtection method accepts two Boolean arguments:

  • isProtected — $true blocks inheritance from the parent folder, $false enables it;
  • preserveInheritance — when inheritance is blocked, $true keeps the rules previously inherited from the parent as explicit rules on the folder, $false removes them; this argument is ignored when isProtected is $false.
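Ownership and inheritance changes are the two operations where a mistake can lock people out, so they deserve a check after Set-Acl. The two functions below are an added example, not code from the original post. Set-FolderOwner accepts either an account name or an SID string, resolves it before touching the object, and returns the owner read back from disk; assigning ownership to an account other than the caller needs the Restore files and directories privilege, so run it from an elevated session. Set-FolderInheritance wraps SetAccessRuleProtection and refuses the combination that would leave an empty DACL. The paths and account in the usage lines are constructed.

```powershell
# Added example (not from the original post): set the owner and the inheritance
# state of a folder, then re-read the ACL to confirm the change.
# Assumptions: the paths and the account in the usage lines are constructed.

function Set-FolderOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity   # 'DOMAIN\user' or an SID string such as 'S-1-5-32-544'
    )
    # Either form becomes an IdentityReference, which is what SetOwner takes
    $ref = if ($Identity -match '^S-1-') {
        New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Identity
    } else {
        New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity
    }
    # Resolve now so a mistyped account fails here instead of inside Set-Acl
    $sid = $ref.Translate([System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner($sid)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Owner as stored on disk, not the value we put into the in-memory object
    (Get-Acl -LiteralPath $Path).Owner
}

function Set-FolderInheritance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [bool] $Block,         # $true: stop inheriting from the parent
        [bool] $KeepInheritedAsExplicit = $true       # only consulted when $Block is $true
    )
    $acl = Get-Acl -LiteralPath $Path

    if ($Block -and -not $KeepInheritedAsExplicit -and
        -not ($acl.Access | Where-Object { -not $_.IsInherited })) {
        # Blocking inheritance and discarding the inherited rules would leave an empty
        # DACL: nobody, administrators included, could open the folder without first
        # taking ownership. Refuse rather than apply it.
        throw "Refusing to block inheritance on ${Path}: no explicit rules would remain"
    }

    $acl.SetAccessRuleProtection($Block, $KeepInheritedAsExplicit)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Report the state as stored on disk after the change
    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Protected     = $after.AreAccessRulesProtected
        InheritedAces = @($after.Access | Where-Object { $_.IsInherited }).Count
        ExplicitAces  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

# Usage (constructed values):
# Set-FolderOwner -Path 'C:\Docs' -Identity 'THEITBROS\bjackson'
# Set-FolderInheritance -Path 'C:\Folder1\OneMoreFolder' -Block $true    # copy inherited rules, then cut the link
# Set-FolderInheritance -Path 'C:\Folder1\OneMoreFolder' -Block $false   # inherit from the parent again
```

After `-Block $true` the report shows Protected = True, zero inherited entries and the former inherited entries counted as explicit ones; after `-Block $false` the parent's entries reappear as inherited and any explicit entries on the folder are kept.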

Cyril Kardashevsky

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
