Managing NTFS permissions and ACL’s with PowerShell

Posted: June 12, 2015 in Scripts

We’ll start with inheritance.Sometime (when creating folder for roaming profiles),we need to disable inheritance in order to avoid users to access other user’s folders.
$acl = Get-Item $dir |get-acl
$acl |Set-Acl

First,we export ACL’s to variable,then in SetAccessRuleProtection($true,$true)

we are actually managing permissions.First parameter enables ($true),or disables ($false) inheritance

,while the second one manages Access control entries (ACE), ($true-keep current ACE’s,$false-remove them and start with new ones)

And third line simply applies our decisons

Setting NTFS permissions

To set NTFS permissions,we first need to install  File System Security PowerShell Module

To see current NTFS permissions type
Get-Item “c:\1” | Get-NTFSAccess


To set permissions we need to type:
Add-NTFSAccess -Path C:\1   -Account ‘example\Authenticated Users ‘  -AccessRights’Fullcontrol

For removing permissions

Remove-NTFSAccess -Path “c:\1” -Account “example\domain users” -AccessRights FullControl

Inherited permissions cannot be removed

To remove all NTFS permissions for account

Get-ChildItem -Path c:\1 -Recurse |

Get-NTFSAccess -Account “example\test group” -ExcludeInherited |


Get-ChildItem with -recurse switch procesess files and folders recusively

Setting ACE permissions

Flag combinations can be found on microsoft site:

From this table we can combine flags and apply them to folders,subfolders or files,for example,to set ACE’s

to Full control for Folder (folder test has no subfolders):

$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]”ContainerInherit, none”



$acl=get-acl c:\test

$AccessRule=NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule(“test group”,$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)
$Acl | set-acl c:\test

  1. Matt says:

    I have been trying to get the module loaded in my powershell but I keep on getting the message Import-Module : File C:\windows\system32\WindowsPowerShell\v1.0\Modules\NTFSSecurity\NTFSSecurity.Init.ps1
    cannot be loaded. The file C:\windows\system32\WindowsPowerShell\v1.0\Modules\NTFSSecurity\NTFSSecurity.Init.ps1 is not digitally
    signed. You cannot run this script on the current system.

    How can I get this module loaded?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s