Get-ACL and Set-ACL

Modify NTFS permissions with PowerShell using Get-Acl and Set-Acl.

PowerShell is a very efficient tool to perform bulk changes to NTFS permissions.

The two main commands to use are Get-ACL and Set-ACL.

Let’s use a real-life example to see how it’s done.

Reset Folder Inheritance and Set NTFS Permissions

In the following example, we want to implement Microsoft best practices by moving from individually assigned permissions to group-assigned permissions.

Consider the Mars_Data folder where three users have been assigned full control:

NTFS permission management with PowerShell

First, we don’t want users to be assigned permissions directly, as this means we will have to go to the folder properties every time we need to change them.

The Microsoft best practice is to use domain local groups for permission assignment, so we create a group, “DL.Mars_Data.Modify.”

By using a domain local group, we can grant or remove data access centrally in our Active Directory simply by modifying the group membership.

Secondly, we’d like to enable inheritance on the Mars_Data folder to propagate SYSTEM and Administrators access from our top-level folder.

To accomplish this, there are three steps to cover with our PowerShell script:

  1. First, remove any existing explicit (non-inherited) permissions from the folder.
  2. Enable inheritance on the folder.
  3. Assign the Modify permission to our group.

Let’s see how it’s done.

Remove Non-Inherited Permissions Using PowerShell

To modify the folder permissions, we first need to grab the existing ACL (Access Control List) using Get-ACL:

$FolderPath = "c:\ms_tmp\Projects\P0001-P0050\Mars_Data"
$Acl = Get-Acl -Path $FolderPath

We then iterate the ACEs (Access Control Entries) in the ACL and remove any ACEs that are not inherited:

ForEach ($Ace In $Acl.Access) {
    If ($Ace.IsInherited -eq $false) {
        $Acl.RemoveAccessRuleSpecific($Ace)
    }
}

Changes to the ACL object are made in memory only. Therefore, we always need to commit the changed ACL to the folder using Set-Acl after making our changes:

Set-Acl -Path $FolderPath -ACLObject $Acl

Enable Permission Inheritance Using PowerShell

To enable inheritance of NTFS permissions, we use the following command:

$FolderPath = "c:\ms_tmp\Projects\P0001-P0050\Mars_Data"
$Acl = Get-Acl -Path $FolderPath
$Acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $FolderPath -ACLObject $Acl

As in the previous example, we read the ACL with Get-Acl, modify the ACL by enabling inheritance, and then write our changes back to disk with Set-Acl.

Add NTFS Permissions Using PowerShell

The final component of our script is to assign permissions to the group we will use to manage access instead of assigning permissions to individual users.

This is accomplished using the following PowerShell commands:

$FolderPath = "c:\ms_tmp\Projects\P0001-P0050\Mars_Data"
$Acl = Get-Acl -Path $FolderPath
$Ace = New-Object System.Security.AccessControl.FileSystemAccessRule("easy365manager\DL.Mars_Data.Modify", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Ace)
Set-Acl -Path $FolderPath -ACLObject $Acl

To assign permissions, we first need to build an ACE that reflects the permission we want to assign.

Parameters include the assignee (user or group), the file system rights, the inheritance flags, the propagation flags, and the access control type (Allow/Deny).

Again, we read the ACL with Get-Acl before making the change, and we write the ACL with Set-Acl.

The Final Script

To clean up our script, we consolidate the changes, so we only have to read and write the ACL one time.

This is what the final script looks like:

$FolderPath = "c:\ms_tmp\Projects\P0001-P0050\Mars_Data"
$Acl = Get-Acl -Path $FolderPath
# Remove non-inherited permissions
ForEach ($Ace In $Acl.Access) {
    If ($Ace.IsInherited -eq $false) {
        $Acl.RemoveAccessRuleSpecific($Ace)
    }
}
# Enable inheritance
$Acl.SetAccessRuleProtection($false, $false)
# Assign Modify to new group
$Ace = New-Object System.Security.AccessControl.FileSystemAccessRule("easy365manager\DL.Mars_Data.Modify", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Ace)
Set-Acl -Path $FolderPath -ACLObject $Acl
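As an added example (not part of the original post), the same three steps wrapped in a function that accepts folders from the pipeline, honours -WhatIf and -Verbose, and re-reads the ACL from disk afterwards to confirm the result. The folder path and group name are the post's values; the function and parameter names are my own.

```powershell
# Added example (not from the original post): the three-step change as a pipeline
# function with a dry-run switch and a post-change verification read.
function Set-GroupBasedFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$FolderPath,
        [Parameter(Mandatory)][string]$GroupIdentity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    process {
        $Acl = Get-Acl -Path $FolderPath

        # Step 1: remove every explicit (non-inherited) ACE, logging each one
        foreach ($Ace in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
            Write-Verbose ("Removing explicit ACE on {0}: {1} {2} {3}" -f
                $FolderPath, $Ace.IdentityReference, $Ace.AccessControlType, $Ace.FileSystemRights)
            $Acl.RemoveAccessRuleSpecific($Ace)
        }

        # Step 2: let SYSTEM/Administrators flow down from the parent folder again
        $Acl.SetAccessRuleProtection($false, $false)

        # Step 3: a single Allow ACE for the group, inherited by subfolders and files
        $Rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $GroupIdentity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $Acl.AddAccessRule($Rule)

        if ($PSCmdlet.ShouldProcess($FolderPath, "Replace explicit ACEs with $GroupIdentity ($Rights)")) {
            Set-Acl -Path $FolderPath -AclObject $Acl

            # Verify from disk: inheritance enabled, one explicit ACE, and it is ours
            $Applied  = Get-Acl -Path $FolderPath
            $Explicit = @($Applied.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                Folder             = $FolderPath
                InheritanceEnabled = -not $Applied.AreAccessRulesProtected
                ExplicitAceCount   = $Explicit.Count
                GroupHasRights     = [bool]($Explicit | Where-Object {
                    $_.IdentityReference.Value -eq $GroupIdentity -and
                    ($_.FileSystemRights -band $Rights) -eq $Rights })
            }
        }
    }
}

# Dry run first (nothing is written to the folder), then rerun without -WhatIf to apply
'c:\ms_tmp\Projects\P0001-P0050\Mars_Data' |
    Set-GroupBasedFolderAcl -GroupIdentity 'easy365manager\DL.Mars_Data.Modify' -Verbose -WhatIf
```

Piping several folder paths into the function applies the same change to each, which is the bulk scenario the introduction mentions.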

After running the script, the permissions are set exactly as we want them:

Setting NTFS permissions using PowerShell and Get-Acl and Set-Acl

Centralized Management From Active Directory

We have now achieved centralized management of file permissions from our AD.

Instead of having to modify permissions directly on the source (folder/file system), we can now rely on modifying group membership in AD. Very handy!

But did you know that you can also consolidate Office 365 management into your Active Directory?

With the revolutionary Office 365 administration tool, Easy365Manager, you can manage Office 365 licenses and mailboxes directly from AD user properties:

Hundreds of companies use Easy365Manager in all verticals across the globe due to the following facts:

  • It’s a huge time saver to work from AD without having to use the many Office 365 web consoles.
  • It’s super easy to install Easy365Manager (less than one minute).
  • Easy365Manager offers a GUI for a lot of tasks usually only available via PowerShell.
  • There are no changes to your infrastructure (zero risk).
  • Finally, Easy365Manager allows you to remove Exchange on-premises (a huge cost saver).

You can download a 30-day fully functional trial here.
