How to List NTFS Permissions With PowerShell

List NTFS Permissions Using PowerShell

It’s probably safe to assume you ended up on this page because, basically, you like to save time and work efficiently?!

This page will help you extract explicit (non-inherited) NTFS permissions and list them for easy Excel import.

Once you have the data in Excel, you can search and modify the output as you see fit.

Don’t worry about it – you’re welcome! 😁👍

Feel free to copy the script just below and modify it in any way you like.

Manage Hybrid Office 365 Like a Boss

Before we move on – if you REALLY want to save a lot of time, have a quick look at Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that consolidates AD and Office 365 management.

To fully understand the power of Easy365Manager, consider the user-left-the-company scenario.

Many companies have a process similar to the below when employees leave:

  • Disable the AD user account
  • Convert the mailbox to a shared mailbox
  • Hide the user from the address lists
  • Set up forwarding to the user’s manager (or replacement)
  • Delegate mailbox access to the user’s manager (or replacement)
  • Synchronize on-premises changes to Azure AD
  • Reclaim the Office 365 license

With standard tools, this easily takes anywhere between 5 and 10 minutes as you have to log in to multiple management tools.

With Easy365Manager, this can be done (by junior support) in 30 seconds.

Download the fully-functional 30-day trial and save even more time than you planned to before the end of the day!

Use PowerShell to Document NTFS Permissions

The following script will iterate all folders and subfolders of the main folder, “D:\Data”.

$OutFile = "c:\ExplicitACLs.csv"
"Path;Access;Identity" | Out-File $OutFile   # CSV header row
$TopFolders = Get-ChildItem "D:\Data" -Directory
ForEach ($TopFolder In $TopFolders) {
    Write-Host "Processing $($TopFolder.FullName) ..."
    $Folders = @($TopFolder) + @(Get-ChildItem -LiteralPath $TopFolder.FullName -Recurse -Directory)
    # $Folders holds the top folder itself plus all of its subfolders
    ForEach ($Folder In $Folders) {
        # -LiteralPath keeps folder names containing [ or ] from being read as wildcards
        $ACL = Get-Acl -LiteralPath $Folder.FullName
        ForEach ($Access In $ACL.Access) {
            # Keep only explicit (non-inherited) entries
            If ($Access.IsInherited -eq $False) {
                $Output = $Folder.FullName + ";" + $Access.FileSystemRights + ";" + $Access.IdentityReference
                $Output | Out-File $OutFile -Append
                Write-Host $Output
            }
        }
    }
}

To show a little bit of progress along the way, the script processes the top-level folders one by one and prints the name of each before scanning its subfolders.

(We certainly like to see that progress is being made when crunching terabyte-sized folders.)

The output is a semicolon-separated list stating:

  • Folder/file path
  • Access rights
  • Identity (delegatee)

The formatted output may look similar to this:

Path                 Access                       Identity
D:\Data\Customers    FullControl                  E365M\MSK
D:\Data\Customers    FullControl                  E365M\ClientReps
D:\Data\Financial    ReadAndExecute, Synchronize  E365M\JWB
D:\Data\Financial    ReadAndExecute, Synchronize  E365M\Finance
D:\Data\Development  Modify, Synchronize          E365M\Dev

TIP: If the amount of data is not colossal, you might want to include file permissions in your review.

In that case, remove the “-Directory” switch in line 6 of the script.
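A review-oriented variation on the script above, added here as an example and not part of the original article: it also records whether each explicit entry is Allow or Deny, writes a row for folders whose ACL could not be read instead of silently skipping them, and flags unresolved SIDs and broad built-in groups. The function name Get-ExplicitAce, the helper New-Row, the output path and the list of broad principals are assumptions.

```powershell
# Added example (not the article's script). 'D:\Data' and the CSV path are assumptions.
function Get-ExplicitAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # English names of broad built-in groups (assumed list; localized systems differ).
        [string[]] $BroadPrincipal = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    # Hypothetical helper: one output row, so ACEs and read failures share the same columns.
    function New-Row($Path, $Type, $Access, $Identity, $Flag) {
        [pscustomobject]@{ Path = $Path; Type = $Type; Access = $Access; Identity = $Identity; Flag = $Flag }
    }

    # The root itself plus all subfolders; listing errors are captured, not discarded.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue -ErrorVariable listErrors)
    foreach ($err in $listErrors) {
        New-Row $err.TargetObject 'ERROR' '' '' 'FolderNotListed'
    }

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # An unreadable ACL is an audit gap, so it gets its own row.
            New-Row $folder.FullName 'ERROR' '' '' 'AclNotReadable'
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # explicit entries only, as in the article
            $identity = $ace.IdentityReference.Value
            # An identity that still shows as a raw SID could not be resolved to a name.
            $flag = if ($identity -match '^S-1-') { 'UnresolvedSid' }
                    elseif ($BroadPrincipal -contains $identity) { 'BroadPrincipal' }
                    else { '' }
            New-Row $folder.FullName $ace.AccessControlType $ace.FileSystemRights $identity $flag
        }
    }
}

Get-ExplicitAce -Root 'D:\Data' |
    Export-Csv -Path 'C:\ExplicitACLs-review.csv' -Delimiter ';' -NoTypeInformation -Encoding UTF8
```

In Excel, filtering the Flag and Type columns brings the Deny entries, unresolved SIDs, broad groups and unreadable folders to the top of the review.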

We hope you’ll find the script helpful! 👍
