Directory and file permissions is a common task for a system administrator. When working with a graphical interface, updating and modifying the permissions for a wide array of files and directories can be tiresome and repetitive.
Thankfully, we can leverage the power of Windows PowerShell to view and update permissions within the NTFS filesystem.
PowerShell List File and Folder Permissions
The NTFS Filesystem has a wide collection of permissions that you can configure in various combinations for both files and folders. To view all the available permissions, you can use the System.Security.AccessControl.FileSystemRight
The command is as shown:
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
The command should return the output as:
ListDirectory
ReadData
WriteData
CreateFiles
CreateDirectories
AppendData
ReadExtendedAttributes
WriteExtendedAttributes
Traverse
ExecuteFile
DeleteSubdirectoriesAndFiles
ReadAttributes
WriteAttributes
Write
Delete
ReadPermissions
Read
ReadAndExecute
Modify
ChangePermissions
TakeOwnership
Synchronize
FullControl
The following shows what each permission does.
ListDirectory: Grants the ability to list the contents of a directory.ReadData: Allows reading the data of a file.WriteData: Permits writing or modifying the data of a file.CreateFiles: Grants the ability to create new files within a directory.CreateDirectories: Allows creating new directories within a directory.AppendData: Permits appending data to a file.ReadExtendedAttributes: Allows reading extended attributes of a file or directory. Extended attributes provide additional information about a file or directory.WriteExtendedAttributes: Permits modifying or creating extended attributes of a file or directory.Traverse: Grants the ability to traverse through a directory and access its contents.ExecuteFile: Allows executing a file or running a program.DeleteSubdirectoriesAndFiles: Permits deleting subdirectories and files within a directory.ReadAttributes: Allows reading the attributes of a file or directory. Attributes provide information such as whether the item is hidden or read-only.WriteAttributes: Permits modifying the attributes of a file or directory.Write: Grants write access to a file or directory, allowing modifying its content and attributes.Delete: Allows deleting a file or directory.ReadPermissions: Permits reading the permissions assigned to a file or directory.Read: Grants read access to a file or directory.ReadAndExecute: Allows reading the data of a file and executing it if it is an executable file or script.Modify: Provides full control over a file or directory, including reading, writing, modifying attributes, and deleting.ChangePermissions: Permits modifying the permissions assigned to a file or directory.TakeOwnership: Grants the ability to take ownership of a file or directory, allowing full control over it.Synchronize: Allows synchronization access, ensuring that file system views are consistent.FullControl: Grants full control and permissions to perform any action on the file or directory. It includes all other permissions.
PowerShell Get File or Folder Permission
Now that we know the various permissions available in an NTFS system, let us discuss how we can fetch the permission for a given file or folder.
In PowerShell, we can use the Get-ACL cmdlet to view the permission of a given file or folder as shown:
Get-ACL -Path .\img\
This command should return the permissions for the img folder as shown in the output below:
Path Owner Access
---- ----- ------
img PC\GeekBits NT AUTHORITY\SYSTEM Allow FullControl…
Although the command does return a view of the folder permissions, we can fetch more detailed permission information using the .Access attribute as shown:
(Get-Acl -Path .\img\).Access | Format-Table
Output:
FileSystemRights AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
---------------- ----------------- ----------------- ----------- ---------------- ----------------
FullControl Allow NT AUTHORITY\SYSTEM True ContainerInherit, ObjectInherit None
FullControl Allow BUILTIN\Administrators True ContainerInherit, ObjectInherit None
FullControl Allow PC\GeekBits True ContainerInherit, ObjectInherit None
In this case, we get more detailed permission information that the first command.
Default NTFS Permissions
What happens when we create a new file or folder? What permissions does Windows assign to it. We can demonstrate this by running the command as shown:
(Get-ACL -Path "file.ext").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
PowerShell Set File or Folder Permission
To update the permissions of a new file or folder, we can use the Set-ACL cmdlet. We can start by crafting a new ACL rule that we wish to apply.
We then use the cmdlet to update the permission.
To create a new permission rule, we need to follow the format:
Identity String, FileSystemRights, AccessControlType
For example, suppose we wish to apply read/write permissions to a given folder to a given user, we can define the permission as:
$permission = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "Read,Write", "ContainerInherit,ObjectInherit", "None", "Allow")
We can then apply the rule as:
$ACL.SetAccessRule($permission)
PowerShell Copy Permission to a New Object
We can also apply permissions of an existing file or folder using the Get-ACL and Set-ACL cmdlets. The commands are as shown:
Get-ACL -Path "source" | Set-ACL -Path "destination"
The command above uses the pipe operator to copy the permissions of the source file to the destination file or folder.
Conclusion
In this comprehensive tutorial, we explored the various methods and techniques that we can use to view and change file and folder permissions using PowerShell.
