In order to implement a least-privilege model, which is a best practice for system security, IT security specialists and system administrators configure NTFS access control lists (ACLs) by adding access control entries (ACEs) on NTFS file servers. There are both basic and advanced NTFS permissions, and each of them can be set to “Allow” or “Deny”. You can list all the available rights by running the following PowerShell command:

```powershell
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
```
If you’re not familiar with NTFS permissions management, check out this NTFS Permissions Management Best Practice guide.
The PowerShell `Set-Acl` cmdlet changes the security descriptor of a specified item, such as a file, folder or registry key; in other words, it is used to modify file or folder permissions. The following script sets the “FullControl” permission to “Allow” for the user “ENTERPRISE\T.Simpson” on the folder “Sales”:

```powershell
$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales
```

Note that the `SetAccessRule` method completely replaces the existing permissions for that user or group, so use it when you want to change a user's folder permissions rather than add to them.
Adding Permissions
If you just want to add permissions, use the `AddAccessRule` method instead. For instance, the following script adds the “FullControl” permission for the “ENTERPRISE\J.Carter” user:

```powershell
$acl = Get-Acl \\fs1\shared\Accounting
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\J.Carter","FullControl","Allow")
$acl.AddAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\Accounting
```
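The two snippets above differ only in whether the new ACE replaces or joins the identity's existing entries, and both create an ACE that applies to the folder itself only because the three-argument constructor leaves the inheritance flags at their default. The following function, added here as an example and not taken from the original article, wraps both operations, sets inheritance explicitly so the ACE flows down to subfolders and files, and returns the resulting explicit ACEs so the change can be verified. The share path, the `ENTERPRISE\Sales-Users` group and the account names are placeholders for your own environment.

```powershell
# Added example, not from the original article. The share path, the 'ENTERPRISE\Sales-Users'
# group and the account names are placeholders for your own environment.

function Grant-FolderRight {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow',
        [switch] $Replace   # use SetAccessRule (replace) instead of AddAccessRule (append)
    )

    $acl = Get-Acl -Path $Path

    # ContainerInherit + ObjectInherit makes the ACE flow down to subfolders and files.
    # The three-argument constructor used in the article leaves these flags at None,
    # which produces an ACE that applies to this folder only.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type
    )

    if ($Replace) {
        $acl.SetAccessRule($rule)   # replaces the identity's existing ACEs of this type
    } else {
        $acl.AddAccessRule($rule)   # keeps whatever the identity already has
    }

    Set-Acl -Path $Path -AclObject $acl

    # Return the explicit (non-inherited) ACEs for the identity so the caller can verify the result.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity }
}

# Least-privilege grant: the Sales group gets Modify on the tree, not FullControl.
Grant-FolderRight -Path '\\fs1\shared\sales' -Identity 'ENTERPRISE\Sales-Users' -Rights 'Modify'

# Replace whatever explicit Allow ACEs T.Simpson had with ReadAndExecute only.
Grant-FolderRight -Path '\\fs1\shared\sales' -Identity 'ENTERPRISE\T.Simpson' -Rights 'ReadAndExecute' -Replace
```

The returned ACEs are the ones to check in a change record: if a `-Replace` call still shows a second entry for the identity, it is a Deny ACE or an inherited one, which `SetAccessRule` does not touch.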
Here are the other permissions you can assign to users or security groups:
| Access Right | Access Right’s Name in PowerShell |
|---|---|
| Full Control | FullControl |
| Traverse Folder / Execute File | ExecuteFile |
| List Folder / Read Data | ReadData |
| Read Attributes | ReadAttributes |
| Read Extended Attributes | ReadExtendedAttributes |
| Create Files / Write Data | CreateFiles |
| Create Folders / Append Data | AppendData |
| Write Attributes | WriteAttributes |
| Write Extended Attributes | WriteExtendedAttributes |
| Delete Subfolders and Files | DeleteSubdirectoriesAndFiles |
| Delete | Delete |
| Read Permissions | ReadPermissions |
| Change Permissions | ChangePermissions |
| Take Ownership | TakeOwnership |
Basic Access Rights Sets
There are also sets of basic access rights that can be applied:
| Access Rights Set | Rights Included in the Set | Name of the Set in PowerShell |
|---|---|---|
| Read | List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions | Read |
| Write | Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes | Write |
| Read and Execute | Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions | ReadAndExecute |
| Modify | Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions | Modify |
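None of the basic sets above include Change Permissions or Take Ownership; among the sets, only Full Control carries them, and a principal holding either one can widen its own access later. The following audit function, added here as an example and not part of the original article, walks a folder tree and reports the explicit Allow ACEs that grant either right to principals outside an exempt list, which is the usual starting point for bringing a share back to the basic sets. The root path and the exempt principals are placeholders.

```powershell
# Added example, not from the original article. Walks a tree and reports explicit Allow
# ACEs that grant ChangePermissions or TakeOwnership to principals outside an exempt list.
# The root path and the exempt principals are placeholders for your environment.

function Find-SensitiveAce {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Exempt = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Holding either of these lets a principal widen its own access later; the basic
    # Read/Write/Modify sets leave them out and only FullControl carries them.
    $sensitive = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl

    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are reported where they are defined (on the parent), so skip them here.
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Exempt -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $sensitive) -eq 0) { continue }

            [pscustomobject]@{
                Folder        = $folder.FullName
                Identity      = $ace.IdentityReference.Value
                Rights        = $ace.FileSystemRights
                IsFullControl = (($ace.FileSystemRights -band $full) -eq $full)
                Inherits      = $ace.InheritanceFlags
            }
        }
    }
}

# Usage: review the findings, then tighten each one with SetAccessRule to a basic set.
Find-SensitiveAce -Root '\\fs1\shared' -Exempt 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'ENTERPRISE\Domain Admins' |
    Sort-Object Folder, Identity |
    Format-Table -AutoSize
```

The `Inherits` column matters when fixing a finding: an entry with `ContainerInherit, ObjectInherit` is propagated to everything beneath it, so one `SetAccessRule` on that folder corrects the whole subtree, whereas a `None` entry applies to that folder only.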
Copying Permissions
To copy permissions, a user must own both the source and target folders. The following command copies the permissions from the “Accounting” folder to the “Sales” folder:

```powershell
Get-Acl \\fs1\shared\accounting | Set-Acl \\fs1\shared\sales
```
If you want to get a list of NTFS permissions via PowerShell, you can follow this easy how-to about exporting NTFS permissions to CSV.
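Piping `Get-Acl` straight into `Set-Acl` replaces the target's whole descriptor in one step, with nothing recorded about what it used to be. The following script, added here as an example and not taken from the original article, performs the same copy but first saves the target's descriptor as SDDL for rollback, exports the ACEs of both folders to CSV (the listing the link above describes), and afterwards prints the entries that are new on the target. The folder paths are the article's; the backup directory is a placeholder.

```powershell
# Added example, not from the original article. Copies ACEs between folders with a
# rollback point and a CSV record. Folder paths are the article's; $BackupDir is a placeholder.

$Source    = '\\fs1\shared\accounting'
$Target    = '\\fs1\shared\sales'
$BackupDir = 'C:\AclBackups'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Save the target's current descriptor as SDDL so the change can be reverted.
$targetAcl  = Get-Acl -Path $Target
$backupFile = Join-Path -Path $BackupDir -ChildPath "sales-$stamp.sddl"
$targetAcl.Sddl | Set-Content -Path $backupFile

# 2. Record the ACEs of both folders to CSV for review or a change ticket.
foreach ($p in $Source, $Target) {
    $csv = Join-Path -Path $BackupDir -ChildPath "$(Split-Path -Path $p -Leaf)-$stamp.csv"
    (Get-Acl -Path $p).Access |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited, InheritanceFlags, PropagationFlags |
        Export-Csv -Path $csv -NoTypeInformation
}

# 3. Copy the permissions (the same command as the article).
Get-Acl -Path $Source | Set-Acl -Path $Target

# 4. Show what changed on the target: ACEs present now that were not there before.
$before = $targetAcl.Access |
    ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)" }
(Get-Acl -Path $Target).Access |
    Where-Object { $before -notcontains "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# To roll back, restore the saved SDDL onto the target:
#   $acl = Get-Acl -Path $Target
#   $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $backupFile -Raw).Trim())
#   Set-Acl -Path $Target -AclObject $acl
```

The SDDL string captures owner, group and the DACL together, so restoring it puts back exactly what `Set-Acl` replaced; the CSV files are for human review and are not needed for the rollback.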