How to Manage File System ACLs With PowerShell

Changing ACLs for folders and files

There are three stages involved with changing access control lists (ACLs) for files and folders with PowerShell. This is similar to the three-stage process you’d use to remotely invoke applications with PowerShell. 

The three stages are outlined below.

1. Getting the current ACL

Before you can change an ACL, you must first access the existing one. There are two ways to do this with PowerShell:

• Use the Get-Acl 
• Use the GetAccessControl()

Many programmers recommend the GetAccessControl() method. Get-Acl is handy; however, due to some limitations, it’s not quite as smart as GetAccessControl(). For this reason, we’ll show you how to get the current ACL using the GetAccessControl() method.

Here’s how it works:

You now have the code to find the ACL in a single folder. Next, expand this to find ACLs for all home folders. If you use Get-ChildItem and the Directory parameter to exclude files instead of Get-Item, you can find ACLs on all home folders:

2. Modifying the ACL

The next step is modifying the ACL on each folder. You must ensure that the owner of each home folder is the only user with access to their folder. Luckily, the folder owner is also the folder name, which makes checking permissions easy.

You’ll need to grab that folder name and use it to create another entry in the ACL. Unfortunately, the script will have to get a little more complicated:

$HomeFolders = Get-ChildItem C:Homefolders -Directory
foreach ($HomeFolder in $HomeFolders) {
$Path = $HomeFolder.FullName
$Acl = (Get-Item $Path).GetAccessControl(‘Access’)
$Username = $HomeFolder.Name
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, ‘Modify’,                 ‘ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}

Pay particular attention to the following line in the script — it can be more challenging to comprehend:

$Ar = New-Object
System.Security.AccessControl.FileSystemAccessRule($Username, ‘Modify’, ‘ContainerInherit,ObjectInherit’, ‘None’, ‘Allow’)

3. Setting the new ACL

Access control entries (ACEs) are the individual rights inside an ACL. An ACE can also be called a FileSystemAccessRule. This is a .NET object that has five parameters;

1. Security identifier ($Username)
2. The right (Modify)
3. Inheritance settings (ContainerInherit,ObjectInherit), which force all folders and files underneath the folder to inherit its new permissions.
4. Propagation settings (None). This parameter means nothing will interfere with the inheritance settings.
5. Type (Allow).

The remaining lines take the $Ar FileSystemAccessRule object, add it to the ACL, and commit the ACL back to the disk. The way this script commits is similar to the process of installing Windows patches with PowerShell — another example of how PowerShell is great for system admin tasks.

If you use GetAccessControl() and Set-Acl, you can perform any number of other actions on ACLs, such as adding new ones as explained above, as well as removing old ones or modifying existing ACLs. 

The benefits of using PowerShell to manage file system ACLs

Using PowerShell to manage file system ACLs has two distinct advantages: 

• Saving time. PowerShell streamlines the process of managing file system permissions, which saves you time and headaches. 
• Improving security. PowerShell can help you increase business security through access control. 

1. PowerShell can streamline the process of managing file system ACLs. 

Changing permissions on a single folder is a cinch in Windows:

• Right-click a folder.
• Go to Security.
• Change the folder’s permissions.

But when you’ve got thousands of folders to change, this process becomes impractical and a huge time drain for IT professionals. 

For example, say you have a company file server that houses all employees’ home folders. Each employee must have Modify access to their folder, and administrators must have Full Control over all folders. You may have the server built and all folders created, but you then have the monumental task of ensuring NTFS permissions are set correctly on each folder. 

PowerShell automates this process and saves your IT team valuable time. 

2. PowerShell permissions can boost your organization’s security.

Ensuring only the right people have access permissions to file servers keeps your IT infrastructure compliant with GDPR and HIPAA. Additionally, it helps protect against data breaches by ensuring the wrong people don’t access your customers’ sensitive data and financial information.

PowerShell can manage file system ACLs to make ensuring correct permissions and protecting your organization’s data easy. 

Mark Fairlie contributed to this article.