PowerShell for File Management (Part 2)

by [Published on 13 Sept. 2016 / Last Updated on 13 Sept. 2016]

This article continues the discussion of interacting with the file system from PowerShell, by looking at how PowerShell can be used to view, add, and remove NTFS permissions.

In the previous article in this series, I showed you some techniques for using PowerShell to locate files on a server. In this article, I want to shift the discussion just a bit and talk about some of the things that you can do with regard to NTFS permissions.

Since I am going to be talking about NTFS permissions, I need to create a folder that I can use for demonstration purposes. The PowerShell cmdlet that is used for creating folders is New-Item. When you use this cmdlet, you have to specify a path and an item type. For example, if you wanted to create a folder called Demo, you would use this command:

New-Item C:\Demo -Type Directory

You can see what this looks like in the figure below.

Figure: You can use the New-Item cmdlet to create a folder.

So now that I have created a folder that I can use for demonstration purposes, let’s take a look at the NTFS permissions that currently exist on the folder. The PowerShell cmdlet that is used for retrieving NTFS permissions is Get-NTFSAccess. If you attempt to use this cmdlet, however, you will receive an error.

The reason is that NTFS cmdlets are not natively supported by PowerShell (believe me, I was surprised too). However, Microsoft does provide an NTFS module that you can download.

To install the module, open Windows File Explorer, and navigate to C:\Windows\System32\WindowsPowerShell\1.0\Modules. Now, create a folder named NTFSSecurity, and copy the contents of the ZIP file that you downloaded into the folder. You must use NTFSSecurity as the folder name; otherwise, you may be unable to import the PowerShell module.

Now, open PowerShell and enter the following command:

Get-Module -ListAvailable

Upon pressing Enter, you should see a list of the available modules. Make sure that NTFSSecurity appears on the module list, as shown in the figure below.

Figure: Check to make sure that the NTFSSecurity module is listed.

At this point, you must unblock each of the files in the NTFSSecurity folder. For each file, right-click the file and choose the Properties command from the resulting shortcut menu. When the file’s properties dialog box opens, look for an Unblock button on the General tab, as shown below. If this button exists, then click it to unblock the file. If the button doesn’t exist, then the file is not blocked.

Figure: Use the Unblock button to allow access to the files.

Now, open an administrative PowerShell window, and enter the following command:

Import-Module NTFSSecurity

If you receive an error indicating that PowerShell could not load a file or assembly, then the problem is most likely that one of your module files is still blocked. If you unblock everything, but still receive an error, try re-downloading the file, but this time unblock the ZIP file before extracting its contents.
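
The Unblock button clears the Zone.Identifier mark that Windows attaches to downloaded files. The same check and unblock can be scripted from an elevated PowerShell prompt; this is an added example, not part of the original article, and it assumes PowerShell 4.0 or later (for Get-FileHash) and that the module folder is already in place.

```powershell
# Added example: find and unblock downloaded module files before importing.
# Locate the module folder from the same listing the article uses.
$module = Get-Module -ListAvailable -Name NTFSSecurity | Select-Object -First 1
if (-not $module) { throw 'NTFSSecurity is not in any module path.' }

# A file is "blocked" when it carries a Zone.Identifier alternate data stream.
$blocked = Get-ChildItem -Path $module.ModuleBase -Recurse -File |
    Where-Object {
        Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    }

if (-not $blocked) {
    'No blocked files found.'
} else {
    # Record exactly what is about to be trusted, so it can be compared
    # against the hashes of a known-good copy of the download.
    $blocked | Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

    foreach ($file in $blocked) {
        # Show the zone information Windows stored at download time.
        "--- $($file.Name)"
        Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier
    }

    # Remove the mark; this is what the Unblock button does.
    $blocked | Unblock-File
}

Import-Module NTFSSecurity
```

Unblocking tells Windows to treat the files as local, so review the hash listing before the mark is removed rather than after.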

Once the module has been imported, you can begin using it. To check the NTFS permissions for the folder that you created earlier, enter the following command:

Get-Item C:\Demo | Get-NTFSAccess

As you can see in the image below, PowerShell displays the NTFS permissions that have been assigned to the folder.

Figure: PowerShell displays the folder’s NTFS permissions.

It’s great to be able to view the NTFS permissions for a folder, but we can also use PowerShell to assign permissions. In a production environment, permissions are usually assigned to groups rather than directly to users, but for the sake of demonstration I am going to assign permissions to a few user accounts. I will assign Read permissions to User1, Full Control permissions to User2, and I will block access to User3. I can use the following commands to assign permissions to User1 and User2:

Add-NTFSAccess -Path C:\Demo -Account 'Poseydemo\User1' -AccessRights Read
Add-NTFSAccess -Path C:\Demo -Account 'Poseydemo\User2' -AccessRights FullControl

However, I cannot use this command to deny access to User3:

Add-NTFSAccess -Path C:\Demo -Account 'Poseydemo\User3' -AccessRights Deny

This doesn’t work because when you use NTFS to block access to someone, you aren’t assigning a right named Deny, but are rather denying the ability to use a specific right. So, if I try to use the command above, I will get an error like the one shown here:

Figure: You can assign Read and Full Control, but not Deny.

So how do we block User3 from accessing the Demo folder? The only cmdlet that will get the job done is the Remove-NTFSAccess cmdlet. The problem with this cmdlet is that we have to specify the permissions that we want to remove, and we can only remove permissions that have been assigned. For example, I could remove Read permissions from User1, but I couldn’t remove FullControl permissions from User1 because User1 does not have FullControl permissions.

Let’s take a look at how this command works. I will use the Remove-NTFSAccess cmdlet to remove the Read permissions from User1. Here is the command used to do so:

Remove-NTFSAccess C:\Demo -Account 'poseydemo\user1' -AccessRights Read

This command doesn’t produce any visible output, but you can use the Get-NTFSAccess cmdlet to verify that the permission has been removed. You can see the removal process in action below.

Figure: I have removed the Read permission from User1.
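
The distinction between a right and a Deny entry, and the check after a removal, can both be seen with the built-in Get-Acl cmdlet and the .NET access-control types. This is an added example, not part of the original article and not using the NTFSSecurity module; C:\Demo and Poseydemo\User1 are the article's names and should be replaced with your own.

```powershell
# Added example: inspect the folder's access entries with built-in tooling.
$Path    = 'C:\Demo'            # the article's demonstration folder
$Account = 'Poseydemo\User1'    # the article's demonstration account

# "Deny" is an entry type, not a right: the two live in different enumerations.
$rights = [Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
$types  = [Enum]::GetNames([System.Security.AccessControl.AccessControlType])
"Is 'Deny' a right?  $($rights -contains 'Deny')"
"Entry types:        $($types -join ', ')"

# Each entry pairs an identity with a type (Allow or Deny) and a set of rights.
$aces = (Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
$aces | Sort-Object IsInherited, AccessControlType | Format-Table -AutoSize

# After Remove-NTFSAccess, confirm the account has no explicit entry left.
$explicit = $aces | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Account
}
if ($explicit) {
    Write-Warning "$Account still has explicit entries on $Path"
    $explicit | Format-Table -AutoSize
} else {
    "$Account has no explicit entries on $Path"
}

# Removing an Allow entry is not the same as denying access: inherited
# Allow entries for groups the account belongs to still apply.
$aces | Where-Object { $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```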

So now that you know how to view, add, and remove NTFS permissions, you might be curious as to what other sorts of things you can do with the NTFSSecurity module. Unfortunately, I have yet to discover any sort of comprehensive documentation for the module. Even so, it is possible to get a list of the module’s built-in cmdlets. After doing so, you can perform a Web search on the individual cmdlets to find the syntax.

To see a list of the available cmdlets, enter the following command:

Get-Command -module NTFSSecurity

You can see a list of the module’s cmdlets in the image below.

Figure: Here is a list of the NTFSSecurity module’s cmdlets.

Another way to figure out how to use the NTFSSecurity cmdlets is to take advantage of PowerShell’s built-in help. For example, the last cmdlet listed in the figure above is Test-Path2. If you wanted to know the syntax for this cmdlet, you could type this command:

Get-Command Test-Path2 | Get-Help

You can see the command’s syntax shown in the figure below.

Figure: You can use PowerShell’s Get-Help cmdlet to find the full syntax for unfamiliar cmdlets.

As you can see, the NTFSSecurity module for PowerShell allows you to access NTFS permissions for files and folders from the command line. So far, I have shown you how to view, add, and remove NTFS permissions from a folder. However, the NTFSSecurity module contains many more cmdlets, and I have really only begun to scratch the surface of what this PowerShell module can do. My plan for the next article in this series is to show you some of the module’s auditing and reporting capabilities.


The Author — Brien M. Posey

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.
