Version 4.2.3 released on May 19 2016
Introduction
Managing permissions with PowerShell is only a bit easier than in VBS or the command line as there are no cmdlets for most day-to-day tasks like getting a permission report or adding permission to an item. PowerShell only offers Get-Acl and Set-Acl, but everything in between getting and setting the ACL is missing. This module closes the gap.
Documentation
For documentation please refer to:
Comments, feature requests and bug reports are very welcome:
raandree@live.com
Installation
Just create the folder "NTFSSecurity" in one of the standard module folders and copy the attached files into it. The standard module folders are listed in the environment variable %PSModulePath%, for example C:\Users\<username>\Documents\WindowsPowerShell\Modules.
For example, all the files in the zip file have to be in "C:\Users\raandree\Documents\WindowsPowerShell\Modules\NTFSSecurity". Once this is done, the module should be listed by "Get-Module -ListAvailable" and can be imported using "Import-Module NTFSSecurity".
Description
The module provides 10 cmdlets to manage permissions on the file system, like adding and removing ACEs, setting the inheritance, getting the current permissions or even getting the effective permissions for a certain user.
The available cmdlets are listed below with a short description. More information can be retrieved in PowerShell using Get-Help.
The name / SID translation is done by the Security2 class; its source code is available on CodePlex as well.
All cmdlets have at least one parameter that supports the pipeline. They can all work with pipeline input coming from Get-ChildItem, but some do more with what comes from the pipeline. For example, you can remove permissions by piping what Get-Ace returns to Remove-Ace:
#Get permissions from all files or folders in the current folder
dir | Get-NTFSAccess
#to read and also remove only the explicitly assigned ones
dir | Get-NTFSAccess -ExcludeInherited | Remove-Ace
The pipeline support can also be used to back up and restore permissions of one or many items:
#to back up permissions just pipe what Get-NTFSAccess returns to Export-Csv
dir | Get-NTFSAccess -ExcludeInherited | Export-Csv permissions.csv
#to restore the permissions pipe the imported data to Add-NTFSAccess
#As the imported data also contains the path you do not need to specify the item
Import-Csv .\permissions.csv | Add-NTFSAccess
All cmdlets can handle SIDs and also SamAccountNames. The output always contains both unless a SID is not resolvable.
The types.ps1xml file extends the common objects with some useful information, and the format.ps1xml file formats all the output in almost the same way as the Get-ChildItem output.
Add-Ace
Adds a specific ACE to the current object. This can be done in just one line:
Get-Item .\VMWare | Add-Ace -Account Contoso\JohnD -AccessRights FullControl
Get-Ace
Gives you a list of all permissions. Normally you are not interested in the inherited permissions, so the switch ExcludeInherited can be useful:
Get-Item F:\backup | Get-Ace -ExcludeInherited
Filtering works with Where-Object:
Get-Item F:\backup | Get-Ace | Where-Object { $_.ID -like "*users*" }
Get-OrphanedAce
Lists all permissions that can no longer be resolved. This normally happens if the account is no longer available so the permissions show up as a SID and not as an account name.
To remove all non-resolvable or orphaned permissions you can use the following line. Be very careful with it, though: the account may be unresolvable only because of a network problem.
dir -Recurse | Get-OrphanedAce | Remove-Ace
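A guarded version of that cleanup, as an added example that is not part of the module's own documentation: it refuses to run when name resolution is failing, records the ACEs before removal, and only deletes when asked. It uses the NTFS-prefixed names of Get-OrphanedAce and Remove-Ace; the path, the canary account, the CSV name and the Account property used for grouping are assumptions.

```powershell
# Added example: guarded cleanup of orphaned ACEs. Paths and accounts are assumed values.
param(
    [string]   $Root           = 'D:\Shares',                # assumed tree to clean
    [string[]] $CanaryAccounts = @('CONTOSO\Domain Users'),  # assumed accounts that must resolve
    [string]   $BackupCsv      = ".\orphaned-aces_$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [switch]   $Remove                                       # without this switch nothing is changed
)

Import-Module NTFSSecurity -ErrorAction Stop

# 1. Refuse to run if name resolution is broken right now: during an outage
#    every domain ACE looks orphaned and would be deleted.
foreach ($name in $CanaryAccounts) {
    try {
        $null = ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }
    catch {
        throw "Cannot resolve '$name'; directory lookup is failing, aborting cleanup."
    }
}

# 2. Collect the unresolvable ACEs once, so report, backup and removal agree.
$orphans = @(Get-ChildItem -Path $Root -Recurse | Get-NTFSOrphanedAccess)
if ($orphans.Count -eq 0) {
    Write-Output "No orphaned ACEs found under $Root."
    return
}

# 3. Keep a record of what is about to be removed (same CSV approach as the backup example).
$orphans | Export-Csv -Path $BackupCsv -NoTypeInformation

# 4. Summarise per SID so an unexpected SID (for example one from a trusted
#    domain that is merely unreachable) is noticed before anything is deleted.
#    Account is assumed to be the identity property of the returned objects.
$orphans | Group-Object { [string]$_.Account } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Remove only when explicitly requested.
if ($Remove) {
    $orphans | Remove-NTFSAccess
    Write-Output "Removed $($orphans.Count) orphaned ACEs; backup in $BackupCsv."
}
```

Run it once without -Remove and review the per-SID summary; list one canary account per domain whose accounts appear in the ACLs.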
Remove-Ace
Removes the permission for a certain account. As the pipeline is supported, it also takes ACEs coming from Get-Ace or Get-OrphanedAce.
Get-EffectivePermissions
Shows the permissions an account actually has on a file or folder. If no parameter is specified it shows the effective permissions for the current user. However, you can supply a user by using the SID or account name:
Get-Item F:\backup | Get-EffectivePermissions -Account S-1-5-32-545
Get-Inheritance
Shows if inheritance is blocked
Enable-Inheritance
It can be a problem if certain files or folders on a volume have inheritance disabled. Making sure that inheritance is enabled can be done using this cmdlet:
#Enable inheritance on every file and folder below .\Data
Get-ChildItem .\Data -Recurse | Enable-Inheritance
Disable-Inheritance
See Enable-Inheritance
Get-Owner
Shows the owner of a file or folder:
dir -Recurse | Get-Owner
Set-Owner
Sets the owner to a specific account like:
Get-Item .\Data | Set-Owner -Account builtin\administrators
Version
- 4.2.3
  - Added Cmdlet Get-FileHash2
  - Bug Fixes
- 4.2.2
  - Added the cmdlet Test-Path2
  - Fixed parameter sets of Add-NTFSAudit
  - NTFSSecurity did not handle permissions that are only propagated to the next level when using the ApplyTo parameter. The ApplyTo enum now supports *OneLevel names.
- 4.2.1
  - Added the cmdlets Get-NTFSHardLink, New-NTFSHardLink, New-NTFSSymbolicLink
- 4.2
  - Added cmdlets Move-Item2 and Copy-Item2
  - Remove-Item2, Move-Item2 and Copy-Item2 now support the WhatIf and Confirm parameters
- 4.1
  - The Attributes parameter for Get-ChildItem2 works the same as the one on the standard cmdlet Get-ChildItem, as requested
  - Remove-NTFSAccess can now remove access from existing Access Control Entries. The old behaviour is still available using the -RemoveSpecific switch parameter
- 4.0
  - The NTFSAccess cmdlets can now work on Security descriptors to allow bulk processes
  - Code cleanup for better performance and maintainability
  - Bug Fixes
- 3.2
  - Bugfixing managing auditing
  - Fixed various Bugs reported on CodePlex
- 3.1
  - All cmdlets have the prefix NTFS now. There are aliases for backward compatibility
  - The new version of Get-NTFSEffectivePermission uses AuthzAccessCheck instead of GetEffectiveRightsFromAcl. The previous Get-NTFSEffectivePermission cmdlet has been renamed to Get-NTFSEffectivePermissionOld
  - Added FileSystemAuditRule2 to the PowerShell formatters
  - Added InheritedFrom information to FileSystemAuditRule2
- 3.0
  - This version leverages the AlphaFS (http://alphafs.codeplex.com) to work around the MAX_PATH limitation of 260 characters
  - This requires new *-Item commands to be able to discover items with a long path
    - Get-ChildItem2 (dir2)
    - Get-Item2 (gi2)
    - Remove-Item2 (del2, rm2)
  - For inherited ACEs the InheritedFrom is displayed
  - Generic access rights are supported
  - Performance Improvements
  - Bug Fixes
- 2.4
  - Remove-Access did not remove Deny ACEs when using the pipeline (for example: Import-Csv .\access.txt | Remove-Access)
  - Add-Access did not remove Deny ACEs when using the pipeline (for example: Import-Csv .\access.txt | Add-Access)
  - The parameter Account was undiscoverable when using the pipeline
- 2.3
  - The module now makes full use of the Backup, Restore privilege and TakeOwnership so as an administrator you can edit permissions on objects that you do not have explicitly access to. Privileges are enabled by default if the value 'EnablePrivileges' is true in the NTFSSecurity.psd1. The new cmdlets Get, Disable and Enable-Privileges are for manual control.
  - The Path parameter now works consistently
- 2.1
  - Fixed bugs with Set-Owner
  - Added support for also managing auditing (SACL)
- 2.0 Beta
  - A bunch of new commands: Get-SimpleAccess, Get-SimpleEffectiveAccess, Show-SimpleAccess, Show-SimpleEffectiveAccess, Copy-Access
  - All cmdlets are now written in C#
  - Fixed a number of bugs
- 1.2
  - Fixed some issues with path validation
  - Fixed documentation bugs
- 1.1
  - Fixed the issue with square brackets in paths
  - Performance improvements
- 1.0
  - Last tests did not reveal any issue. PowerShell has a problem handling files that have square brackets in the file name. Therefore this module inherits the issue.
- 0.9 (Beta)
  - Fixed some bugs
  - Updated documentation