File System Security PowerShell Module 4.2.4

Allows a much easier management of permissions on files and folders using PowerShell

  • Runtime version
    2 Posts | Last post July 11, 2019
    • I'm running this on some 2008 R2 servers and was receiving this error when importing the module: 
      Add-Type : Could not load file or assembly 'file:///C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ntfssecurity\Security2.dll' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.
      I was able to resolve this error by following the instructions found here about adding supported runtimes:
      However, after importing the NTFSSecurity module now, the only commands that show up when running Get-Command -Module NTFSSecurity are the 4 aliases that the module creates (de12, dir2, gi2, rm2)
      No cmdlets containing NTFS are returned.
    • NTFSSecurity v4.2.4 has been compiled with .Net 4.0, so does not support PowerShell 2.0, it requires PowerShell 3.0 (which uses .Net 4.0). NTFSSecurity v4.2.3 was compiled with an older version of .Net, so works with PowerShell 2.0.
      I've logged a bug about this
  • Apply permissions recursively
    1 Posts | Last post June 13, 2019
    • Is there a way to apply folder permissions to all files in the folder that were created prior to the permission change? I've taken ownership of a folder and applied permissions, but those permissions are not applied to the files within the folders and I need to fix that. I'm dealing with about 8700 files and folders, so doing it manually isn't really an option. Thanks!
  • [get-childitem], export-csv
    3 Posts | Last post May 20, 2019
    • Hi,
      When I use [get-item "path" | get-ntfsaccess] I get the "applies to" information, but when I use export-csv this information disappears in the csv file.
      It works fine with out-file but it's not what I'm looking for...
      I tried [Update-TypeData -Force -TypeName Security2.FileSystemAccessRule2 -MemberType ScriptProperty -MemberName AppliesTo -Value {    [Security2.FileSystemSecurity2]::ConvertToApplyTo($_InheritanceFlags, $_PropagationFlags)}]
      The column "applies to" is now showing in the csv file but is empty...
      Do you have a solution?
    • Hi,
      Did you find a solution?
      I'm having the same problem :(
      Get-ChildItem2 "\\server\sharename" -Recurse | Get-NTFSAccess -ExcludeInherited |select FullName, Account, AccessRights, InheritanceFlags, AccessControlType, InheritanceEnabled | Out-GridView -PassThru | Export-Csv -path "$scriptPath\acl_excludeInherited.csv" -Delimiter ";" -NoTypeInformation
      But I can't select AppliesTo :(
      PropagationFlags and InheritanceFlags are not really user-friendly ;)
    • I think I have the solution.
      Get-ChildItem2 "\\server\sharename" -Recurse | Get-NTFSAccess -ExcludeInherited |Select-Object FullName, Account, AccessRights, @{n="AppliesTo";e={[Security2.FileSystemSecurity2]::ConvertToApplyTo($_.InheritanceFlags, $_.PropagationFlags)}}, AccessControlType, InheritanceEnabled | Out-GridView -PassThru | Export-Csv -path "$scriptPath\acl_excludeInherited.csv" -Delimiter ";" -NoTypeInformation
      Thank you for the preparatory work --> [Security2.FileSystemSecurity2]::ConvertToApplyTo($_InheritanceFlags, $_PropagationFlags)
  • Run on 2008 R2?
    1 Posts | Last post April 16, 2019
    • Has anyone been able to run this on 2008R2 servers?
  • Get-ChildItem2 failure
    1 Posts | Last post March 05, 2019
    • Get-ChildItem2 -Path <UNC-PATH> 
      shows error:
      Get-ChildItem2 : (3) The target directory is a file, not a directory: [UNC-PATH]
          + CategoryInfo          : NotSpecified: (<UNC-PATH>:String) [Get-ChildItem2], DirectoryNotFoundException
          + FullyQualifiedErrorId : DirUnspecifiedError,NTFSSecurity.GetChildItem2
      Get-ChildItem -Path <UNC-PATH> 
      runs without problem. 
      What should I do?
  • Change existing permissions
    1 Posts | Last post February 26, 2019
    • Hello, 
      I recommend that a command "Set-NTFSAccess" be added to the module to be able to make changes to existing explicit permissions. 
      In my testing, if I do:
      Add-NTFSAccess -Path $Path -Account $Account -AccessRights ReadAndExecute
      and then do:
      Add-NTFSAccess -Path $Path -Account $Account -AccessRights FullControl
      The result is the account now has Full Control. 
      If I do those same commands but in reverse order, the result is the account still has Full Control. 
      I performed the same kind of test using -AppliesTo with the same kind of results.
      If I first do -AppliesTo ThisFolderOnly and then do -AppliesTo ThisFolderSubfoldersAndFiles. It works great. 
      But then if I do it in reverse, the result is the account still shows Applies To as ThisFolderSubfoldersAndFiles. 
      Basically, you can edit the existing permissions granting MORE rights, but not LESS. 
      I assume the only way to go with LESS rights, is to first use Remove-NTFSAccess and then add the lesser rights. Is that correct?  
      (I am performing my testing on Win Server 2012 R2 in PowerShell ISE version 5.1.14409.1012)
      Any thoughts on adding a Set-NTFSAccess to change existing permissions?
      Thanks a ton!
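The remove-then-add sequence the post above asks about, as an added example that is not part of the thread or of the module. `Set-ExplicitNtfsAccess` is a hypothetical wrapper, `D:\test` and `CONTOSO\AppReaders` are constructed placeholders, and the code assumes the behaviour the poster reports (adding on top of an existing ACE does not reduce it).

```powershell
Import-Module NTFSSecurity

function Set-ExplicitNtfsAccess {    # hypothetical wrapper, not a module cmdlet
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$AccessRights,
        [string]$AppliesTo = 'ThisFolderSubfoldersAndFiles'
    )

    # Render explicit ACEs as "rights / applies-to" text, using the
    # ConvertToApplyTo call quoted elsewhere on this page.
    $describe = {
        param($aces)
        ($aces | ForEach-Object {
            $scope = [Security2.FileSystemSecurity2]::ConvertToApplyTo($_.InheritanceFlags, $_.PropagationFlags)
            "$($_.AccessRights) / $scope"
        }) -join '; '
    }

    # Only explicit ACEs can be removed on this object; inherited ones are
    # controlled by the parent and are left untouched.
    $before = @(Get-NTFSAccess -Path $Path -Account $Account -ExcludeInherited)

    if ($PSCmdlet.ShouldProcess($Path, "Replace $($before.Count) explicit ACE(s) for $Account with $AccessRights")) {
        # Remove first, so the broader grant cannot survive the change.
        $before | Remove-NTFSAccess
        # The account holds no explicit access between these two calls.
        Add-NTFSAccess -Path $Path -Account $Account -AccessRights $AccessRights -AppliesTo $AppliesTo
    }

    # Return old and new explicit ACEs side by side for the change record.
    $after = @(Get-NTFSAccess -Path $Path -Account $Account -ExcludeInherited)
    [pscustomobject]@{
        Path    = $Path
        Account = $Account
        Before  = & $describe $before
        After   = & $describe $after
    }
}

# Preview the downgrade from FullControl without touching the ACL.
Set-ExplicitNtfsAccess -Path 'D:\test' -Account 'CONTOSO\AppReaders' `
    -AccessRights ReadAndExecute -AppliesTo ThisFolderOnly -WhatIf
```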
  • Problem with load module, powershell 6
    3 Posts | Last post February 25, 2019
    • > Import-Module NTFSSecurity
      Import-Module : Could not load file or assembly 'System.Windows.Forms, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.
      At line:1 char:1
      + Import-Module NTFSSecurity
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : NotSpecified: (:) [Import-Module], FileNotFoundException
      + FullyQualifiedErrorId : System.IO.FileNotFoundException,Microsoft.PowerShell.Commands.ImportModuleCommand
    • Name                           Value
      ----                           -----
      PSVersion                      6.1.0
      PSEdition                      Core
      GitCommitId                    6.1.0
      OS                             Microsoft Windows 6.1.7601 S
      Platform                       Win32NT
      PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
      PSRemotingProtocolVersion      2.3
      WSManStackVersion              3.0
    • If ((Get-Item2 $Filename -ErrorAction SilentlyContinue).Name) {
         Write-Host "file exists"
      }
  • Verified for Windows 10?
    1 Posts | Last post December 12, 2018
    • Greetings -- is this module verified to work with Windows 10?  The list at the bottom of the module page says no.  Thanks!
  • Why doesn't it work if there are spaces in the Group name
    1 Posts | Last post December 01, 2018
    • Why doesn't it work, if there are spaces in the group name, the top example works, but I only need the "Access Rights". The bottom example doesn't work at all and returns nothing.
      Get-NTFSAccess -Path \\netapp\some_share | Where-Object Account -EQ 'USERDomain\SomeGroup All RO'
      Get-NTFSAccess -Path \\netapp\some_share -Account 'USERDomain\SomeGroup All RO' 
  • Getting a weird error when trying to remove existing security
    7 Posts | Last post November 02, 2018
    • I run into an issue where very specific permissions cannot be removed
      For a folder
      Account                             Access Rights  Applies to                Type           IsInherited   InheritedFrom
      -------                             -------------  ----------                ----           -----------   -------------
      S-1-5-21-2063348182-1302487865-4... GenericAll     FilesOnly                 Allow          False
      Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
      Code is reading the security entries, selecting specific unwanted entries and tries to remove them by passing them with '$entry | remove-ntfsaccess'
    • I'm getting the same error message.  It seems to be limited to the "GenericAll" AccessRight.  For me, I'm seeing the error if I try to remove the ACE for "Creator Owner" that is, by default, granted "Generic All" to "SubfoldersAndFiles".
    • For the record, I did confirm that I'm using the 4.2.3 version of the module
    • Can you help me reproduce the issue? I have tried this but it worked as expected:
      I have given an account permissions by using the enum value directly and Get-NTFSAccess showed that the permissions were added:
      Add-NTFSAccess -Path D:\test -Account install -AccessRights 269484032
      Get-NTFSAccess -Path D:\test -Account install
      Account                             Access Rights                Applies to            
      -------                             -------------                ----------            
      RAANDREE1\Install                   FullControl                  ThisFolderOnly        
      RAANDREE1\Install                   Synchronize, GenericAll      SubfoldersAndFilesOnly
      Piping the ACE to Remove-NTFSAccess worked as well as providing the values by parameters:
      Get-NTFSAccess -Path D:\test -Account install | Remove-NTFSAccess
      Remove-NTFSAccess -Path D:\test -Account install -AccessRights 269484032
    • I get this same error when trying to remove 'Creator Owner'
      Get-NTFSAccess -Path E:\inetpub\wwwroot\APP -Account 'Creator Owner'  | Remove-NTFSAccess
      Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
      Parameter name: fileSystemRights
    • I can also get this error (same folder, different user or group)
      Remove-NTFSAccess : The value '-1609564160' is not valid for this usage of the type FileSystemRights.
    • Hi, I am facing the same issue.. created a DATA folder on D:\ , disabled Inheritance and tried to remove Creator Owner. 
      Remove-NTFSAccess -Path G:\Data -Account "CREATOR OWNER" -AccessRights FullControl
      - No error appeared, but account didn't disappear from ACL list
      Get-NTFSAccess .... |Remove-NTFSAccess Failed with error: Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
      As a workaround I changed the order for new permissions:
      1. Add new permissions for System, Administrators, domain users
      2. Disable Inheritance with RemoveInheritedAccessRules flag
      - In this case, CreatorOwner disappears and ACL contains System, Admins and domain users only
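Decoding the two raw values from the error messages in this thread, as an added example that is not part of any post or of the module. Both values carry generic ACCESS_MASK bits, which lie above `FullControl` (0x1F01FF), the largest value the .NET `FileSystemRights` enumeration defines. `ConvertFrom-AccessMask` is a hypothetical helper name.

```powershell
# Generic ACCESS_MASK bits and the file-specific rights Windows maps each
# one to (FILE_GENERIC_READ/WRITE/EXECUTE, FILE_ALL_ACCESS), as hex strings.
$GenericMap = [ordered]@{
    GENERIC_READ    = @('80000000', '00120089')
    GENERIC_WRITE   = @('40000000', '00120116')
    GENERIC_EXECUTE = @('20000000', '001200A0')
    GENERIC_ALL     = @('10000000', '001F01FF')
}
# Largest mask the .NET FileSystemRights enum defines (0x1F01FF).
$FullControl = [long][System.Security.AccessControl.FileSystemRights]::FullControl

function ConvertFrom-AccessMask {    # hypothetical helper, not an NTFSSecurity cmdlet
    param([Parameter(Mandatory)][long]$Value)

    # The error prints the mask as a signed Int32; reinterpret it as unsigned.
    $mask     = $Value -band 4294967295
    $generic  = @()
    $specific = $mask -band $FullControl      # bits FileSystemRights understands
    foreach ($name in $GenericMap.Keys) {
        $bit = [Convert]::ToInt64($GenericMap[$name][0], 16)
        if ($mask -band $bit) {
            $generic += $name
            # Fold the generic bit into its file-specific equivalent.
            $specific = $specific -bor [Convert]::ToInt64($GenericMap[$name][1], 16)
        }
    }

    [pscustomobject]@{
        Value        = $Value
        Hex          = '0x{0:X8}' -f $mask
        GenericBits  = $generic -join ', '
        # False: the raw value has bits outside the FileSystemRights range.
        InEnumRange  = (($mask -band (-bnot $FullControl)) -eq 0)
        MappedRights = [System.Security.AccessControl.FileSystemRights][int]$specific
    }
}

# The two values quoted in the error messages above.
269484032, -1609564160 |
    ForEach-Object { ConvertFrom-AccessMask -Value $_ } |
    Format-Table -AutoSize
```

The `MappedRights` column gives the specific rights an ACE with those generic bits is equivalent to on a file or folder, which is the form an audit or a replacement ACE should use.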