Wednesday, 11 March 2015

Get NTFS File Permissions with PowerShell script

We can read the owner and permissions of a file, folders and registry keys with Powershell’s Get-Acl cmdlet. In this article, I am going to write poweshell script samples to read file permissions, folder level permissions and export folder level permissions to csv file.


The below command read and list the permissions of the folder.
Get-Acl -path "C:\Windows"
The above command displays Access Control List as combined text. So the output may not give clear idea about who has what permissions. We can get clear ACL information by expanding the individual ACEs (access control entries) using the parameter expand
Get-Acl -path "C:\Windows" | Select -expand Access 
When you read permissions by using Get-Acl cmdlet, you can notice some of the entries display the number 268435456 as FileSystemRights. This number is nothing but the Full Controll permission. (Powershell can't resolve following special permissions: Modify, Delete, FullControl -> -1610612736, –536805376, and 268435456).

Read NTFS File Permissions with filter in PowerShell:

You can filter files in the provider's format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. The following script get permissions of all the files under the directory C:\Windows.
Get-Acl C:\Windows\*.* | FL
The following script read permissions of all the log files under the directory C:\Windows.
Get-Acl C:\Windows\*.log | FT
The following script read permissions of all the files from the directory C:\Share and its sub-directory by recursively. The where filter $_.PsIsContainer -eq $false excludes the folders and list only files.
Get-ChildItem "C:\Share" -recurse |  where {$_.PsIsContainer -eq $false} | Get-Acl | FT

Read NTFS Folder Level Permissions in PowerShell:

The following PowerShell command read all the sub folders from C:\Share by recursively and list the permissions of the sub folders. The where filter $_.PsIsContainer -eq $true excludes the files and list only folders.
Get-ChildItem "C:\Share" -recurse | where {$_.PsIsContainer -eq $true} | Get-Acl | FT

Export Folder Permissions to CSV with PowerShell:

The following PowerShell script will export all NTFS Folder permissions to a CSV file. Change the $RootPath variable to your own root folder path that you want to export permissions . You can also change the name and location of the CSV file by modifying the $CSV_File_Path variable.
$CSV_File_Path = "C:\Permissions.csv"
$Header = "Folder Path,Identity Name,Access,IsInherited,InheritanceFlags,PropagationFlags"

If (Test-Path $CSV_File_Path){
 Remove-Item $CSV_File_Path

Add-Content -Value $Header -Path $CSV_File_Path 

$RootPath = "C:\Share"

$Folders = Dir $RootPath -recurse | where {$_.PsIsContainer -eq $true}

foreach ($Folder in $Folders){
 $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
 foreach ($ACL in $ACLs){
 $permission = $Folder.Fullname + "," + $ACL.IdentityReference  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
 Add-Content -Value $permission -Path $CSV_File_Path


No comments:

Post a Comment