How to Manage File System ACLs With PowerShell

Adjusting permissions on thousands of folders can be time-consuming without PowerShell.

Written by: Adam Bertram, Senior Writer
Updated Dec 03, 2024
Gretchen Grunburg, Senior Editor

Managing permissions on files and folders can be an enormous time drain for IT professionals. Users have home folders, departments have proprietary folders, projects have unique folders — the list goes on and on. Not everyone should have access to every folder, so permissions are crucial. 

Fortunately, PowerShell modules can streamline and automate file system access control lists (ACLs) and permission management, saving time and improving your organization’s access control practices. 

Did You Know?
Scripting languages like Microsoft PowerShell can enhance permission management efficiency and accuracy while making routine tasks simpler and more reliable.

What makes PowerShell suitable for managing file system ACLs

According to Jason Wingate, the CEO of marketing firm Emerald Ocean Ltd. and a veteran of enterprise IT implementations, managing file system ACLs and permissions properly isn’t just about keeping things secure — it also keeps your business running smoothly. “PowerShell is essential for handling permissions at scale without [messing] things up,” Wingate said. 

Parv Sangha, senior solutions architect at engineering and professional services firm WSP, agrees that PowerShell can help you manage permissions efficiently through a clear and straightforward process. “I like using PowerShell to manage folder and file permissions because automation saves time, especially when working with large or complex folder structures,” Sangha said.

While PowerShell is a powerful tool for managing file system permissions, Joey D’Antoni, principal cloud architect and Microsoft Data Platform MVP at DesignMind, suggests it isn’t always the first choice. 

“PowerShell is but one tool in the stack here—it gives you a framework for managing file system permissions, but I wouldn’t say it’s a go-to solution overall. For example, if I needed to do the functional equivalent of a chmod in Windows I can do ICACLS (Set-ACL), but I’ve been writing PowerShell for over a decade and I’ve rarely used it. The better tools for that in the Windows ecosystem are Active Directory group policy and the use of dynamic groups.”

How to change ACLs for folders and files with PowerShell

The process of changing ACLs for folders and files with PowerShell involves three stages, similar to the process used to remotely invoke applications with PowerShell.

D’Antoni advises taking an incremental approach when making ACL changes. “Be careful—changing file system permissions at scale is one of the easiest ways to break a critical service like SQL Server—or any other service that’s running that may be connecting to files that the service depends on,” he said. “It’s best to work incrementally and test a lot before deploying large ACL changes.”

The three stages are outlined below.

1. Getting the current ACL

Before you can change an ACL, you must first access the existing one. 

There are two ways to access the existing ACL with PowerShell:

  • The Get-Acl method
  • The GetAccessControl() method

Many programmers recommend the GetAccessControl() method. Get-Acl is handy, but, due to some limitations, it’s not quite as robust as GetAccessControl(). For that reason, we’ll show you how to get the current ACL using the GetAccessControl() method.

Here’s how it works:

ACL code

You now have the code to find the ACL on a single folder. Next, expand it to find ACLs for all home folders. If you replace Get-Item with Get-ChildItem and its Directory parameter, which excludes files, you can find ACLs on all home folders.

ACL script example

Tip
When writing your script, test it first on a single folder. If it behaves as expected, you can confidently expand it to include more folders.
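
The following is an added example, not the article's own code: it reads the ACL of one folder with GetAccessControl(), then expands to every home folder and writes the access rules to a CSV report for review. It assumes Windows PowerShell 5.1 (where directory objects expose GetAccessControl() as a method), a hypothetical folder named jsmith, and the C:\Homefolders path used later in the article.

```powershell
# Added example. Assumes Windows PowerShell 5.1; 'jsmith' and the CSV name are hypothetical.
$Root = 'C:\Homefolders'

# Single folder first: read only the access rules (DACL), not owner or audit data.
$Acl = (Get-Item (Join-Path $Root 'jsmith')).GetAccessControl('Access')
$Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Then every home folder: -Directory excludes files.
$Report = foreach ($Folder in Get-ChildItem $Root -Directory) {
    try {
        $Acl = $Folder.GetAccessControl('Access')
    } catch {
        Write-Warning "Cannot read ACL on $($Folder.FullName): $($_.Exception.Message)"
        continue
    }
    # Include both explicit and inherited rules, with identities shown as account names.
    foreach ($Ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        # Identities usually look like DOMAIN\name; compare only the account part.
        $Account = ($Ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Folder       = $Folder.FullName
            Identity     = $Ace.IdentityReference.Value
            Rights       = $Ace.FileSystemRights
            Type         = $Ace.AccessControlType
            Inherited    = $Ace.IsInherited
            MatchesOwner = ($Account -eq $Folder.Name)
        }
    }
}

# Full report for the data owner, plus a quick view of explicit rules
# granted to someone other than the folder's namesake.
$Report | Export-Csv -Path .\HomefolderAcl.csv -NoTypeInformation
$Report | Where-Object { -not $_.MatchesOwner -and -not $_.Inherited } |
    Format-Table -AutoSize
```

This script only reads permissions, so it is safe to run before any change is planned.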

2. Modifying the ACL

The next step is modifying the ACL on each folder. You must ensure that the owner of each home folder is the only user with access to their folder. Luckily, the folder owner is also the folder name, which makes checking permissions straightforward.

You’ll need to grab that folder name and use it to create another entry in the ACL. Unfortunately, the script will have to get a little more complicated.

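# Every subfolder of C:\Homefolders is one user's home folder
$HomeFolders = Get-ChildItem C:\Homefolders -Directory

foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName
    # Read only the access rules of the folder
    $Acl = (Get-Item $Path).GetAccessControl('Access')
    # The folder name is also the owner's username
    $Username = $HomeFolder.Name
    # Build an ACE that allows the owner Modify rights, inherited by subfolders and files
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    # Add the ACE to the ACL and commit the ACL back to disk
    $Acl.SetAccessRule($Ar)
    Set-Acl -Path $Path -AclObject $Acl
}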

Pay particular attention to the following line in the script. It can be more challenging to understand.

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

Sangha emphasized that PowerShell scripts must be robust and reliable when adjusting permissions. “When developing scripts, be sure to include error handling to prevent them from crashing during execution,” he said. “I always prefer logging failures and errors to a separate file, making it easier to review and address them.”

3. Setting the new ACL

Access control entries (ACEs) are the individual rights inside an ACL. An ACE can also be called a FileSystemAccessRule. This is a .NET object that has five parameters:

  1. Security identifier: ($Username)
  2. The right: (Modify)
  3. Inheritance settings: (ContainerInherit,ObjectInherit) — forces all folders and files underneath the folder to inherit its new permissions
  4. Propagation settings: (None) — ensures nothing interferes with the inheritance settings
  5. Type: (Allow)

The remaining lines take the $Ar FileSystemAccessRule object, add it to the ACL, and commit the ACL back to the disk. This script’s commit process is similar to installing Windows patches with PowerShell — another example of how PowerShell is great for system admin tasks.

Using GetAccessControl() and Set-Acl, you can perform various actions on ACLs, such as adding new ones (as explained above), removing old ones, or modifying existing ones. 

Sangha recommends testing changes with the -WhatIf parameter to prevent mistakes. “In the past, I’ve been asked to provide NTFS permission reports for auditing purposes,” he said. “With a simple PowerShell script, I was able to recursively loop through a folder and export the access permissions to a CSV file. The data owner reviewed the CSV file, identified unnecessary permissions, and we cleaned it up with another PowerShell script.”

Wingate also recommends using the -WhatIf parameter. “When I was implementing warehouse management systems, one wrong permission could shut down operations completely,” he said. “That’s why I love PowerShell’s -WhatIf parameter. It lets us test changes before they go live. This feature has stopped so many potential disasters by allowing us to see what would happen before making any actual changes.”

D’Antoni notes that automating access rule management with PowerShell can be particularly helpful in certain environments. “In an environment that was managed manually, it could be very useful to automate using PowerShell and also provide a good backup for auditing user access,” he explained. “Where this can be helpful is in newer environments where Active Directory doesn’t exist, as Intune does not natively support granular file share permissions, meaning that admins tend to have to script out more of their workflows.”

Did You Know?
The FileSystemAccessRule object in PowerShell is a set of access control rights for users or groups. It is one of several .NET objects that PowerShell can interact with.

The benefits of using PowerShell to manage file system ACLs

Using PowerShell to manage file system ACLs can help you save time and improve business security. Below are more details about these advantages.

1. PowerShell can streamline the process of managing file system ACLs. 

Changing permissions on a single folder is a cinch in Windows.

  • Right-click a folder.
  • Go to Security.
  • Change the folder’s permissions.

But when you have thousands of folders to change, that process becomes impractical and a huge time drain for IT professionals. 

Say, for example, you have a company file server that houses all employees’ home folders. Each employee must have Modify access to their folder, and administrators must have Full Control over all folders. Even if the server is built and all folders are created, you still face the monumental task of ensuring NTFS permissions are set correctly on each folder. 

PowerShell automates that process and saves your IT team valuable time. “PowerShell can handle large-scale changes while keeping everything precise,” Wingate said. “In enterprise systems, you need both speed and accuracy. PowerShell gives you both, plus a clear record of what changed. That’s why it’s become such a critical tool in managing IT infrastructure.”

2. PowerShell permissions can boost your organization’s security.

Ensuring that only the right people have access permissions to file servers helps keep your IT infrastructure compliant with GDPR and HIPAA laws. Additionally, it helps protect your business from data breaches by preventing unauthorized access to sensitive customer data and financial information.

PowerShell can efficiently and effectively manage file system ACLs, making it easier to ensure correct permissions and safeguard your organization’s data.

Best practices for managing file system ACLs with PowerShell

Our experts offered the following advice: 

  • Prepare and research before beginning. Wingate stressed that newer PowerShell users should research and prepare before changing file system ACLs. “Start by reading and understanding current permissions,” he said. “Get really comfortable and build test cases. The time you spend testing is nothing compared to the nightmare of fixing permission mistakes.” D’Antoni explains, “Managing file system ACLs is just one step of many to help prevent lateral movement by an attacker as well as protect sensitive data against insider threats. Following the principle of least privileges is always a best practice in terms of IT security.”
  • Test and implement backup strategies. Sangha recommends that new users test and implement backup strategies. “Always test your scripts before executing them in production, and be sure to back up existing ACLs using the Export-Clixml cmdlet,” he said. “In the event you need to roll back changes, you can reapply the original ACLs using the Import-Clixml cmdlet.” Wingate agrees that backing up permissions is crucial. “Always back up your permissions first,” he said. “I’ve seen too many admins skip this step and regret it.”
  • Don’t rush the process. Wingate emphasized that rushing changes can lead to significant issues. “I once watched an admin try to fix permissions across thousands of files without proper validation,” he said. “It took a long time to clean up that mess. That’s why I always insist on thorough sandbox testing before touching production.”
  • Document the process. Wingate also stressed the importance of documentation. “Document everything with detailed logs too,” he said. “You’ll thank yourself during audits and troubleshooting.”
  • Plan ahead. Sangha emphasized that planning ahead for script execution is key. “Don’t underestimate the time it takes for your scripts to run,” he said. “Spend time benchmarking and estimating execution times so you can plan your deployments accordingly. Keep in mind that large folder structures with deep hierarchies and complex ACL rules will take more time to process.”
  • Avoid doing too much at once. D’Antoni highlights a key mistake that users should avoid: “I think trying to do too much at once or trying to clean up permissions before fully understanding the impact. That’s the most common mistake I’ve seen across clients in this space, whether it be Windows or Linux, PowerShell or Security.” He advises taking a measured approach and fully assessing potential changes before implementation to save significant time and effort later.
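
The advice above on backups, together with the earlier points on error logging and -WhatIf, can be combined into one script. This is an added example, not the article's own code; it assumes Windows PowerShell 5.1, and the function names, file names and default paths are hypothetical.

```powershell
# Added example, not the article's script. Assumes Windows PowerShell 5.1.
# Function names, file names and defaults below are hypothetical.
function Set-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Root     = 'C:\Homefolders',
        [string]$Backup   = '.\HomefolderAcl-backup.xml',
        [string]$ErrorLog = '.\HomefolderAcl-errors.log'
    )
    # Abort before any change if the backup cannot be completed.
    $ErrorActionPreference = 'Stop'
    $Folders = Get-ChildItem $Root -Directory

    # Save each folder's access rules as SDDL text; runs even under -WhatIf.
    $Folders | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Sddl = $_.GetAccessControl('Access').GetSecurityDescriptorSddlForm('Access')
        }
    } | Export-Clixml -Path $Backup -WhatIf:$false

    foreach ($Folder in $Folders) {
        try {
            $Acl = $Folder.GetAccessControl('Access')
            $RuleArgs = $Folder.Name, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
            $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $RuleArgs
            $Acl.SetAccessRule($Ar)
            # Set-Acl inherits -WhatIf from this function and only reports the change.
            Set-Acl -Path $Folder.FullName -AclObject $Acl
        } catch {
            # One bad folder (e.g. no matching account) is logged, not fatal.
            "$(Get-Date -Format o) $($Folder.FullName) $($_.Exception.Message)" |
                Add-Content -Path $ErrorLog -WhatIf:$false
        }
    }
}

function Restore-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Backup = '.\HomefolderAcl-backup.xml')
    foreach ($Entry in Import-Clixml -Path $Backup) {
        $Acl = (Get-Item $Entry.Path).GetAccessControl('Access')
        $Acl.SetSecurityDescriptorSddlForm($Entry.Sddl, 'Access')
        Set-Acl -Path $Entry.Path -AclObject $Acl
    }
}

Set-HomeFolderAcl -WhatIf   # dry run first; rerun without -WhatIf to apply
```

Restore-HomeFolderAcl reapplies the saved access rules from the backup file and also accepts -WhatIf.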

Mark Fairlie contributed to this article. 

Adam Bertram is an IT expert and business owner who has spent decades advising on network administration and security, designing and building infrastructure, and creating and teaching courses on Windows Server, PowerShell and more. While maintaining his own IT business, he has provided hands-on DevOps services for clients like JPMorgan Chase. At business.com, Adam covers the ins and outs of PowerShell, helping companies improve their Windows configurations and automations. Bertram, who has a degree in computer science, holds Microsoft, Cisco and CompTIA credentials. He has written numerous tutorials, guides and books, including "Building Better PowerShell Code: Applying Proven Practices One Tip at a Time."