
How to Manage File System ACLs With PowerShell

Updated Aug 03, 2023


Managing permissions on files and folders can be an enormous time drain for IT professionals. Users have home folders; departments have proprietary folders; projects have unique folders — it goes on and on. Not everyone should have access to every folder, so permissions are crucial. 

Fortunately, PowerShell modules can streamline and automate permission management to save time and improve your organization’s access control practices. 

Did you know?

Scripting languages like Microsoft PowerShell improve permission management efficiency and accuracy while making routine tasks simpler and more reliable.

Changing ACLs for folders and files

There are three stages involved in changing access control lists (ACLs) for files and folders with PowerShell. This is similar to the three-stage process you’d use to remotely invoke applications with PowerShell.

The three stages are outlined below.

1. Getting the current ACL

Before you can change an ACL, you must first access the existing one. There are two ways to do this with PowerShell:

  • Use the Get-Acl cmdlet.
  • Use the GetAccessControl() method of the file or directory object.

Many programmers recommend the GetAccessControl() method. Get-Acl is handy; however, due to some limitations, it’s not quite as smart as GetAccessControl(). For this reason, we’ll show you how to get the current ACL using the GetAccessControl() method.

Here’s how it works:

[Screenshot: ACL code]

You now have the code to find the ACL in a single folder. Next, expand this to find ACLs for all home folders. If you use Get-ChildItem and the Directory parameter to exclude files instead of Get-Item, you can find ACLs on all home folders:

[Screenshot: ACL script example]
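The following is an added example of the two steps just described; it is not the code from the article’s screenshots. It assumes the home folders live under C:\Homefolders (change the path for your server) and runs under Windows PowerShell 5.1, where DirectoryInfo exposes GetAccessControl() as an instance method. In PowerShell 7 that method is a .NET extension method that PowerShell cannot call directly, so substitute Get-Acl there.

```powershell
# Added example, not the article's own code. Assumed path: C:\Homefolders.
$Root = 'C:\Homefolders'
$Path = Join-Path $Root 'jdoe'   # constructed sample folder name

# Stage 1a: read the ACL of a single folder with the .NET method.
# 'Access' asks only for the DACL, so no owner/SACL privileges are required.
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Stage 1b: the same for every home folder. -Directory skips files, so only
# folders are inspected; each ACE is flattened into one row for review.
Get-ChildItem $Root -Directory | ForEach-Object {
    $FolderAcl = $_.GetAccessControl('Access')
    foreach ($Ace in $FolderAcl.Access) {
        [pscustomobject]@{
            Folder    = $_.FullName
            Identity  = $Ace.IdentityReference.Value
            Rights    = $Ace.FileSystemRights
            Type      = $Ace.AccessControlType
            Inherited = $Ace.IsInherited
        }
    }
} | Format-Table -AutoSize
```

Reviewing the IsInherited column before you change anything is worthwhile: entries inherited from the parent folder cannot be removed on the child, so if they grant more than you expect, the fix belongs on the parent (or in breaking inheritance deliberately).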

Bottom line

When writing your script, test it first in a single folder. If it behaves the way you want it to, expand it to more folders with confidence.

2. Modifying the ACL

The next step is modifying the ACL on each folder. You must ensure that the owner of each home folder is the only user with access to their folder. Luckily, the folder owner is also the folder name, which makes checking permissions easy.

[Screenshot: home folders on the file server]

You’ll need to grab that folder name and use it to create another entry in the ACL. Unfortunately, the script will have to get a little more complicated:

  # Enumerate only the folders (not files) under the home-folder root.
  $HomeFolders = Get-ChildItem C:\Homefolders -Directory
  foreach ($HomeFolder in $HomeFolders) {
      $Path = $HomeFolder.FullName
      # Read the current DACL of this folder.
      $Acl = (Get-Item $Path).GetAccessControl('Access')
      # The folder name is the owner's username.
      $Username = $HomeFolder.Name
      # Build an ACE: Modify for the owner, inherited by subfolders and files.
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
      # Add (or replace) the owner's rule in the ACL and write it back to disk.
      $Acl.SetAccessRule($Ar)
      Set-Acl -Path $Path -AclObject $Acl
  }

Pay particular attention to the following line in the script — it can be more challenging to comprehend:

  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

3. Setting the new ACL

Access control entries (ACEs) are the individual rights inside an ACL. An ACE can also be called a FileSystemAccessRule. This is a .NET object that has five parameters:

  1. Security identifier ($Username)
  2. The right (Modify)
  3. Inheritance settings (ContainerInherit,ObjectInherit), which force all folders and files underneath the folder to inherit its new permissions.
  4. Propagation settings (None). This parameter means nothing will interfere with the inheritance settings.
  5. Type (Allow).

The remaining lines take the $Ar FileSystemAccessRule object, add it to the ACL, and commit the ACL back to the disk. The way this script commits is similar to the process of installing Windows patches with PowerShell — another example of how PowerShell is great for system admin tasks.

If you use GetAccessControl() and Set-Acl, you can perform any number of other actions on ACLs, such as adding new ones as explained above, as well as removing old ones or modifying existing ACLs. 
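Here is an added example, not the article’s code, that puts the three stages together for the scenario the article uses: each home-folder owner gets Modify, administrators get Full Control, and any other explicit entry is reported and, only when you ask for it, removed. It assumes the folders live under C:\Homefolders, that the folder name is the owner’s account name in the domain given by $env:USERDOMAIN, and Windows PowerShell 5.1 (see the note on GetAccessControl() above). The -Fix switch and the $Expected list are this example’s own conventions.

```powershell
# Added example, not the article's own code. Save as Audit-HomeFolderAcl.ps1.
# Assumptions: home folders under C:\Homefolders; folder name == account name.
param(
    [string] $Root   = 'C:\Homefolders',
    [string] $Domain = $env:USERDOMAIN,   # accounts are assumed to be DOMAIN\username
    [switch] $Fix                          # without -Fix the script only reports
)

$AdminGroup = 'BUILTIN\Administrators'
$System     = 'NT AUTHORITY\SYSTEM'       # keep SYSTEM; backup and AV agents rely on it

foreach ($HomeFolder in Get-ChildItem $Root -Directory) {
    $Path     = $HomeFolder.FullName
    $Owner    = "$Domain\$($HomeFolder.Name)"
    $Expected = @($Owner, $AdminGroup, $System)

    # Stage 1: read the current DACL.
    $Acl = $HomeFolder.GetAccessControl('Access')

    # Only explicit (non-inherited) ACEs can be removed here; inherited ones
    # come from the parent and have to be corrected there.
    $Unexpected = $Acl.Access | Where-Object {
        -not $_.IsInherited -and ($Expected -notcontains $_.IdentityReference.Value)
    }

    foreach ($Ace in $Unexpected) {
        Write-Warning "$Path grants $($Ace.FileSystemRights) to $($Ace.IdentityReference.Value)"
        if ($Fix) {
            # Stage 2 (removal): drop every explicit rule for that identity.
            [void] $Acl.PurgeAccessRules($Ace.IdentityReference)
        }
    }

    if ($Fix) {
        # Stage 2 (addition): owner -> Modify, administrators -> FullControl,
        # both inherited by subfolders (ContainerInherit) and files (ObjectInherit).
        $OwnerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Owner, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $AdminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $AdminGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $Acl.SetAccessRule($OwnerRule)
        $Acl.SetAccessRule($AdminRule)

        # Stage 3: commit the modified ACL back to the folder.
        Set-Acl -Path $Path -AclObject $Acl
    }
}
```

Run it once without -Fix and read the warnings; that is the single-folder test the article recommends, applied to the whole tree before anything is written. SetAccessRule replaces an identity’s existing Allow rule rather than stacking a second one, so re-running the script is safe, and because inherited entries are left alone the script never silently widens or narrows access that is governed higher up.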

Did you know?

The FileSystemAccessRule object in PowerShell is a set of access control rights for users or groups. This is one of a number of .NET objects that PowerShell can interact with.

The benefits of using PowerShell to manage file system ACLs

Using PowerShell to manage file system ACLs has two distinct advantages: 

  • Saving time. PowerShell streamlines the process of managing file system permissions, which saves you time and headaches. 
  • Improving security. PowerShell can help you increase business security through access control. 

1. PowerShell can streamline the process of managing file system ACLs. 

Changing permissions on a single folder is a cinch in Windows:

  • Right-click a folder.
  • Go to Security.
  • Change the folder’s permissions.

[Screenshot: Security tab permissions for a test folder]

But when you’ve got thousands of folders to change, this process becomes impractical and a huge time drain for IT professionals. 

For example, say you have a company file server that houses all employees’ home folders. Each employee must have Modify access to their folder, and administrators must have Full Control over all folders. You may have the server built and all folders created, but you then have the monumental task of ensuring NTFS permissions are set correctly on each folder. 

PowerShell automates this process and saves your IT team valuable time. 

2. PowerShell permissions can boost your organization’s security.

Ensuring only the right people have access permissions to file servers keeps your IT infrastructure compliant with GDPR and HIPAA. Additionally, it helps protect against data breaches by ensuring the wrong people don’t access your customers’ sensitive data and financial information.

PowerShell can manage file system ACLs to make ensuring correct permissions and protecting your organization’s data easy. 

Mark Fairlie contributed to this article.

Adam Bertram
Contributing Writer
Adam Bertram is a 20-year veteran of IT and experienced online business professional. He's an entrepreneur, IT influencer, Microsoft MVP, blogger, trainer and content marketing writer for multiple technology companies. Adam is also the founder of the popular IT career development platform TechSnips. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn, or follow him on Twitter at @adbertram or the TechSnips Twitter account at @techsnips_io.