Get NTFS File Permissions with PowerShell script

We can read the owner and permissions of a file, folders and registry keys with Powershell’s Get-Acl cmdlet. In this article, I am going to write poweshell script samples to read file permissions, folder level permissions and export folder level permissions to csv file.

The below command read and list the permissions of the folder.

Get-Acl -path "C:\Windows"

The above command displays Access Control List as combined text. So the output may not give clear idea about who has what permissions. We can get clear ACL information by expanding the individual ACEs (access control entries) using the parameter expand

Get-Acl -path "C:\Windows" | Select -expand Access

When you read permissions by using Get-Acl cmdlet, you can notice some of the entries display the number 268435456 as FileSystemRights. This number is nothing but the Full Controll permission. (Powershell can’t resolve following special permissions: Modify, Delete, FullControl -> -1610612736, –536805376, and 268435456).

Read NTFS File Permissions with filter in PowerShell

You can filter files in the provider’s format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. The following script get permissions of all the files under the directory C:\Windows.

Get-Acl C:\Windows\*.* | FL

The following script read permissions of all the log files under the directory C:Windows.

Get-Acl C:\Windows\*.log | FT

The following script read permissions of all the files from the directory C:Share and its sub-directory by recursively. The where filter $_.PsIsContainer -eq $false excludes the folders and list only files.

Get-ChildItem "C:\Share" -recurse |  where {$_.PsIsContainer -eq $false} | Get-Acl | FT

Read NTFS Folder Level Permissions in PowerShell

The following PowerShell command read all the sub folders from C:Share by recursively and list the permissions of the sub folders. The where filter $_.PsIsContainer -eq $true excludes the files and list only folders.

Get-ChildItem "C:\Share" -recurse | where {$_.PsIsContainer -eq $true} | Get-Acl | FT

Export Folder Permissions to CSV with PowerShell

The following PowerShell script will export all NTFS Folder permissions to a CSV file. Change the $RootPath variable to your own root folder path that you want to export permissions . You can also change the name and location of the CSV file by modifying the $CSV_File_Path variable.

$CSV_File_Path = "C:\Permissions.csv"
$Header = "Folder Path,Identity Name,Access,IsInherited,InheritanceFlags,PropagationFlags"

If (Test-Path $CSV_File_Path){
 Remove-Item $CSV_File_Path
}

Add-Content -Value $Header -Path $CSV_File_Path 

$RootPath = "C:\Share"

$Folders = Dir $RootPath -recurse | where {$_.PsIsContainer -eq $true}

foreach ($Folder in $Folders){
 $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
 foreach ($ACL in $ACLs){
 $permission = $Folder.Fullname + "," + $ACL.IdentityReference  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
 Add-Content -Value $permission -Path $CSV_File_Path
 }}

3 thoughts on “Get NTFS File Permissions with PowerShell script”

Anonymous

November 21, 2018 at 10:46 pm

It would be fun to update this so that if the child permission is the same as the parent, then the add-content is skipped.
Jeff Sepeta

November 2, 2021 at 8:36 pm

typo
Get-Acl C:Windows*.* | FL

should be
Get-Acl C:\Windows\*.* | FL
- Morgan
  
  November 15, 2021 at 12:09 pm
  
  Thank you. Updated now.

Summary:

Read NTFS File Permissions with filter in PowerShell

Read NTFS Folder Level Permissions in PowerShell

Export Folder Permissions to CSV with PowerShell

Share this:

Related Posts

3 thoughts on “Get NTFS File Permissions with PowerShell script”

Leave a Comment Cancel reply