PowerShell Script: Setting NTFS Permissions in Bulk
Today I wrote this PowerShell script to apply the same set of NTFS permissions for a particular user or group to a list of folders. It reads the list of folders from a file specified by a parameter and applies the permission, which is also specified by parameters. The usage is as follows:
.\BulkSet-NTFSPermissions.ps1 -FolderListFile x:\xxxx\xxxx.txt -SecIdentity "Domain\Group" -AccessRights "FullControl" -AccessControlType "Allow"
- FolderListFile: a flat text file containing the list of paths that the NTFS permission needs to be applied to. It needs to list one folder per line. The path can be an absolute local path such as C:\temp or a UNC path such as \\computer\C$\temp.
- SecIdentity: The security identity (such as a user account or a security group) the permission is applied for.
- AccessRights: type of access rights, such as FullControl, Read, ReadAndExecute, Modify, etc.
- AccessControlType: Allow or Deny
This script checks the existing permission before applying the new one. If the user / group already has the specified permission on a folder from the list, it skips this folder and moves to the next one. I had to use this script to grant a group full control rights to over 9000 folders. It only took around 40 minutes to run. I was very impressed!
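The script itself is not reproduced on this page. The following is an added sketch of the check-then-apply logic described above, not the author's BulkSet-NTFSPermissions.ps1; it reuses the parameter names from the usage line. The inheritance flags (apply to subfolders and files) and the choice to count inherited entries as "already has the permission" are assumptions.

```powershell
# Added example: idempotent bulk ACL change, one folder path per line in the list file.
param(
    [Parameter(Mandatory=$true)][string]$FolderListFile,
    [Parameter(Mandatory=$true)][string]$SecIdentity,
    [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemRights]$AccessRights,
    [System.Security.AccessControl.AccessControlType]$AccessControlType = 'Allow'
)

# Assumption: the entry should flow down to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Resolve the account to a SID once, so a mistyped name fails before any ACL is touched.
$account = New-Object System.Security.Principal.NTAccount($SecIdentity)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $sid, $AccessRights, $inherit, $propagate, $AccessControlType)

foreach ($line in Get-Content -LiteralPath $FolderListFile) {
    $path = $line.Trim()
    if (-not $path) { continue }                      # ignore blank lines
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Not a folder, skipped: $path"
        continue
    }

    $acl = Get-Acl -LiteralPath $path
    # Look for an explicit or inherited entry that already covers the request.
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $AccessControlType -and
            ($_.FileSystemRights -band $AccessRights) -eq $AccessRights -and
            ($_.InheritanceFlags -band $inherit) -eq $inherit
        }
    if ($existing) {
        Write-Verbose "Already set, skipped: $path"
        continue
    }

    $acl.AddAccessRule($rule)                         # adds to the ACL, replaces nothing
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "Applied: $path"
}
```

Because -AccessRights is typed as the FileSystemRights enum, a comma-separated value such as "Read, Write" is accepted and an unknown right is rejected before any folder is processed.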
Tags: NTFS Permission, Powershell
6 Comments
Hi, I thought I might be able to modify your script – but I just can’t work it out. Have looked at PowerShell and VBScript but it seems very complicated.
I have a fileserver and need to change the structure and make every file/folder read-only from the top down. I could just set it to read only at the root directory but of course I need to maintain the security groups and users for what has already been defined on folders. We are implementing a new document management system which is why I need to do this.
Any idea how I could go about this one…???
Thanks for any help!
Hi egs,
You can firstly apply your desired permission on your root folder. Then prepare a list using this PowerShell command:
Get-ChildItem -path [root folder] -recurse | where-object {$_.PSIscontainer} | select Fullname | out-file C:\temp\list.txt
and pass C:\temp\list.txt into my script (don't forget to firstly remove the header from C:\temp\list.txt first).
Good Luck
Tao
Thanks for the nice script. Quick question about the -AccessRights switch. Where can I find out what I’m allowed to set here? I’m looking for granular settings, but I’m not sure how to add them with this script.
Cheers,
Matt
Matt, it uses the .NET class System.Security.AccessControl.FileSystemAccessRule to set the ACL.
For the full listing of the rights you can set, please take a look here:
http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx
Good luck.
That’s exactly what I was looking for. Thanks a million. You had to modify 9000…, I have to do triple that. Thanks again for sharing!
Cheers,
Matt
Do you know if it’s possible to apply permissions using a script based on the folder level? For instance, X:\level-01\level-02\level-03…
I would like to use the same AD groups for all three levels. However, only select groups will have “modify” permissions to level-01 and level-02, while the others will have “read-only”. However, I need all groups to have “modify” permissions on level-03.
Currently, we have the following
1 x Level-01 folder
1,200 x Level-02 folders
10+ x Level-03 folders per Level-02 folder
If you know of any way to automate this process, I would greatly appreciate your help in pointing me in the right direction. As of now, I am considering the use of CACLS.exe and AutoIT to automate the process by reading in the folder structure and then applying the CACLS script as needed.
Thank you.