PowerShell Script: Setting NTFS Permissions in Bulk

Today I wrote this PowerShell script to apply the same set of NTFS permissions for a particular user or group to a list of folders. It reads the list of folders from a file specified by a parameter and applies the permission, which is also specified by parameters. The usage is as follows:

.\BulkSet-NTFSPermissions.ps1 -FolderListFile x:\xxxx\xxxx.txt -SecIdentity "Domain\Group" -AccessRights "FullControl" -AccessControlType "Allow"

  • FolderListFile: a flat text file containing the list of paths to which the NTFS permission is applied. It must list one folder per line. Each path can be an absolute local path such as C:\temp or a UNC path such as \\computer\C$\temp.
  • SecIdentity: the security identity (such as a user account or a security group) the permission is applied for.
  • AccessRights: the type of access rights, such as FullControl, Read, ReadAndExecute, Modify, etc.
  • AccessControlType: Allow or Deny.

This script checks the existing permission before applying the new one. If the user or group already has the specified permission on a folder from the list, the script skips that folder and moves to the next one. I had to use this script to grant a group full control rights to over 9000 folders. It only took around 40 minutes to run. I was very impressed!
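
The flow described above (read the list, skip folders that already carry the permission, add the rule to the rest) can be sketched as follows. This is an added example, not the original BulkSet-NTFSPermissions.ps1: the function name Set-BulkNtfsPermission, the inheritance flags and the -WhatIf support are assumptions, and only explicit (non-inherited) rules count as "already set".

```powershell
# Added example, not the original BulkSet-NTFSPermissions.ps1.
# Set-BulkNtfsPermission is a hypothetical name; parameters mirror the post's.
function Set-BulkNtfsPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FolderListFile,
        [Parameter(Mandatory)][string]$SecIdentity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$AccessRights,
        [System.Security.AccessControl.AccessControlType]$AccessControlType = 'Allow'
    )
    # The list must be a text file; pointing it at a folder makes Get-Content fail.
    if (-not (Test-Path -LiteralPath $FolderListFile -PathType Leaf)) {
        throw "FolderListFile '$FolderListFile' is not a file."
    }
    # Resolve the identity once so a mistyped name fails before any ACL changes.
    $sid = ([System.Security.Principal.NTAccount]$SecIdentity).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Assumption: the rule is inherited by subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, $AccessRights, $inherit, $propagate, $AccessControlType
    # Trim and drop blank lines: an empty entry makes Test-Path throw.
    $folders = Get-Content -LiteralPath $FolderListFile |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Skipped, folder not found: $folder"
            continue
        }
        $acl = Get-Acl -LiteralPath $folder
        # Explicit (non-inherited) rules for this SID that already cover the request.
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq $sid.Value -and
                $_.AccessControlType -eq $AccessControlType -and
                ($_.FileSystemRights -band $AccessRights) -eq $AccessRights
            }
        if ($existing) { Write-Verbose "Already set: $folder"; continue }
        if ($PSCmdlet.ShouldProcess($folder, "Add $AccessControlType $AccessRights for $SecIdentity")) {
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $folder -AclObject $acl
        }
    }
}

# Dry run first: -WhatIf lists the folders that would change without writing any ACL.
# Set-BulkNtfsPermission -FolderListFile C:\temp\list.txt -SecIdentity 'DOMAIN\Group' -AccessRights Modify -WhatIf
```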

18 comments

  1. Hi, I thought I might be able to modify your script – but I just can’t work it out. Have looked at PowerShell and VB script but it seems very complicated.

    I have a fileserver and need to change the structure and make every file/folder read-only from the top down. I could just set it to read only at the root directory but of course I need to maintain the security groups and users for what has already been defined on folders. We are implementing a new document management system which is why I need to do this.

    Any idea how I could go about this one…???
    Thanks for any help!

    1. Hi egs,

      You can first apply your desired permission on your root folder, then prepare a list using this PowerShell command:
      Get-ChildItem -path [root folder] -recurse | where-object {$_.PSIscontainer} | select Fullname | out-file C:\temp\list.txt

      and pass C:\temp\list.txt into my script (don’t forget to remove the header from C:\temp\list.txt first).

      Good Luck
      Tao

    2. Same here. Sometimes it won’t work to modify others’ scripts.
      I got some error after modifying Tao’s PS; it applied the permission but said Test Path does not exist.
      Test-Path : Cannot bind argument to parameter ‘Path’ because it is an empty string.
      At C:\scripts\BulkSet-NTFSPermissions.PS1:48 char:16
      + if (Test-Path $Folder)
      + ~~~~~~~
      + CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
      + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.TestPathCommand

  2. Thanks for the nice script. Quick question about the -AccessRights switch. Where can I find out what I’m allowed to set here? I’m looking for granular settings, but I’m not sure how to add them with this script.

    Cheers,
    Matt

      1. That’s exactly what I was looking for. Thanks a million. You had to modify 9000…, I have to do triple that ;-). Thanks again for sharing!

        Cheers,
        Matt

  3. Do you know if it’s possible to apply permissions using a script based on the folder level? For instance, X:\level-01\level-02\level-03…

    I would like to use the same AD groups for all three levels. However, only select groups will have “modify” permissions to level-01 and level-02, while the others will have “read-only”. However, I need all groups to have “modify” permissions on level-03.

    Currently, we have the following
    1 x Level-01 folder
    1,200 x Level-02 folders
    10+ x Level-03 folders per Level-02 folder

    If you know of any way to automate this process, I would greatly appreciate your help in pointing me in the right direction. As of now, I am considering the use of CACLS.exe and AutoIT to automate the process by reading in the folder structure and then applying the CACLS script as needed.

    Thank you.

  4. Do you know how to collect folder level NTFS permissions and aggregate the information with SCCM?

    I have tried to collect this information with a VB script which writes to WMI and is collected with a hardware inventory. However, the information being returned doesn’t seem to match the NTFS permissions.

    1. Hi Scott,

      Sorry, I have never done anything like that before. What’s the reason behind that? If you just need to set a standard NTFS permission (rather than reporting it), maybe just create a GPO to set it?

  5. Hi guys;

    I am new to PS and I was wondering if anyone can help me with this; I need to grant “list folder contents” permissions to G1 over folder F1, and inside F1 I have F2, on which I need the same group G1 to have R/W permissions. Can anyone assist me on this? It would be really so much appreciated.

    Best Regards;
    Hisham

  6. Thanks for the script. This should do exactly what I want…
    I’m hitting an issue though with the initial execution. I’m receiving an access denied error.

    PS C:\Scripts\folder> .\BulkSet-NTFSPermissions.ps1 -FolderListFile “d:\Folder” -SecIdentity “DOMAIN\GROUP” -AccessRights “Modify” -AccessControlType “Allow”

    #####################################################################
    Folder List File: D:\folder
    Security Identity: DOMAIN\GROUP
    Access Rights: Modify
    Access Control Type: Allow
    #####################################################################

    Get-Content : Access to the path ‘d:\folder’ is denied.
    At C:\Scripts\BulkSet-NTFSPermissions.PS1:42 char:27
    + $arrFolders += Get-Content <<<< $FolderListFile
    + CategoryInfo : PermissionDenied: (d:\folder:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

    Not sure where to go from here. Thoughts?

    1. James, -FolderListFile argument should be a flat text file that contains a list of folders that you wish to modify, not the folder itself.

  7. Great script, thanks… I have 1200 user home folders to mod 🙁
    The folder names match the logon names and I need to grant full access to the folder for that user. My question is how do I pass a txt file of usernames to the script.

    eg

    grant pete.marsh full access to c:\pete.marsh…. etc.

  8. Hi Tao, thank you, I’ve found this script very useful. One query: is there a simple way that this script can be adapted to force permissions on folders where inheritance is switched off?

  9. You made my day. A customer used a folder structure like this:

    – Project 1 (access for group “Data Share”)
    — Project Costs (inherited group “Data Share”, but should only allow access for group “Costs”)

    By modifying your script I removed inheritance from hundreds of subfolders, and then (with RemoveAccessRule instead of AddAccessRule) removed the groups that mustn’t have access to the “Costs” folder. This would have occupied me for hours and your script did it in seconds. Thank you so much!
