Adding and Resetting NTFS Permissions

by May 20, 2014

Whether you want to add a new NTFS access rule to a file or turn off inheritance and add new rules, here is a sample script that illustrates the trick and can serve you as a template.

The script creates a test file, then defines a new access rule for the current user. This rules allows read and write access. The new rule is added to the existing security descriptor. In addition, inheritance is turned off.

# create a sample file to apply security rules to
$Path = "$env:temp\examplefile.txt"
$null = New-Item -Path $Path -ItemType File -ErrorAction SilentlyContinue

# use current user or replace with another user name
$username = "$env:USERDOMAIN\$env:USERNAME"

# define the new access rights
$colRights = [System.Security.AccessControl.FileSystemRights]'Read, Write' 
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None 
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 
$objType =[System.Security.AccessControl.AccessControlType]::Allow 
$objUser = New-Object System.Security.Principal.NTAccount($username) 

# create new access control entry
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 

# get existing access control list for a file or folder
$objACL = Get-Acl -Path $Path 

# add rule

# disable inheritance (if needed)
$objACL.SetAccessRuleProtection($true, $false)

# apply changed access control list to file
Set-Acl -Path $Path -AclObject $objACL

# show file in the File Explorer
explorer.exe "/SELECT,$Path"

Once completed, the script opens the test file in the File Explorer and selects it. You can then right-click the file and choose Properties > Security to view the new settings.

To find out the available access rights, in the ISE editor type in this line:

This will automatically open the context menu and lists all available settings.

Twitter This Tip! ReTweet this Tip!