
Grant FullControl Permission to User/Group on File/Folder using Powershell

In today's article, let us see how to grant NTFS full permissions to a user account on a list of files using PowerShell.

We know that the permissions of a file or folder can be read using the Get-ACL cmdlet. When run against a file or folder, it lists the permissions like below.

Tip: You might have noticed that I am selecting the AccessToString property to display the permissions in a readable manner. If you select the Access property alone, it returns the raw ACL entry objects, which do not make much sense unless you interpret them.

If we want to grant a new user (assume AD\Testuser1) FullControl permissions on the file, then first we have to create the ACL entry that we want to add.

$rule=new-object System.Security.AccessControl.FileSystemAccessRule ("mydomain\testuser1","FullControl","Allow")

It is as simple as the above command. You can change the username and the type of permission to customize your ACL entry. Once your entry is ready, you need to read the existing ACL of the file. You can do that using the Get-ACL cmdlet like below:

$acl = Get-ACL c:\local\me.txt

Once we have the ACL of the file, it is time to update it with the new entry we created. It can be done by calling the SetAccessRule method as specified below.

$acl.SetAccessRule($rule)

Now we have the ACL updated and we should apply the new ACL to the file. It can be done with the Set-ACL cmdlet.

Set-ACL -Path C:\local\me.txt -AclObject $acl

Below is a PS function built with the help of the above code to add any given user/group to the security permissions of a file/folder.

function Grant-userFullRights {
 [cmdletbinding()]
 param(
  [Parameter(Mandatory=$true)]
  [string[]]$Files,
  [Parameter(Mandatory=$true)]
  [string]$UserName
 )
 # Build the access rule once; it is reused for every file in the list
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($UserName,"FullControl","Allow")

 foreach($File in $Files) {
  if(Test-Path $File) {
   try {
    # Read the current ACL, merge the new rule into it and write it back
    $acl = Get-ACL -Path $File -ErrorAction stop
    $acl.SetAccessRule($rule)
    Set-ACL -Path $File -ACLObject $acl -ErrorAction stop
    Write-Host "Successfully set permissions on $File"
   } catch {
    Write-Warning "$File : Failed to set perms. Details : $_"
    Continue
   }
  } else {
   Write-Warning "$File : No such file found"
   Continue
  }
 }
}

Output:

In the above output, I have added a local account (SITARAM\Administrator) to the permissions of the c:\local\me.txt file.
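The rule created with the three-argument constructor above applies to the object itself only, which is fine for a file but leaves the children of a folder untouched. As an added example that is not part of the original post, here is a folder-oriented variant that sets the inheritance flags so the grant reaches existing and future sub-folders and files, followed by a verification step that lists every identity that ends up with FullControl. The function names and the C:\local\project path are assumptions for illustration.

```powershell
# Added example (not from the original post). Function names and the folder
# path are assumptions for illustration.
function Grant-FolderFullRights {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Folder,
        [Parameter(Mandatory=$true)][string]$UserName
    )
    # ContainerInherit = applies to sub-folders, ObjectInherit = applies to files.
    # Without these flags the ACE is "this folder only" and children are not covered.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $UserName, 'FullControl', $inherit, $propagate, 'Allow'

    # Same three steps as in the post: read the ACL, merge the rule, write it back.
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Verification: list every Allow entry on the path whose rights include FullControl,
# and show whether it will be inherited by children. Review this after any change,
# because FullControl also carries the right to change permissions and ownership.
function Get-FullControlGrants {
    param([Parameter(Mandatory=$true)][string]$Path)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited,
                      InheritanceFlags, PropagationFlags
}

Grant-FolderFullRights -Folder 'C:\local\project' -UserName 'mydomain\testuser1'
Get-FullControlGrants -Path 'C:\local\project' | Format-Table -AutoSize
```

Entries that Windows stores as generic rights can show up as a numeric FileSystemRights value rather than a named one; the band check above only matches explicit FullControl entries, so inspect the full Access list if something looks missing.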

Hope this helps and happy reading.


  • Marc April 11, 2016, 5:57 pm

    This is so awesome! 🙂 Thanks a lot!
    Helps me a lot!!!!

  • Maram June 14, 2016, 11:11 pm

    Thank you so much..
    but I did not understand how to change it to work on my script..
    my active directory name is Formation.lan

    1-how to apply this on it.
    2-how to create Roaming profile

    please help

  • Azamat April 24, 2018, 12:16 pm

    This certainly works, but it's extreeeemely slow (hours to execute) on a folder of only a very few GB.
    Any workaround for this?

    • Wintel Rocks May 29, 2018, 6:04 pm

      ACL processing is generally time consuming. I would recommend you to explore PowerShell jobs to start multi-threads.

  • Yosman May 17, 2019, 6:41 pm

    If I would like to restore all the acls based on folder name, how would I go about it in an AD environment?

    example: if folder name = %username% then add %username% full access

    Does that make sense?

    Cheers!!

    • Wintel Rocks May 18, 2019, 7:16 am

      I think you can try something like below if I understood your requirement correctly. The sample below assumes that all your folders are placed directly under the c:\project folder. Also change "mydomain" to match your actual domain name. Make sure to test it with a few folders first before thinking about wider deployment.

      $folders = Get-ChildItem -Path c:\project | ? {$_.PSIsContainer -eq $True}

      foreach($folder in $folders) {
       $Username = "mydomain\{0}" -f $folder.name
       Grant-userFullRights -Files $Folder.FullName -UserName $UserName
      }