Applying NTFS Permissions

Tobias — Wed, 21 Sep 2011 10:21:00 GMT

Recently, I needed to create a folder with NTFS permissions. PowerShell can do that for you, and when you look at your weapons, you'll find that sometimes it is best to mix command types and not just stick to cmdlets. At the end, I had a handy function that would take a path and a username and do all the tricky NTFS permissions stuff for me. Here is how.

Creating Folders

Let's start with the simple part and write a function that creates a folder if that folder does not yet exist:

function Create-Folder {
param($path)

if ( (Test-Path $path) -ne $true) {
New-Item -Path $path -ItemType Directory | Out-Null
}
}

Apply Permissions

Next, I want to add NTFS permissions to that folder. A specifc user should get change permission, and all Administrators should get full permission. There are cmdlets to do the job like Get/Set-ACL, but working with them can be hard because they really are just simple wrappers for low-level .NET methods.

PowerShell is not limited to cmdlets. You can happily use established console-based applications like cacls.exe. Here is an example:

function Create-Folder {
param($path, $user)

if ( (Test-Path $path) -ne $true) {
New-Item -Path $path -ItemType Directory | Out-Null
}

CACLS $path /G "Domain Admins":F
CACLS $path /E /G $user:C
}

As it turns out, this won't work yet. The first call to CACLS removes existing permissions which is what I want. However, this triggers a confirmation, so I would have to manually type "Y" to approve the operation. The second call to CACLS won't work at all. CACLS can't understand it, so it throws back its manual to the caller.

To correct these issues, a couple of tricks are needed. To automatically send a key to a confirmation, place it on the pipeline. And to resolve the syntax issue, submit arguments to CACLS as a string so PowerShell won't get confused:

function Create-Folder {
param($path, $user)

if ( (Test-Path $path) -ne $true) {
New-Item -Path $path -ItemType Directory | Out-Null
}

'y' | CACLS """$path"" /G ""Domain Admins"":R" | Out-Null
CACLS """$path"" /E /G ""$user"":F" | Out-Null
}

Now it is easy to create new folders and apply standard NTFS security:

Create-Folder -path c:\user1 -user mydomain\username

Careful!

Unfortunately, this approach is not culture-neutral. On non-US systems, you probably will want to change two things:

Make sure you use the correct name for the Admin group. On German systems, it is called "Domänen-Admins" instead of "Domain Admins"
Make sure you send the correct confirmation key. On German systems, it is "J" rather than "Y"

I know that sucks, but for a number of scenarios, incorporating tools like CACLS can simplify life tremendously. Learning points here are: console-based applications are (almost) equal PowerShell citizens. To submit arguments to them, you may have to turn them into a string in order to avoid parsing conflicts.

See you next time!

Tobias

Microsoft MVP PowerShell Germany

P.S.
If you live in Germany or other parts of Europe and your company would like to set up a truly great PowerShell training, just contact me! I regularly train mid- to large-size companies. Trainings are always a blast with tons of real-world-examples and solutions. Here's how to get in touch with me: tobias.weltner@scriptinternals.de

Dreaming in PowerShell : NTFS

Applying NTFS Permissions

Creating Folders

Apply Permissions

Careful!