NTFSSecurity is a PowerShell module that greatly simplifies NTFS permission management, especially bulk permission application on complete directory trees.
📦 Module Installation
💻 Automatic installation
```powershell
Install-Module NTFSSecurity
Import-Module NTFSSecurity
```

📥 Manual installation
```powershell
# Check module paths
$env:PSModulePath
# Download from PowerShell Gallery then copy to:
# C:\Windows\System32\WindowsPowerShell\v1.0\Modules
# Then import
Import-Module NTFSSecurity
```

🔍 Viewing Permissions
| 📌 Action | 🧠 NTFSSecurity Command |
|---|---|
| 📋 List folder permissions | Get-NTFSAccess -Path "D:\Accounting" |
| 👁️ Explicit permissions only (inherited entries hidden) | Get-NTFSAccess -Path "D:\Accounting" -ExcludeInherited |
| 👤 User permissions | Get-NTFSAccess -Path "D:\Accounting" -Account "jsmith" |
| 📊 Folder owner | Get-NTFSOwner -Path "D:\Accounting" |
| 🔍 Recursive audit | Get-ChildItem -Recurse "D:\Accounting" \| Get-NTFSAccess |
➕ Adding Permissions
| 📌 Action | 🧠 NTFSSecurity Command |
|---|---|
| ✏️ Add Modify | Add-NTFSAccess -Path "D:\Accounting" -Account "GRP-Accounting" -AccessRights Modify |
| 📖 Add read-only | Add-NTFSAccess -Path "D:\Accounting" -Account "GRP-Interns" -AccessRights Read |
| 👑 Add full control | Add-NTFSAccess -Path "D:\Accounting" -Account "GRP-Management" -AccessRights FullControl |
| 🎯 Selective application | Add-NTFSAccess -Path "D:\Accounting" -Account "jsmith" -AccessRights Write -AppliesTo FilesOnly |
🗑️ Removing Permissions
| 📌 Action | 🧠 NTFSSecurity Command |
|---|---|
| ❌ Remove user | Remove-NTFSAccess -Path "D:\Accounting" -Account "former_employee" |
| 🧹 Clean permissions | Remove-NTFSAccess -Path "D:\Accounting" -Account "GRP-Temp" -AccessRights All |
| 🔒 Disable inheritance | Disable-NTFSAccessInheritance -Path "D:\Accounting" -RemoveInheritedAccessRules |
| ✅ Enable inheritance | Enable-NTFSAccessInheritance -Path "D:\Accounting" |
🛠️ Script Examples
📁 Apply permissions to an entire directory tree
```powershell
# Configuration variables
$group1 = "COMPANY\GRP-Accounting"
$group2 = "COMPANY\GRP-Management"
$targetPath = "D:\Shares\Accounting"
$logPath = "C:\temp\permissions_$(Get-Date -Format 'yyyyMMdd').log"

# Function to apply permissions
function Set-FolderPermissions {
    param (
        [string]$Path,
        [string[]]$Groups
    )
    try {
        foreach ($group in $Groups) {
            # -ErrorAction Stop makes a failed ACL change terminating, so catch logs it
            # instead of the SUCCESS line being written anyway
            Add-NTFSAccess -Path $Path -Account $group -AccessRights Modify -AppliesTo ThisFolderSubfoldersAndFiles -ErrorAction Stop
            Write-Host "Permissions applied: $group on $Path" -ForegroundColor Green
            "$(Get-Date) - SUCCESS: $group -> $Path" | Out-File -Append $logPath
        }
    } catch {
        Write-Host "Error on $Path : $_" -ForegroundColor Red
        "$(Get-Date) - ERROR: $Path - $_" | Out-File -Append $logPath
    }
}

# Recursive application (every subfolder of $targetPath)
Write-Host "Starting permission application..." -ForegroundColor Cyan
Get-ChildItem -Recurse -Path $targetPath -Directory | ForEach-Object {
    Set-FolderPermissions -Path $_.FullName -Groups @($group1, $group2)
}
Write-Host "Completed! Log available: $logPath" -ForegroundColor Green
```

🔍 Complete permissions report
```powershell
# Generate a detailed permissions report
function Get-DetailedPermissionsReport {
    param ([string]$Path)
    $report = @()
    Get-ChildItem -Recurse $Path | ForEach-Object {
        $permissions = Get-NTFSAccess -Path $_.FullName
        $owner = Get-NTFSOwner -Path $_.FullName
        foreach ($perm in $permissions) {
            $report += [PSCustomObject]@{
                Path      = $_.FullName
                Type      = if ($_.PSIsContainer) { "Folder" } else { "File" }
                Owner     = $owner.Owner
                Account   = $perm.Account
                Rights    = $perm.AccessRights
                Inherited = $perm.IsInherited
            }
        }
    }
    return $report
}

# Usage
$reportPath = "C:\temp\permissions_audit_$(Get-Date -Format 'yyyyMMdd').csv"
Get-DetailedPermissionsReport -Path "D:\Accounting" | Export-Csv $reportPath -NoTypeInformation
Write-Host "Report generated: $reportPath"
```

⚠️ Problematic permissions audit
```powershell
# Find suspicious permissions
function Find-ProblematicPermissions {
    param ([string]$BasePath)
    $suspicious = @()
    Get-ChildItem -Recurse $BasePath | ForEach-Object {
        $acl = Get-NTFSAccess -Path $_.FullName
        # Find Everyone or Users permissions
        $badPerms = $acl | Where-Object {
            $_.Account -match "Everyone|Users" -and
            $_.AccessRights -match "FullControl|Modify"
        }
        if ($badPerms) {
            $suspicious += [PSCustomObject]@{
                Path    = $_.FullName
                # Join the values so several matching entries stay readable in the CSV
                Account = ($badPerms.Account -join '; ')
                Rights  = ($badPerms.AccessRights -join '; ')
                Risk    = "HIGH"
            }
        }
    }
    return $suspicious
}

# Usage
Find-ProblematicPermissions -BasePath "D:\Shares" |
    Export-Csv "C:\temp\suspicious_permissions.csv" -NoTypeInformation
```

📁 New team share setup
```powershell
# Create a share with team-based permissions
$sharePath = "D:\Shares\Sales-Team"
$groups = @{
    "COMPANY\GRP-Sales"      = "Modify"
    "COMPANY\GRP-Management" = "FullControl"
    "COMPANY\GRP-Interns"    = "Read"
}

# Create folder if it doesn't exist
if (!(Test-Path $sharePath)) { New-Item -Path $sharePath -ItemType Directory }

# Apply permissions
foreach ($group in $groups.Keys) {
    Add-NTFSAccess -Path $sharePath -Account $group -AccessRights $groups[$group]
    Write-Host "$group -> $($groups[$group])"
}
```

🔄 Permission migration/synchronization
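```powershell
# Copy permissions from one folder to another
$sourcePath = "D:\Old\Accounting"
$targetPath = "D:\New\Accounting"

# Get source permissions
$sourcePerms = Get-NTFSAccess -Path $sourcePath

# Apply to new folder
foreach ($perm in $sourcePerms) {
    if (-not $perm.IsInherited) { # Ignore inherited permissions
        # Carry over Allow/Deny and the inheritance scope; without them every entry
        # is recreated as an Allow rule with the default scope, including Deny rules
        Add-NTFSAccess -Path $targetPath -Account $perm.Account -AccessRights $perm.AccessRights `
            -AccessType $perm.AccessControlType `
            -InheritanceFlags $perm.InheritanceFlags -PropagationFlags $perm.PropagationFlags
        Write-Host "Copied: $($perm.Account) -> $($perm.AccessRights)"
    }
}
```

🚨 Troubleshooting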
| 🆘 Problem | 🧠 Solution |
|---|---|
| Module not found | Install-Module NTFSSecurity -Force |
| Insufficient permissions | Run PowerShell as admin |
| "Access denied" error | Check folder ownership |
| Permissions not applied | Check inheritance with Get-NTFSInheritance |
| Slow script on large volumes | Process in batches with Get-ChildItem -Depth |
💡 Best Practices
- Always test on a small sample before bulk application
- Generate logs for change traceability
- Back up current permissions before major changes
- Use groups rather than individual users
- Check inheritance before disabling it
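
One way to act on "Back up current permissions before major changes" and on change traceability, as an added example that is not code from the original page or from the NTFSSecurity project: snapshot the explicit ACEs of a tree to CSV before a bulk change, snapshot again afterwards, and list what was added or removed. The function names and file paths are hypothetical.

```powershell
# Added example: Export-AclSnapshot / Compare-AclSnapshot are hypothetical helper names.
function Export-AclSnapshot {
    param (
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Include the root folder itself; Get-ChildItem alone only returns its descendants
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $items | ForEach-Object {
        $item = $_
        # Explicit ACEs only: inherited ones are fully determined by the parent folder
        Get-NTFSAccess -Path $item.FullName -ExcludeInherited | ForEach-Object {
            [PSCustomObject]@{
                Path        = $item.FullName
                Account     = [string]$_.Account
                Type        = [string]$_.AccessControlType
                Rights      = [string]$_.AccessRights
                Inheritance = [string]$_.InheritanceFlags
                Propagation = [string]$_.PropagationFlags
            }
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-AclSnapshot {
    param (
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    # One string key per ACE; hashtable lookups also cope with an empty snapshot
    $key = { param($r) ($r.Path, $r.Account, $r.Type, $r.Rights, $r.Inheritance, $r.Propagation) -join '|' }
    $old = @{}; foreach ($r in @(Import-Csv $Before)) { $old[(& $key $r)] = $r }
    $new = @{}; foreach ($r in @(Import-Csv $After))  { $new[(& $key $r)] = $r }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) { $new[$k] | Select-Object @{ n = 'Change'; e = { 'Added' } }, * }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) { $old[$k] | Select-Object @{ n = 'Change'; e = { 'Removed' } }, * }
    }
}

# Usage (constructed paths): snapshot, run the bulk change, snapshot again, review the diff
Export-AclSnapshot -Path "D:\Shares\Accounting" -OutFile "C:\temp\acl_before.csv"
# ... bulk permission change runs here ...
Export-AclSnapshot -Path "D:\Shares\Accounting" -OutFile "C:\temp\acl_after.csv"
Compare-AclSnapshot -Before "C:\temp\acl_before.csv" -After "C:\temp\acl_after.csv" | Format-Table -AutoSize
```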
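
The "Problematic permissions audit" script earlier on this page matches account and rights by name, which also hits any group whose name merely contains "Users", finds nothing on a localized Windows, and skips write-capable rights other than Modify and FullControl. The following added example (not code from the original page or from the NTFSSecurity project) tests well-known SIDs and access-mask bits instead; `Find-BroadWriteAccess` is a hypothetical name, and it assumes the rule's `Account` object exposes the SID through a `.Sid` property.

```powershell
# Added example. Assumption: $ace.Account.Sid returns the SID of the rule's account.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Standard access-mask bits that let a principal change data or the ACL itself:
# WriteData 0x2, AppendData 0x4, DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000,
# ChangePermissions 0x40000, TakeOwnership 0x80000, GenericAll 0x10000000, GenericWrite 0x40000000
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Find-BroadWriteAccess {
    param ([Parameter(Mandatory)][string]$BasePath)
    # Include the base folder itself; Get-ChildItem alone only returns its descendants
    $items = @(Get-Item -LiteralPath $BasePath) + @(Get-ChildItem -LiteralPath $BasePath -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in @(Get-NTFSAccess -Path $item.FullName)) {
            # Deny entries restrict access, so only Allow entries are findings
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = [string]$ace.Account.Sid
            $label = $BroadSids[$sid]
            # Domain Users is the domain SID followed by the well-known RID 513
            if (-not $label -and $sid -match '^S-1-5-21-.+-513$') { $label = 'Domain Users' }
            if (-not $label) { continue }
            # Bit test instead of name matching: also catches Write, Delete or ChangePermissions alone
            if (([int64]$ace.AccessRights -band $WriteMask) -eq 0) { continue }
            [PSCustomObject]@{
                Path      = $item.FullName
                Principal = $label
                Account   = [string]$ace.Account
                Rights    = [string]$ace.AccessRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (base path taken from the audit script on this page; output file name is constructed)
Find-BroadWriteAccess -BasePath "D:\Shares" |
    Export-Csv "C:\temp\broad_write_access.csv" -NoTypeInformation
```

Filtering the result on `Inherited -eq $false` shows the folders where the broad grant is actually set, which is where it has to be removed.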