Give access to folder, its subfolders and all files to a user/group in Windows

    • #193907


      I need to give read/execute and modify permissions to a user or group on a folder like:


      and include all of its subfolders and files.

      I need to do it using a PowerShell script.

      Any ideas?


    • #193922

      The script block below will give you an idea. Replace the necessary values and also, if your subfolders are set to inherit the permission, you don’t need to set the same on the subfolders.

      $folder = 'F:\Data\MSSQL\MSSQL11.MyInst'
      $ACL = Get-Acl $folder
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","Fullcontrol","Allow")
      Set-Acl $folder $AccessRule
    • #193931

      Did not work:

      PS D:\MyFolder>
      PS D:\MyFolder> $folder = ‘E:\Folder1’
      PS D:\MyFolder> $ACL = Get-Acl $folder
      PS D:\MyFolder> $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(“Administrators
      PS D:\MyFolder> $ACL.SetAccessRule($AccessRule)
      PS D:\MyFolder> Set-Acl $folder $AccessRule
      Set-Acl : AclObject
      At line:1 char:1
      + Set-Acl $folder $AccessRule
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidArgument: (System.Security…ystemAccessRule:FileSystemAccessRule) [Set-Acl], Arg
      + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

    • #193949

      I’ve used something similar to this in my functions.

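      $FolderPath = "E:\Folder1"
      $Group = "users"
      $Acl = Get-Acl $FolderPath
      # Modify on this folder, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
      $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group,"Modify","ContainerInherit,ObjectInherit","None","Allow")
      # Put the rule into the ACL object; Set-Acl writes the ACL, not the rule
      $Acl.SetAccessRule($AccessRule)
      Set-Acl -Path $FolderPath -AclObject $Acl -confirm:$false -Passthru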

      New Access rule looks like this:

      FileSystemRights : Modify, Synchronize
      AccessControlType : Allow
      IdentityReference : users
      IsInherited : False
      InheritanceFlags : ContainerInherit, ObjectInherit
      PropagationFlags : None



    • #194000

      Here’s a function I wrote a lifetime ago, it should do what you’re after:

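      Function Change-ACL
      {
      <#
      .SYNOPSIS
      This function will add or remove an ACE to the ACL for a directory.

      .DESCRIPTION
      This function will add or remove an ACE to the ACL for a directory.

      .PARAMETER Directory
      This is the directory you will add/remove an ACE for.

      .PARAMETER UserNames
      These are the UserNames of the user(s) you want to change permissions for.

      .PARAMETER AccessLevel
      This is the level of access you want to grant for the user(s). If you are removing permissions, all inherited levels are removed

      .PARAMETER Add
      This switch specifies whether to add the permissions specified in the AccessLevel Parameter

      .PARAMETER Remove
      This switch specifies whether to remove the user's permissions

      .NOTES
      Version: 1.2
      Author: Lars Panzerbjrn
      Creation Date: 2017.11.01
      Purpose/Change: Initial script development
      Changed 2019.02.25 LP: Changed function to also Remove permissions; implemented Parameter Sets

      .EXAMPLE
      Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -AccessLevel Write -Add

      This will give the user Panzerbjrn_L_a access to write to the directory.

      .EXAMPLE
      Change-ACL -Directory "\\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -Remove

      This will remove the user Panzerbjrn_L_a from the ACL for the directory.
      #>
      # The parameter declaration is not shown in the post; this block is reconstructed
      # from the .PARAMETER help and the examples above and is an assumption.
      [CmdletBinding(DefaultParameterSetName='Add')]
      Param
      (
          [Parameter(Mandatory=$True)][string]$Directory,
          [Parameter(Mandatory=$True)][string[]]$UserNames,
          [Parameter(Mandatory=$True,ParameterSetName='Add')][System.Security.AccessControl.FileSystemRights]$AccessLevel,
          [Parameter(ParameterSetName='Add')][switch]$Add,
          [Parameter(ParameterSetName='Remove')][switch]$Remove
      )

      $Path = $Directory
      $TestedPath = Test-Path $Path
      # return (not break): break outside a loop can also stop the calling script
      IF($TestedPath -eq $False) {Write-Verbose "$($Path) Doesn't exist; thank you please come again";return}
      $ACL = (Get-Item $Path).GetAccessControl('Access')

      ForEach ($UserName in $UserNames)
      {
          $USR = Get-ADUser -Filter {SamAccountName -like $UserName} -Properties *
          $Usrname = "BDS\"+$USR.SamaccountName
          $Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
          $Propagation = [System.Security.AccessControl.PropagationFlags]"None"
          IF($Add)
          {
              $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Usrname, $AccessLevel, $Inherit, $Propagation, "Allow")
              # The step that changes the ACL object is not shown in the post; AddAccessRule is assumed
              $ACL.AddAccessRule($AccessRule)
          }
          # Assumed removal step: drop every explicit access rule held by this account
          IF($Remove) {$ACL.PurgeAccessRules([System.Security.Principal.NTAccount]$Usrname)}
      }
      # Write the modified ACL back once all users have been processed
      IF(($Add) -OR ($Remove)) {Set-Acl -path $Path -AclObject $Acl}
      ELSE {Write-Verbose "No Add or Remove action was specified"}
      }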

      BUT, do yourself a huge favour, and use groups to delegate access, *not* direct access by adding users to the ACL for folders/files/drives…
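
The replies above rely on inheritance to carry the new ACE down to subfolders and files, so a child with inheritance switched off never receives it. The following is an added example, not code from any poster in the thread: it grants Modify to a group on a root folder and then lists every child whose effective ACL still lacks that right. The function names `Grant-FolderModify` and `Find-UncoveredChild`, the `BUILTIN\Users` group and the temporary folder layout are assumptions.

```powershell
# Added example; function names, group and folder layout are assumptions.
function Grant-FolderModify {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Group)
    # Resolve to a SID up front so a mistyped name fails here, not in Set-Acl.
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate([System.Security.Principal.SecurityIdentifier])
    $ruleArgs = $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)              # merge with the existing ACEs
    Set-Acl -Path $Path -AclObject $acl
    return $sid
}

function Find-UncoveredChild {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item  = $_
        $acl   = Get-Acl -Path $item.FullName
        # Explicit and inherited rules, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hit   = $rules | Where-Object {
            $_.IdentityReference.Value -eq $Sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $modify) -eq $modify
        }
        if (-not $hit) {
            [pscustomobject]@{
                Path                = $item.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Constructed sample tree: 'open' inherits, 'closed' has inheritance switched off.
$root   = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$([guid]::NewGuid())")
$open   = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'open')
$closed = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'closed')
Set-Content -Path (Join-Path $open.FullName 'a.txt') -Value 'sample'
$closedAcl = Get-Acl -Path $closed.FullName
$closedAcl.SetAccessRuleProtection($true, $true)   # protect, keep copies of inherited ACEs
Set-Acl -Path $closed.FullName -AclObject $closedAcl

$sid = Grant-FolderModify -Path $root.FullName -Group 'BUILTIN\Users'
Find-UncoveredChild -Path $root.FullName -Sid $sid | Format-Table -AutoSize
```

A row with `InheritanceDisabled` set to `True` marks an item whose ACL has to be edited directly, because the rule on the root never reaches it.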
