File Folder Marked Read Only Attribute Won't Disable
Many organizations with a Microsoft Windows environment rely on NTFS as the main file system for their storage devices that contain sensitive data. It is the easiest way for users to work with files. In order to implement a least-privilege model, which is a best practice for system security, IT security specialists and system administrators configure NTFS access control lists (ACLs) by adding access control entries (ACEs) on NTFS file servers.
NTFS Permissions Types for Files and Folders
There are both basic and advanced NTFS permissions. You can set each of the permissions to "Allow" or "Deny". Here are the basic permissions:
- Full Control: Users can change, add, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
- Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
- Read & Execute: Users can run executable files, including scripts.
- Read: Users can view files, file properties and directories.
- Write: Users can write to a file and add files to directories.
Here is the list of advanced permissions:
- Traverse Folder/Execute File: Users can navigate through folders to reach other files or folders, even if they have no permissions for these files or folders. Users can also run executable files. The Traverse Folder permission takes effect only when the group or user doesn't have the "Bypass Traverse Checking" right in the Group Policy snap-in.
- List Folder/Read Data: Users can view a list of files and subfolders within the folder as well as the content of the files.
- Read Attributes: Users can view the attributes of a file or folder, such as whether it is read-only or hidden.
- Write Attributes: Users can change the attributes of a file or folder.
- Read Extended Attributes: Users can view the extended attributes of a file or folder, such as permissions and creation and modification times.
- Write Extended Attributes: Users can change the extended attributes of a file or folder.
- Create Files/Write Data: The "Create Files" permission allows users to create files inside the folder. (This permission applies to folders only.) The "Write Data" permission allows users to make changes to the file and overwrite existing content. (This permission applies to files only.)
- Create Folders/Append Data: The "Create Folders" permission allows users to create folders within a folder. (This permission applies to folders only.) The "Append Data" permission allows users to make changes to the end of the file, but they can't change, delete or overwrite existing data. (This permission applies to files only.)
- Delete: Users can delete the file or folder. (If users don't have the "Delete" permission on a file or folder, they can still delete it if they have the "Delete Subfolders And Files" permission on the parent folder.)
- Read Permissions: Users can read the permissions of a file or folder, such as "Full Control", "Read", and "Write".
- Change Permissions: Users can change the permissions of a file or folder.
- Take Ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
- Synchronize: Users can use the object for synchronization. This enables a thread to wait until the object is in the signaled state. This right is not presented in ACL Editor. You can read more about it here.
You can see all these user permissions by running the following PowerShell command:
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are configured individually, while inherited permissions are inherited from the parent folder. The hierarchy for permissions is as follows:
- Explicit Deny
- Explicit Allow
- Inherited Deny
- Inherited Allow
Now that we know what NTFS permissions are, let's explore how to manage them.
Get ACL for Files and Folders
The first PowerShell cmdlet used to manage file and folder permissions is "get-acl"; it lists all object permissions. For example, let's get the list of all permissions for the folder with the object path "\\fs1\shared\sales":
get-acl \\fs1\shared\sales | fl
If you want to get a full NTFS permissions report via PowerShell, you can follow this easy how-to about exporting NTFS permissions to CSV.
Copy File and Folder Permissions
To copy permissions, a user must own both the source and target folders. The following command will copy the permissions from the "Accounting" folder to the "Sales" folder:
get-acl \\fs1\shared\accounting | Set-Acl \\fs1\shared\sales
As we can see from the output of the "get-acl" commands before and after the permissions copy, the "Sales" shared folder permissions have been changed.
Set File and Folder Permissions
The PowerShell "set-acl" cmdlet is used to change the security descriptor of a specified item, such as a file, folder or a registry key; in other words, it is used to modify file or folder permissions. The following script sets the "FullControl" permission to "Allow" for the user "ENTERPRISE\T.Simpson" on the folder "Sales":
$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales
If you want to set other permissions to users or security groups, choose them from the table below:
There are also permission sets of basic access rights that can be applied:
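The three-argument FileSystemAccessRule constructor used above creates an ACE that applies to the folder object only, so files and subfolders created beneath it do not inherit it. The following is an added example (not from the original article) that grants a less privileged "Modify" right with explicit inheritance flags and then reports every ACE with its inherited/explicit state, so the Explicit Deny > Explicit Allow > Inherited Deny > Inherited Allow hierarchy can be checked. The share path and the group name "ENTERPRISE\Sales-Editors" are assumed values.

```powershell
# Added example: grant Modify (not FullControl) to a group and make the ACE
# inherit to subfolders (ContainerInherit) and files (ObjectInherit).
# The path and group below are assumed values, not from the article.
$Path     = '\\fs1\shared\sales'
$Identity = 'ENTERPRISE\Sales-Editors'

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl       = Get-Acl -Path $Path
    $rights    = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $type      = [System.Security.AccessControl.AccessControlType]::Allow
    # Five-argument constructor: identity, rights, inheritance, propagation, type
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Identity, $rights, $inherit, $propagate, $type
    # AddAccessRule merges with existing ACEs for this identity;
    # SetAccessRule (used in the article) replaces them instead.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AceReport {
    param([string]$Path)
    # Explicit ACEs first, and within each group Deny before Allow,
    # which is the order in which Windows evaluates them.
    (Get-Acl -Path $Path).Access |
        Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference } },
                      FileSystemRights, AccessControlType, IsInherited,
                      InheritanceFlags, PropagationFlags |
        Sort-Object IsInherited, @{ Expression = 'AccessControlType'; Descending = $true }
}

Grant-FolderModify -Path $Path -Identity $Identity
Get-AceReport -Path $Path | Format-Table -AutoSize
```

Running Get-AceReport before and after a change is a cheap way to confirm that a new ACE landed with the inheritance flags you intended.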
Remove User Permissions
To remove a permission, use the "RemoveAccessRule" method. Let's delete the "Allow FullControl" permission for T.Simpson on the "Sales" folder:
$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.RemoveAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales
Notice that T.Simpson still has the "Deny FullControl" permission. To remove it, let's use the "PurgeAccessRules" method, which will completely wipe T.Simpson's permissions on the "Sales" folder:
$acl = Get-Acl \\fs1\shared\sales
$usersid = New-Object System.Security.Principal.NTAccount("ENTERPRISE\T.Simpson")
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl \\fs1\shared\sales
Note that "PurgeAccessRules" doesn't work with a string user name; it works only with SIDs. Therefore, we used the "NTAccount" class to convert the user account name from a string into a SID. Also note that "PurgeAccessRules" works only with explicit permissions; it does not purge inherited ones.
Disable or Enable Permissions Inheritance
To manage inheritance, we use the "SetAccessRuleProtection" method. It has two parameters:
- The first parameter is responsible for blocking inheritance from the parent folder. It has two states: "$true" and "$false".
- The second parameter determines whether the current inherited permissions are retained or removed. It has the same two states: "$true" and "$false".
Let's disable inheritance for the "Sales" folder and delete all inherited permissions as well:
$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($true,$false)
$acl | Set-Acl \\fs1\shared\sales
Now we have only one access permission left (because it was added explicitly); all inherited permissions were removed.
Let's revert this change and enable inheritance for the folder "Sales" again:
$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($false,$true)
$acl | Set-Acl \\fs1\shared\sales
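Re-enabling inheritance only restores the ACEs the parent currently propagates; any explicit ACEs that were dropped with SetAccessRuleProtection($true,$false) are gone. The following added example (not from the original article) snapshots the folder's DACL as an SDDL string before protecting it and restores that exact DACL afterwards. Only the Access section is saved and restored, so the rollback does not touch the owner and does not require the SeRestorePrivilege. The share path and snapshot file are assumed values.

```powershell
# Added example: reversible inheritance change using an SDDL snapshot of the DACL.
# Path and snapshot file are assumed/constructed values, not from the article.
$Path     = '\\fs1\shared\sales'
$Snapshot = Join-Path $env:TEMP 'sales-dacl.sddl'
$Dacl     = [System.Security.AccessControl.AccessControlSections]::Access

function Backup-FolderDacl {
    param([string]$Path, [string]$File)
    # SDDL keeps the protection flag ("D:P...") as well as every ACE,
    # including inheritance and propagation flags.
    $sddl = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm($Dacl)
    Set-Content -Path $File -Value $sddl -Encoding ASCII
}

function Restore-FolderDacl {
    param([string]$Path, [string]$File)
    $sddl = (Get-Content -Path $File -Raw).Trim()
    $acl  = Get-Acl -Path $Path
    # Replace only the DACL section; owner and group are left as they are.
    $acl.SetSecurityDescriptorSddlForm($sddl, $Dacl)
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-FolderDacl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Block inheritance but copy the inherited ACEs as explicit ones ($true,$true),
    # so no principal loses access at the moment the change is applied.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
}

Backup-FolderDacl  -Path $Path -File $Snapshot
Protect-FolderDacl -Path $Path
# AreAccessRulesProtected reports whether inheritance is currently blocked.
(Get-Acl -Path $Path).AreAccessRulesProtected
Restore-FolderDacl -Path $Path -File $Snapshot
(Get-Acl -Path $Path).AreAccessRulesProtected
```

Keeping the snapshot file with the change ticket gives you a byte-exact record of what the DACL looked like before the change, which is also what an auditor will ask for.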
Change File and Folder Ownership
If you want to set an owner for a folder, you need to run the "SetOwner" method. Let's make "ENTERPRISE\J.Carter" the owner of the "Sales" folder:
$acl = Get-Acl \\fs1\shared\sales
$object = New-Object System.Security.Principal.NTAccount("ENTERPRISE\J.Carter")
$acl.SetOwner($object)
$acl | Set-Acl \\fs1\shared\sales
Notice that we again used the "NTAccount" class to convert the user account name from a string into a SID.
Note that the "SetOwner" method does not enable you to change the owner to any account you want; the account must have the "Take Ownership", "Read" and "Change Permissions" rights.
As you can see, it is very easy to manage NTFS permissions with PowerShell. But don't forget to audit NTFS permissions as well — it's critical for security to track all changes made to your file servers in order to reduce data leakage and combat the insider threat and other IT security risks. Here is a basic guide on how to audit NTFS permissions with PowerShell.
Source: https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/