powershell on modifying permissions

Matt 101 Reputation points
2022-12-06T20:55:17.817+00:00

Hi all,

We need to add the group local\admin1 to over 100 folders (UNC paths like \server1\root1, \server2\root2) and have it propagated to subfolders and files under these folders. Can anyone help with a PowerShell script?

Thank you for your help.

Windows Server PowerShell

Accepted answer
  1. MotoX80 31,571 Reputation points
    2023-01-30T23:20:32.3433333+00:00

    You have to CD to the folder where you saved the script or add the full path to it.

    I have updated the code to generate icacls commands to grant access for whatever account you wish. You would need to redirect the output to a file and then execute the commands after you verify that they will make the correct changes. I also added a depth switch.

    .\FindUnInheritedPerms.ps1 -target c:\temp -grant "BUILTIN\Administrators:(OI)(CI)(F)" -depth 1
    
    


    <#
    
    .SYNOPSIS
    This is a simple PowerShell script to analyze a given folder structure and look to see what files/folders have uninherited ACLs.
    
    .DESCRIPTION
    Find files/folders where admins/owners have been tweaking security permissions.
    
    This script accepts these parameters.
    -target    The path to the folder to be analyzed.
    -all       If true, analyze files in addition to folders.  
    -depth     How many subfolders to analyze 
    -grant     Generate icacls /grant command for each folder which does not inherit any permissions.
    
    .EXAMPLE
    ./FindUnInheritedPerms.ps1 -target c:\temp -all $true
    ./FindUnInheritedPerms.ps1 -target c:\temp 
    ./FindUnInheritedPerms.ps1 -target c:\temp -depth 2 -grant "BUILTIN\Administrators:(OI)(CI)(F)"
    
    
    .NOTES
    
    .LINK
    http://www.google.com
    
    Author: MotoX80 on Microsoft Q&A Forums 
    #>
    
    param (
        [string]$target = '',                            # analyze this folder
        [boolean]$all = $false,                          # include files
        [string]$grant = '',                             # generate icacls commands
        [int]$depth = 9999999                            # folder depth to analyze
    )
    
    if ($target -eq '') {
        "Please specify a target folder to analyze."
        return 
    }
    
    if ($grant -eq '') {
        "Base permissions on $target"
        Get-Acl -Path $target | Select-Object -ExpandProperty Access | Format-Table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited
    }
    if ($all) {
        $folders = Get-ChildItem -Path $target -depth $depth -recurse
    } else {
        $folders = Get-ChildItem -Path $target -Directory -depth $depth -recurse
    }
    
    
    foreach ($folder in $folders) {
        $acls = Get-Acl -Path $folder.FullName
    
        if ($acls.AreAccessRulesProtected -eq $true) {     # we found a folder that does not inherit permissions.
            if ($grant -eq '') {
                $folder.FullName          # This one
                $acls | Select-Object -ExpandProperty Access | Format-Table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited
            } else {
                # emit the command as text only; nothing is changed until the output is reviewed and run
                'icacls "{0}" /grant "{1}"' -f $folder.FullName, $grant
            }
        }
        else {
            # look for additional ACLs that were added to the ones inherited from the parent folder.
            $unique = $acls | Select-Object -ExpandProperty Access | Where-Object -Property IsInherited -eq $false
            if (($null -ne $unique) -and ($grant -eq '')) {
                "*{0}      (In addition to inherited perms)" -f $folder.FullName          # This one
                $unique | Format-Table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited
            }
        }
    }
    

3 additional answers

  1. Michael Taylor 48,046 Reputation points
    2022-12-06T22:14:42.643+00:00

    Do you need to actually propagate the permissions? Normally you just set the permissions on the highest level and let it inherit (which it does by default). So you'd set the permission on the root portion of the path (wherever that may be) and then subfolders and files automatically inherit the permission. If you really need to propagate the permissions then that can be done but it'll take a while for Windows to actually update all the child folders and files. The preference is to use inheritance since it is faster and easier to change.

    To set a new permission using PowerShell you'll need to create the ACE with the group and required permissions, then get the existing ACL from the folder, add the ACE to it and then save it back. The code is a little long but not difficult. Here's a link to a blog article that provides the exact code you need. A summary is provided here for your reference but refer to the article for more information.

       # Create the new ACE  
       $identity = 'domain\group'  
       $rights = 'FullControl'  
       $type = 'Allow'  
         
       # Folders and files inherit this permission, no need to propagate because it will be inherited  
       $inheritance = 'ContainerInherit, ObjectInherit'  
       $propagate = 'None'  
         
       $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $inheritance, $propagate, $type)  
         
       # Apply to existing file system object  
       $acl = Get-Acl -Path 'YourPath'  
       $acl.AddAccessRule($ace)  
       Set-Acl -Path 'YourPath' -AclObject $acl  
    

  2. MotoX80 31,571 Reputation points
    2022-12-07T23:58:16.917+00:00

    inheritance is not enabled.

    So you will first need to identify folders that do not inherit permissions from their parent folder so that you can apply the desired access to those subfolders.

    the above script still valid for my case?

    Yes, it will apply permissions to a folder but as I indicated, you need to figure out which folders to run it against.

    I have attached a script that I named FindUninheritedPerms.ps1. (Saved as a .txt file.) It will analyze the permissions on a folder structure and report on what subfolders do not inherit their parent folder permissions or have explicit permissions in addition to the inherited ones.

    So basically, you will need to merge the two scripts to identify the folders that need to be updated, and then apply the additional permissions.

    I strongly recommend that you test your updated script on a test folder structure and verify that the permissions are set correctly before you run it against your "100 folders".

    268336-finduninheritedperms.txt
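
One way to merge the two scripts as the answer above describes, as an added example that is not code from the thread or from the attached file. `Add-GroupAce` and its parameter names are hypothetical, and it assumes only folders need an explicit ACE (files whose own ACL blocks inheritance are not handled).

```powershell
# Added example. Add-GroupAce and its parameter names are illustrative, not from the thread.
function Add-GroupAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Root,     # top-level folders, e.g. read from a text file
        [Parameter(Mandatory)][string]$Identity,   # account or group to grant
        [string]$Rights = 'FullControl'
    )

    # Folders (ContainerInherit) and files (ObjectInherit) below the target inherit this ACE.
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')

    foreach ($r in $Root) {
        # The root always gets the ACE. A subfolder needs its own copy only when
        # AreAccessRulesProtected is true, i.e. it does not inherit from its parent.
        $targets = @(Get-Item -LiteralPath $r)
        $targets += Get-ChildItem -LiteralPath $r -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }

        foreach ($dir in $targets) {
            $acl = $null
            $status = 'Skipped'
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
                if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $Identity")) {
                    $acl.AddAccessRule($ace)      # merges with an existing matching ACE
                    Set-Acl -LiteralPath $dir.FullName -AclObject $acl -ErrorAction Stop
                    $status = 'Updated'
                }
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
            # One result row per folder, so the run can be exported and reviewed.
            [pscustomobject]@{
                Path      = $dir.FullName
                Protected = if ($acl) { $acl.AreAccessRulesProtected } else { $null }
                Status    = $status
            }
        }
    }
}

# Dry run first: lists every folder that would be changed without touching any ACL.
# Add-GroupAce -Root 'C:\temp' -Identity 'BUILTIN\Administrators' -WhatIf
```

Piping the output to `Export-Csv` keeps a record of which folders were changed and which failed.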


  3. Limitless Technology 43,931 Reputation points
    2022-12-08T10:26:18.477+00:00

    Hello there,

    If you are planning to propagate permissions there are a number of ways that PowerShell makes this process easier.
    Listing file and folder permissions
    Adding file and folder permissions
    Removing file and folder permissions
    Modify file and folder ownership
    Enable or disable folder inheritance

    The script below is one such example.

    $Folder = 'F:\'
    $ACL = Get-Acl $Folder
    $ACL_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('Tree', "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
    $ACL.SetAccessRule($ACL_Rule)
    Set-Acl -Path $Folder -AclObject $ACL

    To modify the inheritance properties of an object, we have to use the SetAccessRuleProtection method.

    $ACL = Get-Acl -Path "Folder1"
    $ACL.SetAccessRuleProtection($true,$false)
    $ACL | Set-Acl -Path "Folder1"


    --If the reply is helpful, please Upvote and Accept it as an answer--
