Submitted by itefix on
If you have a Windows folder structure with many non-inherited folders, you may need to give a group of users access to read the permissions only, to meet requirements from help desk or staff monitoring compliance. Assuming that you have administrator access to the Windows computer, the PowerShell-based recipe below may help you:
Pre-work:
- Download the PowerShell module NTFSSecurity
- Install files in %USERPROFILE%\Documents\WindowsPowershell\Modules\NTFSSecurity
- Unblock each file in the directory above (Right-click --> Properties)
- Create a domain group to manage the users who will have the permissions (GRP-ReadPermissions in our example)
Procedure:
- Start PowerShell as administrator
- Give your user the privileges needed to perform operations on all files even if your user doesn't have access (backup+restore+security):
Enable-Privileges
- Consider logging the state before the operation:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > log-file-before.txt
- Give the group GRP-ReadPermissions ListDirectory and ReadPermissions access to all directories with no inheritance:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited | Add-NTFSAccess -Account GRP-ReadPermissions -AccessRights ListDirectory,ReadPermissions
- Consider logging the state after the operation:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > log-file-after.txt
- Revoke the privileges from your account:
Disable-Privileges
If you prefer, you can gather the commands above in a script for scheduling.
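The steps above gathered into one schedulable script, as an added example (not the author's own script). The parameter names and log file names are assumptions. It also assumes `Get-NTFSAccess -Account` is used to filter by account, so the script can check that every targeted directory received the entry. `Disable-Privileges` sits in a `finally` block so the elevated privileges are dropped even if a step fails.

```powershell
# Added example: the recipe's steps as one script. Parameter names, defaults and
# log file names are illustrative assumptions, not part of the original recipe.
param(
    [Parameter(Mandatory)] [string] $RootFolder,
    [string] $Group  = 'GRP-ReadPermissions',
    [string] $LogDir = '.'
)

$ErrorActionPreference = 'Stop'
Import-Module NTFSSecurity

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$failed = $false

Enable-Privileges
try {
    # Directories that carry at least one explicit (non-inherited) entry.
    $targets = @(Get-ChildItem -Path $RootFolder -Directory -Recurse |
        Where-Object { Get-NTFSAccess -Path $_.FullName -ExcludeInherited } |
        ForEach-Object { $_.FullName })

    if ($targets.Count -gt 0) {
        # State before the change.
        Get-NTFSAccess -Path $targets -ExcludeInherited |
            Out-File (Join-Path $LogDir "acl-before-$stamp.txt")

        foreach ($dir in $targets) {
            Add-NTFSAccess -Path $dir -Account $Group -AccessRights ListDirectory,ReadPermissions
        }

        # State after the change.
        Get-NTFSAccess -Path $targets -ExcludeInherited |
            Out-File (Join-Path $LogDir "acl-after-$stamp.txt")

        # Check: every targeted directory must now have an explicit entry for the group.
        $missing = @($targets | Where-Object {
            -not (Get-NTFSAccess -Path $_ -Account $Group -ExcludeInherited)
        })
        if ($missing.Count -gt 0) {
            $missing | Out-File (Join-Path $LogDir "acl-missing-$stamp.txt")
            Write-Warning "$($missing.Count) directories have no explicit entry for $Group"
            $failed = $true
        }
    }
}
finally {
    # Always drop the backup/restore/security privileges again.
    Disable-Privileges
}
if ($failed) { exit 1 }
```

A non-zero exit code lets the task scheduler flag a run where the grant did not land on every directory.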