Give users access to read non-inherited folder permissions

If you have a Windows folder structure with many non-inherited folders, it may be necessary to give a group of users access to read permissions only, to meet requirements from the help desk or from staff monitoring compliance. Assuming that you have administrator access to the Windows computer, the PowerShell-based recipe below may help you:

Pre-work:

  • Download the PowerShell module NTFSSecurity
  • Install the files in %USERPROFILE%\Documents\WindowsPowershell\Modules\NTFSSecurity
  • Unblock each file in the directory above (Right click --> Properties)
  • Create a domain group to manage the users who will have the permissions (GRP-ReadPermissions in our example)

Procedure:
  • Start PowerShell as administrator
  • Assign your user the privileges needed to perform operations on all files even if your user doesn't have access (backup, restore and security privileges):
Enable-Privileges
  • You may want to log the state before the operation:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > log-file-before.txt

  • Give the group GRP-ReadPermissions ListDirectory and ReadPermissions access to all directories with no inheritance:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited | Add-NTFSAccess -Account GRP-ReadPermissions -AccessRights ListDirectory,ReadPermissions

  • You may want to log the state after the operation:
Get-ChildItem -Path root-folder -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > log-file-after.txt

  • Revoke the privileges from your account:
Disable-Privileges

If you prefer, you can gather the commands above in a script for scheduling.
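As an added example that is not part of the original post, the recipe gathered into one schedulable script. It assumes the NTFSSecurity module is installed and the script runs from an elevated PowerShell session; the parameter names, the log location and the before/after diff are our additions. It selects only folders whose ACL actually has inheritance switched off (via Get-NTFSInheritance), skips folders where the group already has an entry, and always drops the privileges again in a finally block.

```powershell
# Added example, not the original post's code. Assumes NTFSSecurity is
# installed and the caller is elevated. Parameter and path names are ours.
param(
    [Parameter(Mandatory)][string]$RootFolder,
    [string]$Group  = 'GRP-ReadPermissions',
    [string]$LogDir = "$env:ProgramData\PermissionAudit"
)
Import-Module NTFSSecurity -ErrorAction Stop
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

function Get-ExplicitAccess([string]$Root) {
    # Snapshot of every non-inherited ACE below $Root, for the before/after logs.
    Get-ChildItem -Path $Root -Directory -Recurse | Get-NTFSAccess -ExcludeInherited |
        Select-Object FullName, Account, AccessRights, AccessControlType
}

# Backup/restore/security privileges so ACLs we cannot otherwise read are processed.
Enable-Privileges
try {
    $before = Get-ExplicitAccess $RootFolder
    $before | Export-Csv "$LogDir\before-$stamp.csv" -NoTypeInformation

    # Only folders with inheritance really disabled, rather than any folder that
    # merely carries an explicit ACE (which Get-NTFSAccess -ExcludeInherited
    # alone would select).
    $targets = Get-ChildItem -Path $RootFolder -Directory -Recurse |
        Get-NTFSInheritance | Where-Object { -not $_.AccessInheritanceEnabled }

    foreach ($t in $targets) {
        # Idempotent: skip folders where the group already has an explicit entry.
        if (Get-NTFSAccess -Path $t.FullName -Account $Group -ExcludeInherited) { continue }
        Add-NTFSAccess -Path $t.FullName -Account $Group `
            -AccessRights ListDirectory,ReadPermissions
    }

    $after = Get-ExplicitAccess $RootFolder
    $after | Export-Csv "$LogDir\after-$stamp.csv" -NoTypeInformation

    # Record exactly which ACEs were added; anything other than new $Group
    # entries means something else touched the tree and should be reviewed.
    Compare-Object $before $after -Property FullName, Account, AccessRights, AccessControlType |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Export-Csv "$LogDir\changes-$stamp.csv" -NoTypeInformation
}
finally {
    Disable-Privileges   # always revoke the privileges, even if a step failed
}
```

Run it as `.\Grant-ReadPermissions.ps1 -RootFolder D:\Shares -Verbose` from the scheduled task's elevated account; the changes CSV is the artefact to hand to the compliance reviewers.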