This project is read-only.

NTFSSecurity has moved to GitHub on October 10 2016. There will be no further changes here. 



Managing permissions with PowerShell is only a bit easier than in VBS or the command line as there are no cmdlets for most day-to-day tasks like getting a permission report or adding permission to an item. PowerShell only offers Get-Acl and Set-Acl but everything in between getting and setting the ACL is missing. This module closes the gap.


The cmdlets are yet not documented so Get-Help will just show the syntax. Prodiding documentation is planned tough.

Please send comments, feature requests and bug reports to or create an issue here



Just create the folder "NTFSSecurity" in one of the standard module folders and copy the files attached in there. The standard module folders are in the environment variable %PSModulePath%, for example C:\Users\<username>\Documents\WindowsPowerShell\Modules.
For example, all the files in the zip file have to be in "C:\Users\raandree\Documents\WindowsPowerShell\Modules\NTFSSecurity". If you did this then the module should be listed in "Get-Module -ListAvailable" and can be imported using "Import-Module NTFSSecurity".


The module provides 10 cmdlets to manage permissions on the file system, like adding and removing ACEs, setting the inheritance, getting the current permissions or even get the effective permissions for a certain user.

The available cmdlets are listed below with a short description. More information can be retrieved in the PowerShell using Get-Help.

All cmdlets have at least one parameter that supports the pipeline. They all can work with pipeline input coming from Get-ChildItem but some do more with what comes form the pipeline.

The name / SID translation is done by the Security2 class.


  • 4.2.1
    • Added the cmdlets Get-NTFSHardLink, New-NTFSHardLink, New-NTFSSymbolicLink
  •  4.2
    • Added cmdlets Move-Item2 and Copy-Item2
    • Remove-Item2, Move-Item2 and Copy-Item2 now support the WhatIf and Confirm
  • 4.1
    • The Attributes parameter for Get-ChildItem2 works the same like he one on the standard cmdlets Get-ChildItem as requested
    • Remoce-NTFSAccess can no remove access from existing Access Control Entries. The old behaviour is still available using the -RemoveSpecific switch parameter
  • 4.0
    • The NTFSAccess cmdlets can now work on Security descriptors to allow bulk processes
    • Code cleanup for better performance and maintainability
    • Bug Fixes
  •  3.2.3
    • Fixed a bug in GetInheritedFrom that resulted in "Invalid Path" or "Path not found" errors
  • 3.2
    • Bugfixing managing auditing
    • Fixed various Bugs reported on CodePlex
  • 3.1
    • All cmdlets have the prefix NTFS now. There are aliases for backward compatibility
    • The new version of Get-NTFSEffectivePermission uses AuthzAccessCheck instead of GetEffectiveRightsFromAcl
      • Previous Get-NTFSEffectivePermission cmdlet has been renamed to Get-NTFSEffectivePermissionOld
    • Added FileSystemAuditRule2 to the PowerShell formatters
    • Added InheritedFrom information to FileSystemAuditRule2
  • 3.0
    • This version leverages the AlphaFS ( to work around the MAX_PATH limitation of 260 characters
      • This requires new *-Item commands to be able to discover items with a log path
        • GetChildItem2 (dir2)
        • Get-Item2 (gi2)
        • Remove-Item2 (del2, rm2)
    • For inherited ACEs the InheritedFrom is displayed
    • Generic access rights are supported
    • Performance Improvements
    • Bug Fixes
  • 2.4
    • Remove-Access did not remove Deny ACEs when using the pipeline (for example: Import-Csv .\access.txt | Remove-Access)
    • Add-Access did not remove Deny ACEs when using the pipeline (for example: Import-Csv .\access.txt | Add-Access)
    • The parameter Account was undiscoverable when using the pipeline
  • 2.3
    • The module now makes full use of the Backup, Restore privilege and TakeOwnership so as an administrator you can edit permissions on objects that you do not have explicitly access to. Privileges are enabled by default if the value 'EnablePrivileges' is true in the NTFSSecurity.psd1. The new cmdlets Get, Disable and Enable-Privileges are for manual control.
    • The Path parameter now works consistently
  • 2.1
    • Fixed bugs with Set-Owner
    • Added support for also managing auditing (SACL)
  • 2.0 Beta
    • A bunch of new commands: Get-SimpleAccess, Get-SimpleEffectiveAccess, Show-SimpleAccess, Show-SimpleEffectiveAccess, Copy-Access
    • All cmdlets are now written in C#
    • Fixed a number of bugs
  • 1.3
    • Fixed an issue with parameter handling
    • Now works with PowerShell V3
  • 1.2
    • Fixed some issues with path validation
    • Fixed documentation bugs
  • 1.1
    • Fixed the issue with square brackets in paths
    • Performance improvements
  • 1.0
    • Last tests did not reveal any issue. PowerShell has a problem handling files that have square brackets in the file name. Therefore this module inherits the issue.
  • 0.9 (Beta)
    • Fixed some bugs
    • Updated documentation
  • 0.8 (Beta)
    • Initial Release

Last edited Oct 10, 2016 at 1:14 PM by raandree, version 10