Give users read access to non-inherited folder permissions


If you have a Windows folder structure with many non-inherited folders, you may need to give a group of users the ability to read permissions only (not contents), for example to meet requirements from the help desk or from staff monitoring compliance. Assuming that you have administrator access to the Windows computer, the PowerShell-based recipe below may help you:

Pre-work:

  • Download the PowerShell module NTFSSecurity
  • Install the files in %USERPROFILE%\Documents\WindowsPowerShell\Modules\NTFSSecurity
  • Unblock each file in the directory above (right click --> Properties)
  • Create a domain group to manage the users who will receive the permissions (GRP-ReadPermissions in our example)

Procedure:

  • Start PowerShell as administrator
  • Assign your user the privileges needed to operate on all files even where your user doesn't have access (backup + restore + security):
      Enable-Privileges
  • You may want to log the state before the operation:
      Get-ChildItem -Path _root-folder_ -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > _log-file-before.txt_
  • Give the group GRP-ReadPermissions ListDirectory and ReadPermissions access to all directories with non-inherited entries:
      Get-ChildItem -Path _root-folder_ -Dir -Recurse | Get-NTFSAccess -ExcludeInherited | Add-NTFSAccess -Account _GRP-ReadPermissions_ -AccessRights ListDirectory,ReadPermissions
  • You may want to log the state after the operation:
      Get-ChildItem -Path _root-folder_ -Dir -Recurse | Get-NTFSAccess -ExcludeInherited > _log-file-after.txt_
  • Revoke the privileges from your account:
      Disable-Privileges

If you prefer, you can gather the commands above in a script for scheduling.
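The recipe above, gathered into one script suitable for scheduling. This is an added example, not the original post's code or part of the NTFSSecurity module: the parameter names, the log location, the dry-run switch and the "already granted" check are my own choices, and the root folder and group name are placeholders to replace with your own values. Compared with the one-liner, it selects folders by inheritance state (Get-NTFSInheritance) so that each folder is touched once, skips folders where the group already holds both rights, and always calls Disable-Privileges even if a step fails.

```powershell
# Added example (not from the original post). Assumes the NTFSSecurity module is installed.
# Run as administrator, e.g.:
#   .\Grant-ReadPermissions.ps1 -RootFolder 'D:\Shares' -Group 'CONTOSO\GRP-ReadPermissions' -DryRun
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $RootFolder,                        # placeholder: your root folder
    [Parameter(Mandatory)] [string] $Group,                             # placeholder: DOMAIN\GRP-ReadPermissions
    [string] $LogDir = (Join-Path $env:TEMP 'ntfs-readperm-logs'),      # assumption: where before/after logs go
    [switch] $DryRun                                                    # report what would change, change nothing
)

Import-Module NTFSSecurity -ErrorAction Stop
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Bit values of the two FileSystemRights we grant; used to test what the group already has.
$ListDirectoryBit   = 0x1
$ReadPermissionsBit = 0x20000

Enable-Privileges   # backup + restore + security privileges for the current session
try {
    # Folders whose ACL does not inherit from the parent. The one-liner in the post matches any
    # folder with an explicit entry (including folders that still inherit) and calls Add-NTFSAccess
    # once per explicit ACE; this selects on inheritance state and yields each folder once.
    $targets = Get-ChildItem -Path $RootFolder -Directory -Recurse -ErrorAction SilentlyContinue |
        Get-NTFSInheritance |
        Where-Object { -not $_.AccessInheritanceEnabled } |
        Select-Object -ExpandProperty FullName -Unique

    # "Before" snapshot of the explicit entries on the target folders.
    $targets | Get-NTFSAccess -ExcludeInherited |
        Export-Csv -Path (Join-Path $LogDir "before-$stamp.csv") -NoTypeInformation

    $changed = 0
    foreach ($folder in $targets) {
        # Skip the folder if an explicit Allow entry for the group already carries both rights.
        $hasBoth = Get-NTFSAccess -Path $folder -Account $Group -ExcludeInherited |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.AccessRights -band $ListDirectoryBit)   -ne 0) -and
                (([int]$_.AccessRights -band $ReadPermissionsBit) -ne 0)
            }
        if ($hasBoth) { continue }

        if ($DryRun) {
            Write-Output "[dry-run] would grant ListDirectory,ReadPermissions to $Group on $folder"
        } else {
            Add-NTFSAccess -Path $folder -Account $Group -AccessRights ListDirectory,ReadPermissions
        }
        $changed++
    }
    Write-Output "$($targets.Count) non-inheriting folder(s) found, $changed touched (dry-run: $DryRun)"

    # "After" snapshot, written in the same shape so the two files can be diffed.
    $targets | Get-NTFSAccess -ExcludeInherited |
        Export-Csv -Path (Join-Path $LogDir "after-$stamp.csv") -NoTypeInformation
}
finally {
    # Always drop the elevated privileges again, even if a step above threw.
    Disable-Privileges
}
```

Run it once with -DryRun and review the "before" CSV before letting a scheduled task run it unattended; the CSV logs are what an auditor will ask for when the question is who gained read-permissions access and when.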