Listing folders with different permissions from parents

  • Question

  • Hi All,

    I had a quick look, and apologise if I have missed an existing post (I figure I can't possibly be the first person to ask this)...

    I have a motley mess of network shares and folders where the previous IT crew stupidly nested permissions a few tiers deep into the folders and mapped directly to them... manually.

    This means that there are a lot of folders with different permissions from the parents that need to be retrieved and put at the root of the share. The problem is I can't determine which folders they are without checking the permissions.

    I tried a script which provided me with a list of all folders where inheritance is disabled but then found that the inheritance being disabled doesn't mean anything because "additional" permissions can be added without inheritance being turned off.

    So, I started a script that would list all the subfolders and compare the ACLs of each subfolder to the parent folder, but I am stuck; for some reason, the ACLs of the subfolders appear blank?

    Can anyone perhaps give me a pointer as to what I am doing wrong? 


    $ParentFolder = "c:\temp"
    $ParentACL = get-acl -path $ParentFolder
    $SubFolders = get-childitem -path $ParentFolder -directory -recurse
    foreach ($folder in $SubFolders) {
      $subfolder = $folder.FullName
      $folderacl = get-acl -path "$subfolder"
      compare-object $ParentACL $folderacl
    }

    Wednesday, February 20, 2019 5:35 AM

All replies

  • Subfolders inheriting may have blank ACLs.  This is normal.  I recommend that you first learn how NTFS security works in detail before setting off on this quest.

    A simple first step is to secure the target folder.  You can do this by numerous means.  The easiest first step is to collect all shares and root folder paths, then extract the root folder definition and query the folder for its permissions.  Make adjustments after obtaining this report and determining what permissions the share root should be.

    Start by running this against all systems.

    Get-WmiObject win32_share -Filter 'Type=0 AND NOT Name LIKE "%$"' -Computer $computerList|
         select PsComputerName, Name, Path,Type |
    Export-CSv shares.csv

    After you learn how to best assign permissions to folders you can then add the perms to a column in the CSV and use that to apply the required permissions.  We cannot help you decide on the permissions required or teach you how to do this.


    Wednesday, February 20, 2019 6:18 AM
  • This is how to get all permissions on all subfolders within a folder.

    get-childitem d:\Test -directory -recurse -PipelineVariable fldr |
        Get-Acl | 
        Select-Object -ExpandProperty Access | 
        Select-Object @{ n = 'Folder'; e = { $fldr.fullname } }, *

    You cannot use Compare-Object on ACL objects.  It will give you nonsense because you have nothing to compare with that matches any requirements.

    Also note that there are many third party tools that make this easy and can manage and report on share deployment and security.


    Wednesday, February 20, 2019 6:29 AM
  • You can more easily compare SDDL strings.

    Get-ChildItem d:\Test -directory -recurse -PipelineVariable fldr |
        Get-Acl | 
        Select-Object @{ n = 'Folder'; e = { $fldr.fullname } }, SDDL

    You can also reset security with SDDL strings after you create them or copy from a known folder.


    Wednesday, February 20, 2019 6:33 AM
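
Added example, not part of the original thread or any poster's code: an audit that flags each subfolder that either has inheritance disabled or carries explicit (non-inherited) ACEs, which covers the case raised in the question where extra permissions are added while inheritance stays on. The function name `Get-AclDeviation` and the output file name are hypothetical; `D:\Test` is the sample path used in the replies above.

```powershell
# Added example: list folders whose DACL is not purely inherited from the parent.
# Get-AclDeviation is a hypothetical helper name, not an existing cmdlet.
function Get-AclDeviation {
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            }
            catch {
                # Report folders that cannot be read so they are not silently skipped.
                [pscustomobject]@{
                    Folder              = $path
                    InheritanceDisabled = $null
                    ExplicitRules       = "ACL unreadable: $($_.Exception.Message)"
                    Sddl                = $null
                }
                return   # next folder
            }

            # ACEs set directly on this folder; inherited ACEs have IsInherited = $true.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

            # Flag the folder if inheritance is blocked OR anything was added on top of it.
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Folder              = $path
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                    ExplicitRules       = ($explicit | ForEach-Object {
                            '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                        }) -join '; '
                    # DACL only, so owner/group differences do not show up as noise.
                    Sddl                = $acl.GetSecurityDescriptorSddlForm('Access')
                }
            }
        }
}

# Sample run against the path used in the replies; output file name is a placeholder.
Get-AclDeviation -Root 'D:\Test' |
    Export-Csv -Path .\acl-deviations.csv -NoTypeInformation
```

Folders that only inherit produce no row, so the CSV contains just the places where permissions were set below the share root.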
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,


    Just do it.

    Monday, February 25, 2019 7:31 AM