Add a condition to directory NTFS permission using PowerShell

  • Question

  • I want to use PowerShell to add a condition to a folder's NTFS permission. Is this possible with PowerShell?

    I googled, but could not find anything. I've no problem creating a script to add or remove rules from folder ACL.

    Tuesday, June 18, 2019 10:21 AM


All replies

  • Please try to ask a clear question.  What do you mean by a "condition"?

    How to ask questions in a technical forum


    Tuesday, June 18, 2019 10:53 AM
  • Sorry, I thought I was clear. In Windows Server 2012 and newer you can add a condition to a folder permission.

    The following is a sample of conventional PowerShell code:

    function AssignArchivePermissions($path, $domain, $DenyGroup, $NTGroup,
                                      $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType){
        $acl = Get-Acl -Path $path
        # Snapshot the rules first: the collection must not change while it is being enumerated
        foreach($rule in @($acl.Access)){
            # Only explicit rules can be removed here; inherited ones come from the parent folder
            if($rule.IdentityReference.Value -eq "$domain\$DenyGroup" -and -not $rule.IsInherited){
                write-host "`r`n Removing $DenyGroup from $path ACL...`r`n"
                $acl.RemoveAccessRule($rule) | Out-Null
            }
        }
        $newrule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\$NTGroup",$FileSystemRights,$InheritanceFlags,$PropagationFlags,$AccessControlType)
        write-host "`r`n Adding $NTGroup to $path ACL...`r`n"
        $acl.AddAccessRule($newrule)
        Set-Acl -Path $path -AclObject $acl
    }

    Tuesday, June 18, 2019 11:46 AM
  • I want to add an image to show you what I mean about adding a condition, but the site keeps telling me it has to verify my account. I verified my email address already.
    Tuesday, June 18, 2019 11:48 AM
  • What is a "condition"?  It is not a term used for NTFS permissions.

    You are copying code and asking a question about code that you do not seem to understand.  We cannot modify code for you.  We can only answer questions about code you have written.

    Please read the following article.

    How to ask questions in a technical forum


    Tuesday, June 18, 2019 11:52 AM
  • Sorry, but that is code I've written.

    I would like to clarify what I mean by adding a condition by posting an image, but the site keeps telling me it has to verify my account.

    Tuesday, June 18, 2019 12:03 PM
  • If you can't explain what "condition" you are talking about then there is no way to answer your question.


    Tuesday, June 18, 2019 12:15 PM
  • My apologies for not being clear.

    When you open the folder properties, click the Security tab, then click the Advanced button.
    In Advanced Security Settings click Add. At the bottom you can add a condition to limit access to the folder. I was wondering if you could script this in PowerShell.

    Tuesday, June 18, 2019 12:30 PM
  • The code you posted does exactly what you describe.  It is not a condition; it is a rule called an ACE.

    I think you didn't write the code but copied it and tried to edit it.

    You still have not explained what you are trying to do (or add).  Please read the link I posted and try to ask a clear question.

    Note that this forum is not for end users.  It is assumed that you are technically trained in Windows and the technology you are trying to use.  The technology here is NTFS and it is the "security" of the NTFS objects that you need to research.  Without an understanding of the technology you will not be able to ask a question that makes much sense.


    Tuesday, June 18, 2019 12:35 PM
  • This guy is asking the same question:

    My guess is this is new to you too, that's why you don't understand my question. ¯\_(ツ)_/¯

    But Ok, I'll look somewhere else.

    Tuesday, June 18, 2019 12:55 PM
  • You have to say what condition you want to add.  Do you know what condition you want?

    Are you asking how to add a "conditional" entry in Server 2016?  All of your posts fail to say what it is you are trying to do.  The term is not "condition" it is "conditional permission" and is only available with DAC (Dynamic Access Control).

    Here is an article that will help you to understand this:

    Currently there are no cmdlets that can do this but it can be done by editing the SDDL.

    The term for the expressions is CAPS.

    Here is another article describing how this is done via Group Policy:


    • Marked as answer by ASulba Tuesday, June 18, 2019 1:16 PM
    Tuesday, June 18, 2019 1:14 PM
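As an added worked example of the approach jrv points at (editing the SDDL), and not code from the thread: the script below appends a conditional "callback" ACE to a folder's DACL by rewriting the DACL-only SDDL string and writing it back with Set-Acl, which is the only route PowerShell offers because no cmdlet exposes conditions. The folder path, account and group names in the usage line are placeholders, and the function names are this example's own. The condition used is Member_of, which is evaluated from the group SIDs already in the caller's token; a claim-based condition such as (@User.Department == "Finance") goes in the same slot of the ACE but additionally requires claims to be configured and issued by AD.

```powershell
# Added example (not from the thread): add a conditional (callback) ACE to a folder's DACL via SDDL.
# Conditional ACEs need Windows 8 / Windows Server 2012 or newer. Names used below are placeholders.

# Split a run of SDDL ACEs "(...)(...)" into individual ACE strings, honouring the nested
# parentheses that conditional expressions contain.
function Split-SddlAceRun([string] $Text) {
    $aces = @(); $i = 0
    while ($i -lt $Text.Length -and $Text[$i] -eq '(') {
        $start = $i; $depth = 0
        do {
            if ($Text[$i] -eq '(') { $depth++ } elseif ($Text[$i] -eq ')') { $depth-- }
            $i++
        } while ($depth -gt 0 -and $i -lt $Text.Length)
        $aces += $Text.Substring($start, $i - $start)
    }
    return ,$aces
}

# True when the ACE is an explicit (non-inherited) deny: type D or XD with no ID flag.
function Test-ExplicitDenyAce([string] $Ace) {
    if ($Ace -notmatch '^\((?<type>[A-Z]+);(?<flags>[A-Z]*);') { return $false }
    $type  = $Matches.type
    $flags = [regex]::Matches($Matches.flags, '..') | ForEach-Object { $_.Value }   # two-letter flag tokens
    return ($type -in 'D','XD') -and ($flags -notcontains 'ID')
}

function Resolve-Sid([string] $Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Rebuild a DACL-only SDDL string ("D:...") as: explicit denies, the new callback allow, everything else.
# That keeps the DACL in canonical order (explicit deny, explicit allow, inherited).
function New-DaclWithConditionalAce([string] $Dacl, [string] $Ace) {
    $m = [regex]::Match($Dacl, '^D:(?<flags>[A-Z]*)')
    if (-not $m.Success) { throw "Not a DACL SDDL string: $Dacl" }
    $aces  = Split-SddlAceRun $Dacl.Substring($m.Length)
    $deny  = @($aces | Where-Object { Test-ExplicitDenyAce $_ })
    $other = @($aces | Where-Object { -not (Test-ExplicitDenyAce $_) })
    return $m.Value + ($deny -join '') + $Ace + ($other -join '')
}

function Add-ConditionalAccessRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,        # principal granted access, e.g. 'CONTOSO\Archive-Users'
        [Parameter(Mandatory)] [string] $RequiredGroup,  # access applies only if the caller is also in this group
        [string] $Rights = 'FR',                         # SDDL rights token: FR = FILE_GENERIC_READ, FA = full control
        [string] $Flags  = 'OICI'                        # CI: subfolders inherit, OI: files inherit
    )
    $sid         = Resolve-Sid $Account
    $requiredSid = Resolve-Sid $RequiredGroup
    # XA = ACCESS_ALLOWED_CALLBACK: an allow ACE that applies only when the trailing expression is true.
    $ace = "(XA;$Flags;$Rights;;;$sid;(Member_of {SID($requiredSid)}))"

    $acl      = Get-Acl -Path $Path
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $newDacl  = New-DaclWithConditionalAce -Dacl $acl.GetSecurityDescriptorSddlForm($sections) -Ace $ace
    # Replace only the DACL; owner and group stay untouched, so Set-Acl needs no ownership rights.
    $acl.SetSecurityDescriptorSddlForm($newDacl, $sections)
    Set-Acl -Path $Path -AclObject $acl

    # Verify from a fresh read: the rule view ($acl.Access) hides the condition, the SDDL does not.
    $after = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm($sections)
    if ($after -notmatch ('\(XA;[A-Z]*;[^;]*;;;' + [regex]::Escape($sid) + ';')) {
        throw "Conditional ACE was not persisted. Resulting DACL: $after"
    }
    return $after
}

# Usage (placeholder names): grant Archive-Users read access, but only to members who are also in Finance.
# Add-ConditionalAccessRule -Path 'D:\Archive' -Account 'CONTOSO\Archive-Users' -RequiredGroup 'CONTOSO\Finance'
```

Get-Acl's rule view shows the XA entry as an ordinary allow rule with its condition stripped, so inspect the SDDL (or the Advanced Security Settings dialog) rather than $acl.Access to confirm the condition is in place. The rights and flags parameters take raw SDDL tokens on purpose; using FileSystemAccessRule objects would not help here because the managed rule class has no property for the condition.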
  • Thank you jrv!
    Tuesday, June 18, 2019 1:16 PM