{"id":302,"date":"2014-11-23T00:01:00","date_gmt":"2014-11-23T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/11\/23\/weekend-scripter-manage-ntfs-inheritance-and-use-privileges\/"},"modified":"2019-02-18T10:36:59","modified_gmt":"2019-02-18T17:36:59","slug":"weekend-scripter-manage-ntfs-inheritance-and-use-privileges","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-manage-ntfs-inheritance-and-use-privileges\/","title":{"rendered":"Weekend Scripter: Manage NTFS Inheritance and Use Privileges"},"content":{"rendered":"

Summary<\/b>: Microsoft PFE, Raimund Andree, talks about using Windows PowerShell to disable inheritance on folders.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Today Raimund Andree, talks about using Windows PowerShell to disable inheritance on folders. Take it away, Raimund…<\/p>\n

In my previous post, Use PowerShell to Get, Add, and Remove NTFS Permissions<\/a>, I talked about NTFS inheritance. Inheritance is a fundamental feature of NTFS to keep permissions consistent and easy to manage.<\/p>\n

However, there are some scenarios where you want to disable inheritance on folders or find out where it has been disabled. This post explains how this can be achieved by using the NTFSSecurity module.<\/p>\n

Determine inheritance settings<\/h2>\n

To determine if a file or folder inherits from its parent, use the Get-NTFSAccessInheritance<\/b> cmdlet (there is also a Get-NTFSAuditInheritance <\/b>cmdlet). There are two ways to specify the file or folder: You can use the Path<\/b> parameter or pipe the file or folder object to Get-NTFSAccessInheritance<\/b>:<\/p>\n

Get-NTFSAccessInheritance -Path C:\\Windows<\/p>\n

Get-Item C:\\Windows | Get-Inheritance<\/p>\n

The output might look like this:<\/p>\n

\"Image<\/a><\/p>\n

You can easily get the information for a bunch of items by using the built-in Get-ChildItem<\/b> cmdlet, and then pipe all the items to Get-NTFSAccessInheritance<\/b>:<\/p>\n

Get-ChildItem c:\\ | Get-NTFSAccessInheritance<\/p>\n

\"Image<\/a><\/p>\n

Enabling inheritance<\/h2>\n

The cmdlet for enabling the inheritance on an object is similar to reading the inheritance information:<\/p>\n

Enable-NTFSAccessInheritance -Path .\\Data<\/p>\n

By default, the cmdlet does not return any output unless you use the <\/span>PassThru<\/b> switch.<\/span><\/p>\n

The cmdlet provides one additional switch parameter: RemoveExplicitAccessRules<\/b>. When specified, all explicitly assigned access control entries (ACEs) will be removed after enabling the inheritance. This is like setting the folder back to default permissions.<\/p>\n

\"Image<\/a><\/p>\n

The previous output shows that there were only explicitly assigned ACEs in the Data folder. These were removed after enabling the inheritance and there are only inherited ACEs remaining.<\/p>\n

Note<\/b>  The RemoveExplicitAccessRules<\/b> switch should be used with care. Using this switch by accident can cause users to not be able to access their resources.<\/p>\n

A common use case for Enable-NTFSAccessInheritance<\/h3>\n

If users can alter the ACL of files or folders, they might remove relevant ACEs. The result is that the administrators are no longer able to access the data. Another reason why an administrator cannot access data is that someone has disabled the inheritance and deleted all inherited ACEs.<\/p>\n

First you need to use the recursive method provided by Get-ChildItem<\/b> to get all files and folders and filter out the items where inheritance is enabled.The remaining items are piped to Enable-NTFSAccessInheritance<\/b>, which informs about items where inheritance is enabled with the PassThru<\/b> switch.<\/p>\n

Get-ChildItem -Recurse | Get-NTFSAccessInheritance | Where-Object { -not $_.InheritanceEnabled } |
Enable-NTFSAccessInheritance -PassThru<\/p>\n

\"Image<\/a><\/p>\n

Disabling inheritance<\/h2>\n

In NTFSSecurity, you also need to disable inheritance. When enabling inheritance you have to determine what to do with explicit ACES (usually you keep them). When disabling inheritance, the inherited ACEs can be converted into explicit ones or they can be removed. This is controlled by the RemoveInheritedAccessRules<\/b> switch.<\/p>\n

In the following example, the inheritance for the folder GPO is enabled. The folder is inheriting four ACEs from the parent (drive D). After disabling inheritance, the ACEs still exist as explicit ACEs.<\/p>\n

\"Image<\/a><\/p>\n

Note<\/b>  When using the RemoveInheritedAccessRules<\/b> switch, you need to make sure that the access is guaranteed after disabling the inheritance. If an item does not have explicit ACEs assigned and you remove all inherited ACEs, nobody will be able to access the file. However, an administrator can always use the back-up privilege or take ownership to get access again.<\/p>\n

Using privileges<\/h2>\n

Note <\/b> There was a big change in Windows 8 and Windows Server 2012 regarding how privileges can be used. The features described in this section work only on Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012.<\/p>\n

Sometimes permissions are hosed and access is denied, even if you are the mighty administrator. In this case, you cannot even read the existing ACL. Of course, the administrator can always take the ownership of an object, but this erases the existing ACL of the object. This is bad because you cannot determine by the ACL the people who need to have access.<\/p>\n

Windows has a very handy concept of privileges. A privilege represents the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time. Privileges differ from access rights in two ways:<\/p>\n