PowerShell: Add Windows NTFS Permissions to File or Folder

The re-usable function:

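$path='C:\Windows\servicing'
$accountsToAdd='Administrators'
# Must be a System.Security.AccessControl.FileSystemRights name, e.g. FullControl, Modify, ReadAndExecute
$permissions='FullControl'

function addNtfsPermissions ($path,$accountsToAdd,$permissions){
  # Read the current ACL of the file or folder
  $acl = Get-ACL $path
  # Three-argument rule: applies to this object only (no inheritance flags)
  $accessRule=New-Object System.Security.AccessControl.FileSystemAccessRule($accountsToAdd,$permissions,"Allow")
  $acl.AddAccessRule($accessRule)
  # Write the modified ACL back, then display the result
  Set-Acl $path $acl
  Get-ACL $path
}

addNtfsPermissions $path $accountsToAdd $permissions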
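
A more defensive variant of the function above, as an added example that is not code from the original post: it resolves the account to a SID, skips the write when an explicit Allow rule already covers the requested rights, saves the DACL in SDDL form before changing it, and can restore it afterwards. The function names, the -BackupFile and -Inherit parameters and the scratch folder are assumptions made for illustration.

```powershell
# Added example, not from the original post. Names below are hypothetical.
function Add-NtfsPermissionChecked {
  [CmdletBinding(SupportsShouldProcess)]
  param(
    [Parameter(Mandatory)][string]$Path,
    [Parameter(Mandatory)][string]$Account,
    [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
    [Parameter(Mandatory)][string]$BackupFile,  # where the original DACL is saved
    [switch]$Inherit                            # also apply to child files and folders
  )
  $sidType = [System.Security.Principal.SecurityIdentifier]
  $acl = Get-Acl -LiteralPath $Path
  # Resolve the name to a SID first; a misspelled account fails here, before any write.
  $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
  # Explicit (non-inherited) Allow rules for this SID that already cover the request.
  $covering = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights }
  if ($covering) { Write-Verbose "$Account already has $Rights on $Path"; return $covering }

  # Inheritance flags are only valid on containers; the default is "this object only".
  $flags = 'None'
  if ($Inherit -and (Test-Path -LiteralPath $Path -PathType Container)) {
    $flags = 'ContainerInherit,ObjectInherit'
  }
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid,$Rights,$flags,'None','Allow')
  if ($PSCmdlet.ShouldProcess($Path, "Allow $Rights for $Account")) {
    # Save the DACL in SDDL form so the change can be undone.
    Set-Content -LiteralPath $BackupFile -Value $acl.GetSecurityDescriptorSddlForm('Access')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
  }
  # Return the rules now present for the account so the caller can verify the result.
  (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

function Restore-NtfsPermission ($Path, $BackupFile) {
  $acl = Get-Acl -LiteralPath $Path
  # Replace only the DACL; owner and group are left as they are.
  $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $BackupFile -Raw).Trim(), 'Access')
  Set-Acl -LiteralPath $Path -AclObject $acl
}

# Demo on a scratch folder (constructed path) rather than a system directory.
$demo = New-Item -ItemType Directory -Force -Path (Join-Path $env:TEMP 'acl-demo')
$backup = Join-Path $env:TEMP 'acl-demo.sddl'
Add-NtfsPermissionChecked -Path $demo.FullName -Account 'Administrators' -Rights Modify -BackupFile $backup -Verbose
Restore-NtfsPermission -Path $demo.FullName -BackupFile $backup
```

Running the function with -WhatIf reports the intended change without writing the ACL or the backup file.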

Example:

The following script and console output come from fixing an issue related to ‘TrustedInstaller will not run. Windows Module Installer service missing’ errors.

$computernames=@(
  'TESTWINDOWS1',
  'TESTWINDOWS2'
  )

$path='C:\Windows\servicing'
$accountsToAdd='Administrators'
# Must be a System.Security.AccessControl.FileSystemRights name
$permissions='FullControl'

function addNtfsPermissions ($path,$accountsToAdd,$permissions){
  $acl = Get-ACL $path
  $accessRule=New-Object System.Security.AccessControl.FileSystemAccessRule($accountsToAdd,$permissions,"Allow")
  $acl.AddAccessRule($accessRule)
  Set-Acl $path $acl
  Get-ACL $path
}

foreach($computername in $computernames){
  # ${function:addNtfsPermissions} passes the function body; it arrives as text on the
  # remote side and is rebuilt there with [scriptblock]::create()
  invoke-command -computername $computername -scriptblock{
    param($addNtfsPermissions,$path,$accountsToAdd,$permissions)
    write-host "Invoking function on $env:computername"
    [scriptblock]::create($addNtfsPermissions).invoke($path,$accountsToAdd,$permissions)
    # Start the Windows Modules Installer service and show its status
    start-service trustedinstaller
    get-service trustedinstaller
  } -ArgumentList ${function:addNtfsPermissions},$path,$accountsToAdd,$permissions
}

[TESTWINDOWS]: PS C:\Users\kimconnect\Documents> Get-ACL $localPath|select *

PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\Windows\servicing
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\Windows
PSChildName             : servicing
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\Windows\servicing
Owner                   : NT SERVICE\TrustedInstaller
Group                   : NT SERVICE\TrustedInstaller
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-34185226
                          49-1831038044-1853292631-2271478464D:PAI(A;OICIIO;GXGR;;;SY)(A;;0x1200a9;;;SY)(A;;FA;;;BA)(A;
                          OICIIO;GXGR;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;OICIIO;GA;;;S-1-5-80-956008885-3418
                          522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-185
                          3292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;
                          GXGR;;;S-1-15-2-2)
AccessToString          : NT AUTHORITY\SYSTEM Allow  -1610612736
                          NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Administrators Allow  -1610612736
                          BUILTIN\Users Allow  -1610612736
                          BUILTIN\Users Allow  ReadAndExecute, Synchronize
                          NT SERVICE\TrustedInstaller Allow  268435456
                          NT SERVICE\TrustedInstaller Allow  FullControl
                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -1610612736
                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute,
                          Synchronize
                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  -1610612736
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

[TESTWINDOWS]: PS C:\Users\kimconnect\Documents> get-service trustedinstaller
Status   Name               DisplayName
------   ----               -----------
Stopped  trustedinstaller   Windows Modules Installer

[TESTWINDOWS]: PS C:\Users\kimconnect\Documents> get-service trustedinstaller|start-service
[TESTWINDOWS]: PS C:\Users\kimconnect\Documents> get-service trustedinstaller
Status   Name               DisplayName
------   ----               -----------
Running  trustedinstaller   Windows Modules Installer

PS C:\Windows\system32> get-service -Name trustedinstaller -ComputerName $computernames|start-service

PS C:\Windows\system32> get-service -Name trustedinstaller -ComputerName $computernames|select MachineName,ServiceName,StartType,Status

MachineName     ServiceName      StartType  Status
-----------     -----------      ---------  ------
TESTWINDOWS0001 trustedinstaller    Manual Running
TESTWINDOWS0002 trustedinstaller    Manual Running
