Backing up/Exporting and Restoring NTFS Perms using Get-ACL/Set-ACL

Hi all,

Trying to export NTFS permissions for a given filepath to .csv (which works fine), and then re-import it. To be used as a backup really.

So far I have the script below.

The backup section works - it exports the NTFS perms to a .csv all good and well.

The IMPORT process (Set-ACL) doesn’t work so well. This portion is a concoction of other scripts I have found online as i’m a bit of a powershell Novice but sort of know my way around.

Below the “Test” folder is a bunch of other sub-folders. Some with inherited permissions, some with explicit permissions with inheritance disabled.

When I run the import script, if inheritance is DISabled on all sub-folders it imports fine and restores the explicit permissions BUT it enables inheritance for all sub-folders regardless of if it was set before or not. If inheritance is ENabled then it completes but nothing changes. No perms are restored.

I’m at the end of my tether with it now and hope someone can point me in the right direction? Any help is appreciated.


Backup Permissions

Get-Childitem -path “D:\Test” -recurse | Where-Object {$_.PSIsContainer} | Get-ACL | Select-Object Path -ExpandProperty Access | Export-CSV “D:\NTFS Permissions.csv” -NoTypeInformation

Import NEEDS to be run as ADMINISTRATOR

$par = Import-Csv -Path “D:\NTFS Permissions.csv”
foreach ( $i in $par ) {
$path= $i.Path
$IdentityReference= $i.IdentityReference
$InheritanceFlags= $i.InheritanceFlags
echo $path $IdentityReference
$acl = Get-Acl “D:\Test”
$isProtected = $false
$preserveInheritance = $true
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$permission = $i.IdentityReference,$i.FileSystemRights,$i.AccessControlType
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl | Set-Acl $path

The first thing is you are not doing anything with these variables:

$IdentityReference= $i.IdentityReference
$InheritanceFlags= $i.InheritanceFlags

It appears you are getting the ACL from another directory rather than using what is in the CSV. The accessrule should be filled in with the CSV values, take a look at: