Give access to folder, its subfolders and all files to a user/group in Windows


I need to give read/execute and modify permissions to a user or group on a folder like:


and include all of its subfolders and files.

I need to do it using a PowerShell script.

Any ideas?


The script block below will give you an idea. Replace the necessary values. Also, if your subfolders are set to inherit the permission, you don't need to set the same on the subfolders.
$folder = 'F:\Data\MSSQL\MSSQL11.MyInst'
$ACL = Get-Acl $folder
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","Fullcontrol","Allow")
Set-Acl $folder $AccessRule

Did not work:

PS D:\MyFolder>
PS D:\MyFolder> $folder = ‘E:\Folder1’
PS D:\MyFolder> $ACL = Get-Acl $folder
PS D:\MyFolder> $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators
PS D:\MyFolder> $ACL.SetAccessRule($AccessRule)
PS D:\MyFolder> Set-Acl $folder $AccessRule
Set-Acl : AclObject
At line:1 char:1
+ Set-Acl $folder $AccessRule
    + CategoryInfo : InvalidArgument: (System.Security…ystemAccessRule:FileSystemAccessRule) [Set-Acl], Arg
    + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

I’ve used something similar to this in my functions.

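[pre]$FolderPath = "E:\Folder1"
$Group = "users"

$Acl = Get-Acl $FolderPath
# Modify for $Group, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group,"Modify","ContainerInherit,ObjectInherit","None","Allow")
# Put the rule into the ACL object before writing the ACL back to the folder
$Acl.SetAccessRule($AccessRule)
Set-Acl -Path $FolderPath -AclObject $Acl -Confirm:$false -Passthru[/pre]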

New Access rule looks like this:
[pre]FileSystemRights : Modify, Synchronize
AccessControlType : Allow
IdentityReference : users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None[/pre]
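
Added example, not written by any poster in this thread: it grants Modify on the root folder with the inheritance flags shown above, then lists the subfolders and files that have inheritance disabled, since those are the only ones the inheritable rule will not reach. The folder path and group name are placeholders taken from the posts; the function names are made up for this example.

```powershell
# Added example (not from the thread). Placeholder values: adjust before use.
$FolderPath = 'E:\Folder1'
$Group      = 'Users'

function Grant-FolderModify {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'Modify',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    # AddAccessRule merges with entries the identity already has;
    # SetAccessRule would replace its existing Allow entries instead.
    $acl.AddAccessRule($rule)
    # Set-Acl takes the whole ACL object, not the single rule.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-InheritanceBlockedItem {
    param([Parameter(Mandatory)][string]$Path)
    # AreAccessRulesProtected is $true when an item has inheritance disabled,
    # so the parent's inheritable ACEs do not apply to it or anything below it.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
        Select-Object -ExpandProperty FullName
}

Grant-FolderModify -Path $FolderPath -Identity $Group

# Explicit (non-inherited) entries now present on the root folder
(Get-Acl -LiteralPath $FolderPath).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags

# Items that will NOT pick up the new rule and need a separate decision
$blocked = @(Get-InheritanceBlockedItem -Path $FolderPath)
if ($blocked.Count -eq 0) {
    Write-Output 'All subfolders and files inherit from the root folder.'
} else {
    Write-Output 'Inheritance is disabled on:'
    $blocked
}
```

Items reported by the second function keep their own ACL; review why inheritance was disabled there before granting the group anything on them.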



Here’s a function I wrote a lifetime ago, it should do what you’re after:

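[pre]Function Change-ACL
{
<#
.SYNOPSIS
	This function will add or remove an ACE to the ACL for a directory.

.DESCRIPTION
	This function will add or remove an ACE to the ACL for a directory.

.PARAMETER Directory
	This is the directory you will add/remove an ACE for.

.PARAMETER UserNames
	These are the UserNames of the user(s) you want to change permissions for.

.PARAMETER AccessLevel
	This is the level of access you want to grant for the user(s). If you are removing permissions, all inherited levels are removed

.PARAMETER Add
	This switch specifies whether to add the permissions specified in the AccessLevel Parameter

.PARAMETER Remove
	This switch specifies whether to remove the user's permissions

.NOTES
	Version: 1.2
	Author: Lars Panzerbjrn
	Creation Date: 2017.11.01
	Purpose/Change: Initial script development
	Changed 2019.02.25 LP: Changed function to also Remove permissions; implemented Parameter Sets

.EXAMPLE
	Change-ACL -Directory "\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -AccessLevel Write -Add

	This will give the user Panzerbjrn_L_a access to write to the directory.

.EXAMPLE
	Change-ACL -Directory "\lonfs1\InfServices\Sec\SecOps" -UserNames Panzerbjrn_L_a -Remove

	This will remove the user Panzerbjrn_L_a from the ACL for the directory.
#>
	# The Param block did not survive in the post; this one is reconstructed
	# from the help text and examples above (parameter types are assumptions).
	[CmdletBinding(DefaultParameterSetName='Add')]
	Param(
		[Parameter(Mandatory)][string]$Directory,
		[Parameter(Mandatory)][string[]]$UserNames,
		[Parameter(ParameterSetName='Add')][string]$AccessLevel,
		[Parameter(ParameterSetName='Add')][switch]$Add,
		[Parameter(ParameterSetName='Remove')][switch]$Remove
	)

	$Path = $Directory
	$TestedPath = Test-Path $Path
	IF($TestedPath -eq $False) {Write-Verbose "$($Path) Doesn't exist; thank you please come again";return}
	$ACL = (Get-Item $Path).GetAccessControl('Access')

	ForEach ($UserName in $UserNames)
	{
		# Requires the ActiveDirectory module
		$USR = Get-ADUser -Filter {SamAccountName -like $UserName} -Properties *
		# "BDS" is the domain prefix used in the post; replace it with your own domain
		$Usrname = "BDS\"+$USR.SamAccountName
		IF($Add)
		{
			$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
			$Propagation = [System.Security.AccessControl.PropagationFlags]"None"
			$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Usrname, $AccessLevel, $Inherit, $Propagation, "Allow")
			# The add/remove calls were missing from the post; these two are reconstructed
			$ACL.AddAccessRule($AccessRule)
		}
		ELSEIF($Remove) {$ACL.PurgeAccessRules([System.Security.Principal.NTAccount]$Usrname)}
	}
	IF(($Add) -OR ($Remove)) {Set-Acl -Path $Path -AclObject $ACL}
	ELSE {Write-Verbose "No Add or Remove action was specified"}
}[/pre]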

BUT, do yourself a huge favour, and use groups to delegate access, not direct access by adding users to the ACL for folders/files/drives…