Ever update permissions in Windows Explorer only to get repeated errors about updates that were blocked, probably because you didn’t have Owner privileges on the file? In the aftermath (or in advance, if you think of it), it can be helpful to know which files in a folder don’t inherit permissions so you can go in and take ownership.
As always, use scripts that you find online at your own risk!
I found a script in a Spiceworks thread and enhanced it a bit. Output is saved in three .csv files, which is handy for manipulation in Excel. Copy this to a PowerShell script, e.g. ListFilesThatDontInheritPermissions.ps1. Update the paths at the top as desired.
# 03/26/2020
# From https://community.spiceworks.com/topic/493582-list-file-permissions-that-are-not-inherited
#
# Use after applying permissions in Explorer, setting to force inheritence, and getting those annoying
# messages on files that can't be updated (probably because they are not owned by Administrators).
#
# I enhanced to list files whose paths are too long (> 260)
$search_folder = "C:\Users"
$out_toolong = "C:\Users\Public\Documents\not_inherited_pathtoolong.csv"
$out_file = "C:\Users\Public\Documents\not_inherited.csv"
$out_error = "C:\Users\Public\Documents\not_inherited_errors.csv"
$items = Get-ChildItem -Path $search_folder -recurse
$toolong = @()
$found = @()
$errors = @()
ForEach ($item in $items) {
if ($item.fullname.length -gt 260) {
$toolong += New-Object -TypeName PSObject -Property @{
Length = $item.fullname.length
FullPath = $item.fullname
}
}
else {
# Get-Acl won't work if path is too long, so only try on "else"
try {
$acl = Get-Acl $item.fullname -ErrorAction Stop # Run "catch" even on non-terminating error
ForEach ($entry in $acl.access) {
If (!$entry.IsInherited) {
$found += New-Object -TypeName PSObject -Property @{
FullPath = $item.fullname
Owner = $acl.Owner
Access = $entry.FileSystemRights
Control = $entry.AccessControlType
User = $entry.IdentityReference
Inheritance = $entry.IsInherited
}
}
}
} catch {
$errors += New-Object -TypeName PSObject -Property @{
FullPath = $item.fullname
Owner = $acl.Owner
Error = $_.exception
}
}
}
}
$toolong |
Select-Object -Property Length,FullPath |
Export-Csv -NoTypeInformation -Path $out_toolong
$found |
Select-Object -Property FullPath,Owner,User,Control,Access,Inheritance |
Export-Csv -NoTypeInformation -Path $out_file
$errors |
Select-Object -Property FullPath,Owner,Error |
Export-Csv -NoTypeInformation -Path $out_error
Bonus: Find File Names Over 260 Characters Long
Updating the above script, I had to work around errors caused by file paths that were over 260 characters long. Since this is actually a separate issue from the permissions issue, I extracted a small script that will list those files. Copy this to ListFilePathsOver260Long.ps1:
# 03/24/2020
# Adapted from ListFilesThatDontInheritPermissions.ps1
$search_folder = "C:\Users"
$out_toolong = "C:\Users\Public\Documents\pathtoolong.csv"
$items = Get-ChildItem -Path $search_folder -recurse
$toolong = @()
$found = @()
$errors = @()
ForEach ($item in $items) {
if ($item.fullname.length -gt 260) {
$toolong += New-Object -TypeName PSObject -Property @{
Length = $item.fullname.length
FullPath = $item.fullname
}
}
}
$toolong |
Select-Object -Property Length,FullPath |
Export-Csv -NoTypeInformation -Path $out_toolong