Play with folder ACL

This script is useful if you want to scan a root folder and get the ACL (owner and NTFS security rights) of each subfolder.

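Script:

# Enumerate the subfolders of the root share (placeholder UNC path)
$rootfolder = Get-ChildItem -Path '\\server\user_home_root_folder' -Directory
foreach ($userfolder in $rootfolder) {
	# Print the owner and the access entries of each subfolder
	Get-Acl $userfolder.FullName | ForEach-Object { Write-Host "The owner is : " $_.Owner "`nNTFS Security rights : " $_.AccessToString }
	Write-Host "`n"
}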


The reference table of flags for the System.Security.AccessControl.FileSystemAccessRule object is:

| Applies to | InheritanceFlags | PropagationFlags |
|---|---|---|
| Subfolders and Files only | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit | PropagationFlags.InheritOnly |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit | PropagationFlags.None |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit | PropagationFlags.NoPropagateInherit |
| This folder and subfolders | InheritanceFlags.ContainerInherit | PropagationFlags.None |
| Subfolders only | InheritanceFlags.ContainerInherit | PropagationFlags.InheritOnly |
| This folder and files | InheritanceFlags.ObjectInherit | PropagationFlags.None |
| This folder and files | InheritanceFlags.ObjectInherit | PropagationFlags.NoPropagateInherit |
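
The same flag combinations can be read back from existing ACLs to see what each entry applies to. The following PowerShell is an added example, not part of the original script: the function names Get-AceScope and Get-FolderAclReport are hypothetical, the UNC path is the same placeholder used above, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: label each ACE with its scope, using the flag combinations in the reference table.
function Get-AceScope {
    param(
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]$Propagation
    )
    # Keys are "<InheritanceFlags>|<PropagationFlags>" as rendered by the enums' ToString().
    $table = @{
        'ContainerInherit, ObjectInherit|InheritOnly'        = 'Subfolders and files only'
        'ContainerInherit, ObjectInherit|None'               = 'This folder, subfolders and files'
        'ContainerInherit, ObjectInherit|NoPropagateInherit' = 'This folder, subfolders and files'
        'ContainerInherit|None'                              = 'This folder and subfolders'
        'ContainerInherit|InheritOnly'                       = 'Subfolders only'
        'ObjectInherit|None'                                 = 'This folder and files'
        'ObjectInherit|NoPropagateInherit'                   = 'This folder and files'
    }
    $key = "$Inheritance|$Propagation"
    # Combinations the table does not list are reported with their raw flags.
    if ($table.ContainsKey($key)) { $table[$key] } else { "Not in table ($key)" }
}

function Get-FolderAclReport {
    param([Parameter(Mandatory)][string]$Root)
    foreach ($folder in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # One output object per access control entry in the folder's DACL
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = Get-AceScope $ace.InheritanceFlags $ace.PropagationFlags
            }
        }
    }
}

# Explicit (non-inherited) entries are the ones set directly on a folder; list those for review.
Get-FolderAclReport -Root '\\server\user_home_root_folder' |
    Where-Object { -not $_.Inherited } |
    Format-Table Folder, Owner, Identity, Type, Rights, AppliesTo -AutoSize
```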

The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.


Parameter Set: ByPath
Get-Acl [[-Path] <String[]>] [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByInputObject
Get-Acl -InputObject <PSObject> [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByLiteralPath
Get-Acl [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-LiteralPath <String[]>] [-UseTransaction] [<CommonParameters>]

By default, Get-Acl displays the Windows PowerShell path to the resource (<provider>::<resource-path>), the owner of the resource, and “Access”, a list (array) of the access control entries in the discretionary access control list (DACL) for the resource. The DACL is controlled by the resource owner.
When you format the result as a list (“Get-Acl | Format-List”), in addition to the path, owner, and access list, Windows PowerShell displays the following properties and property values:
— Group: The security group of the owner.
— Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.
— Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to get this data.
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.
