This script is useful if you want to scan a root folder and get the ACL (owner and NTFS security rights) of each of its subfolders.
Script:
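    # List the items directly under the root folder
    $rootfolder = Get-ChildItem -Path \\server\user_home_root_folder
    foreach ($userfolder in $rootfolder) {
        # Print the full path of the item being examined
        $userfolder.FullName
        # Read its security descriptor and show the owner and the access rules
        get-acl $userfolder.FullName | foreach {write-host "The owner is : " $_.Owner "`nNTFS Security rights : " $_.AccessToString}
        Write-Host "`n"
    }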
Reference
The reference table of the inheritance and propagation flags of the object System.Security.AccessControl.FileSystemAccessRule is:
| Applies to | Flags |
|---|---|
| Subfolders and Files only | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.None |
| This Folder, Subfolders and Files | InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit |
| This folder and subfolders | InheritanceFlags.ContainerInherit, PropagationFlags.None |
| Subfolders only | InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly |
| This folder and files | InheritanceFlags.ObjectInherit, PropagationFlags.None |
| This folder and files | InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit |
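For a permission review it helps to have one row per access rule rather than the AccessToString text. The following is an added example, not part of the original script: it walks the same subfolders, decodes each rule's flags with the reference table, and writes a CSV. The Get-AppliesTo helper and the acl-report.csv file name are assumptions introduced for illustration.

```powershell
# Added example. Requires PowerShell 3.0+ (-Directory, [pscustomobject]).
# $RootPath reuses the placeholder UNC path from the script above.
$RootPath = '\\server\user_home_root_folder'

# Hypothetical helper: map a rule's flags to the "applies to" label of the reference table.
function Get-AppliesTo {
    param(
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]$Propagation
    )
    # Keys are "<InheritanceFlags>|<PropagationFlags>" as the enums render as strings.
    $map = @{
        'ContainerInherit, ObjectInherit|InheritOnly'        = 'Subfolders and Files only'
        'ContainerInherit, ObjectInherit|None'               = 'This Folder, Subfolders and Files'
        'ContainerInherit, ObjectInherit|NoPropagateInherit' = 'This Folder, Subfolders and Files'
        'ContainerInherit|None'                              = 'This folder and subfolders'
        'ContainerInherit|InheritOnly'                       = 'Subfolders only'
        'ObjectInherit|None'                                 = 'This folder and files'
        'ObjectInherit|NoPropagateInherit'                   = 'This folder and files'
    }
    $key = "$Inheritance|$Propagation"
    # Combinations the table does not list are reported with their raw flags.
    if ($map.ContainsKey($key)) { $map[$key] } else { "Not in table ($key)" }
}

$report = foreach ($folder in Get-ChildItem -Path $RootPath -Directory) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # A folder whose ACL cannot be read is itself a finding, so report it and move on.
        Write-Warning "Cannot read ACL of $($folder.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($rule in $acl.Access) {
        [pscustomobject]@{
            Folder    = $folder.FullName
            Owner     = $acl.Owner
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
            AppliesTo = Get-AppliesTo $rule.InheritanceFlags $rule.PropagationFlags
        }
    }
}

$report | Export-Csv -Path .\acl-report.csv -NoTypeInformation
# Explicit (non-inherited) entries are set on the folder itself; list them separately.
$report | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```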
Get-Acl
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.
Syntax
Parameter Set: ByPath
    Get-Acl [[-Path] <String[]>] [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByInputObject
    Get-Acl -InputObject <PSObject> [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByLiteralPath
    Get-Acl [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-LiteralPath <String[]>] [-UseTransaction] [<CommonParameters>]
Notes
By default, Get-Acl displays the Windows PowerShell path to the resource (
When you format the result as a list, (“Get-Acl | Format-List”), in addition to the path, owner, and access list, Windows PowerShell displays the following properties and property values:
— Group: The security group of the owner.
— Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.
— Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to get this data.
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.