
Get the ACL of a File or Directory in PowerShell

Problem

You want to retrieve the ACL of a file or directory.

Solution

To retrieve the ACL of a file, use the Get-Acl cmdlet:

    PS > Get-Acl example.txt

        Directory: Microsoft.PowerShell.Core\FileSystem::C:\temp

    Path          Owner         Access
    ----          -----         ------
    example.txt   LEEDESK\Lee   BUILTIN\Administrator...

Discussion

The Get-Acl cmdlet retrieves the security descriptor of an item. This cmdlet doesn’t work only against the filesystem, however. Any provider (for example, the Registry provider) that supports the concept of security descriptors also supports the Get-Acl cmdlet.

The Get-Acl cmdlet returns an object that represents the security descriptor of the item and is specific to the provider that contains the item. In the filesystem, this returns a .NET System.Security.AccessControl.FileSecurity object that you can explore for further information. For example, Example 174 searches a directory for possible ACL misconfigurations by ensuring that each file contains an Administrators, Full Control ACL.

Example 174. Get-AclMisconfiguration.ps1

    ##############################################################################
    ##
    ## Get-AclMisconfiguration.ps1
    ##
    ## Demonstration of functionality exposed by the Get-Acl cmdlet. This script
    ## goes through all access rules in all files in the current directory, and
    ## ensures that the Administrator group has full control of that file.
    ##
    ##############################################################################

    ## Get all files in the current directory
    foreach($file in Get-ChildItem)
    {
        ## Retrieve the ACL from the current file
        $acl = Get-Acl $file
        if(-not $acl)
        {
            continue
        }

        $foundAdministratorAcl = $false

        ## Go through each access rule in that ACL
        foreach($accessRule in $acl.Access)
        {
            ## If we find the Administrator, Full Control access rule,
            ## then set the $foundAdministratorAcl variable
            if(($accessRule.IdentityReference -like "*Administrator*") -and
                ($accessRule.FileSystemRights -eq "FullControl"))
            {
                $foundAdministratorAcl = $true
            }
        }

        ## If we didn't find the administrator ACL, output a message
        if(-not $foundAdministratorAcl)
        {
            "Found possible ACL Misconfiguration: $file"
        }
    }
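The script above matches the account by display name and compares the rights to the single value "FullControl". The following variant is an added example, not part of the original recipe: it identifies BUILTIN\Administrators by its well-known SID, tests the rights as bit flags, and treats Deny and inherit-only entries separately. The function name Test-AdminFullControl and the status strings are assumptions made for illustration.

```powershell
# Added example. Test-AdminFullControl is a hypothetical helper name.
function Test-AdminFullControl {
    param([Parameter(Mandatory = $true)] [string] $Path)

    # Well-known SID of BUILTIN\Administrators; identical on every Windows
    # install, whatever the display language or any renamed accounts.
    $adminSid = 'S-1-5-32-544'
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return 'Unreadable' }

    # Request the rules with identities expressed as SIDs, not account names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $allowed = $false
    $denied = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $adminSid) { continue }

        # Inherit-only entries apply to child items, not to this item.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        if ($rule.AccessControlType -eq 'Deny') {
            # Any Deny entry for the group removes part of Full Control.
            $denied = $true
        }
        elseif (([int]$rule.FileSystemRights -band $full) -eq $full) {
            # FileSystemRights is a flags enum, so test the bits.
            $allowed = $true
        }
    }

    if ($denied) { return 'Denied' }
    if ($allowed) { return 'Ok' }
    return 'Missing'
}

# Report every item in the current directory that is not 'Ok'.
foreach ($item in Get-ChildItem -Force) {
    $status = Test-AdminFullControl -Path $item.FullName
    if ($status -ne 'Ok') {
        "Possible ACL misconfiguration ($status): $($item.FullName)"
    }
}
```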
