Problem
You want to retrieve the ACL of a file or directory.
Solution
To retrieve the ACL of a file, use the Get-Acl cmdlet:

PS > Get-Acl example.txt

    Directory: Microsoft.PowerShell.Core\FileSystem::C:\temp

Path          Owner         Access
example.txt   LEEDESK\Lee   BUILTIN\Administrator...
Discussion
The Get-Acl cmdlet retrieves the security descriptor of an item. This cmdlet is not limited to the filesystem, however. Any provider (for example, the Registry provider) that supports the concept of security descriptors also supports the Get-Acl cmdlet.
The Get-Acl cmdlet returns an object that represents the security descriptor of the item and is specific to the provider that contains the item. In the filesystem, this returns a .NET System.Security.AccessControl.FileSecurity object that you can explore for further information. For example, Example 17-4 searches a directory for possible ACL misconfigurations by ensuring that each file contains an Administrators, Full Control ACL.
Example 17-4. Get-AclMisconfiguration.ps1

##############################################################################
##
## Get-AclMisconfiguration.ps1
##
## Demonstration of functionality exposed by the Get-Acl cmdlet. This script
## goes through all access rules in all files in the current directory, and
## ensures that the Administrator group has full control of that file.
##
##############################################################################

## Get all files in the current directory
foreach($file in Get-ChildItem)
{
    ## Retrieve the ACL from the current file
    $acl = Get-Acl $file
    if(-not $acl)
    {
        continue
    }

    $foundAdministratorAcl = $false

    ## Go through each access rule in that ACL
    foreach($accessRule in $acl.Access)
    {
        ## If we find the Administrator, Full Control access rule,
        ## then set the $foundAdministratorAcl variable
        if(($accessRule.IdentityReference -like "*Administrator*") -and
            ($accessRule.FileSystemRights -eq "FullControl"))
        {
            $foundAdministratorAcl = $true
        }
    }

    ## If we didn't find the administrator ACL, output a message
    if(-not $foundAdministratorAcl)
    {
        "Found possible ACL Misconfiguration: $file"
    }
}
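The script above matches the group by display name and requires the rights to equal FullControl exactly. The following variant is an added example, not part of the original script: it compares against the well-known BUILTIN\Administrators SID, skips inherit-only rules, and also reports Deny rules and unreadable ACLs. The function name Test-AdministratorsFullControl, its Path parameter, and the Issue strings are assumptions made for illustration.

```powershell
## Added example; function name, parameter, and Issue text are hypothetical.
function Test-AdministratorsFullControl
{
    param([string] $Path = ".")

    ## S-1-5-32-544 (BUILTIN\Administrators), independent of the OS language
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach($file in Get-ChildItem -LiteralPath $Path)
    {
        $issue = $null
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if(-not $acl)
        {
            ## An ACL we cannot read is worth reporting rather than skipping
            $issue = "ACL could not be read"
        }
        else
        {
            ## Explicit and inherited rules, with identities returned as SIDs
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])

            $allowed = $false
            $denied = $false
            foreach($rule in $rules)
            {
                if($rule.IdentityReference.Value -ne $adminSid.Value) { continue }
                ## Inherit-only rules apply to children, not to this item
                if($rule.PropagationFlags -band $inheritOnly) { continue }

                if($rule.AccessControlType -eq "Deny") { $denied = $true }
                elseif(($rule.FileSystemRights -band $fullControl) -eq $fullControl)
                {
                    $allowed = $true
                }
            }

            if($denied) { $issue = "Deny rule present for Administrators" }
            elseif(-not $allowed) { $issue = "No Allow FullControl for Administrators" }
        }

        if($issue) { New-Object PSObject -Property @{ Path = $file.FullName; Issue = $issue } }
    }
}
```

Because the function emits objects rather than strings, the results can be piped to Export-Csv or filtered with Where-Object.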