Problem
You want to change the ACL of a file or directory.
Solution
To change the ACL of a file, use the Set-Acl cmdlet. This example prevents the Guest account from accessing a file:
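# Retrieve the file's current ACL
$acl = Get-Acl example.txt
# Identity, rights, and access type for the new rule
$arguments = "LEEDESK\Guest","FullControl","Deny"
$accessRule =
    New-Object System.Security.AccessControl.FileSystemAccessRule $arguments
# Add the rule to the in-memory ACL, then write the ACL back to the file
$acl.SetAccessRule($accessRule)
$acl | Set-Acl example.txt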
Discussion
The Set-Acl cmdlet sets the security descriptor of an item. This cmdlet isn’t limited to the filesystem, however. Any provider (for example, the Registry provider) that supports the concept of security descriptors also supports the Set-Acl cmdlet.
The Set-Acl cmdlet requires that you provide it with an ACL to apply to the item. While it is possible to construct the ACL from scratch, it is usually easiest to retrieve it from the item beforehand (as demonstrated in the solution). To retrieve the ACL, use the Get-Acl cmdlet. Once you’ve modified the access control rules on the ACL, simply pipe them to the Set-Acl cmdlet to make them permanent.
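The same retrieve, modify, and apply pattern against the Registry provider, as an added example that is not part of the original recipe. The scratch key HKCU:\Software\AclRecipeDemo is a constructed name, and the BUILTIN\Guests group (well-known SID S-1-5-32-546) is assumed here in place of the machine-specific LEEDESK\Guest account; it also assumes the current user is not a member of Guests.

```powershell
# Added example: the key name below is constructed for this demonstration.
$keyPath = 'HKCU:\Software\AclRecipeDemo'
New-Item -Path $keyPath -Force | Out-Null

# BUILTIN\Guests by its well-known SID, so no computer name is needed.
$guests = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'

# Registry keys take a RegistryAccessRule rather than a FileSystemAccessRule.
$arguments = $guests,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Deny
$accessRule =
    New-Object System.Security.AccessControl.RegistryAccessRule $arguments

# Retrieve the key's current ACL, add the Deny rule, and write it back.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRule($accessRule)
$acl | Set-Acl -Path $keyPath

# Re-read the ACL from the key and confirm the explicit Deny entry is present.
$denyRules = (Get-Acl -Path $keyPath).GetAccessRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference.Value -eq $guests.Value }
$denyRules | Format-List IdentityReference, RegistryRights, AccessControlType

# Remove the scratch key.
Remove-Item -Path $keyPath
```

Re-reading the ACL with Get-Acl after Set-Acl confirms the rule was actually persisted to the item, not just added to the in-memory object.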
In the solution, the $arguments list that we provide to the FileSystemAccessRule constructor explicitly sets a Deny rule on the Guest account of the LEEDESK computer for FullControl permission. For more information about working with classes (such as the FileSystemAccessRule class) from the .NET Framework.
Although the Set-Acl command is powerful, you may already be familiar with command-line tools that offer similar functionality (such as cacls.exe). Although these tools generally do not work on the registry (or other providers that support PowerShell security descriptors), you can of course continue to use these tools from PowerShell.
For more information about the Set-Acl cmdlet, type Get-Help Set-Acl. For more information about the Get-Acl cmdlet.