Last Update: Sep 04, 2024 | Published: Sep 11, 2020
The permissions that can be applied to files and folders are defined by the .NET enumeration System.Security.AccessControl.FileSystemRights, and the full list of names can be pulled straight from the enum:

```powershell
[System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
```

It may not always be clear what each of these rights does. They are broken up into basic permissions (the composite rights such as Read, Write, Modify and FullControl that Windows Explorer shows on the Security tab) and advanced permissions (the granular rights such as ReadData, WriteAttributes and ChangePermissions that the basic ones are built from).

Basic Permissions
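The composite basic permissions are just bitmasks over the granular rights. The function below is an added example, not code from the original post; it expands any FileSystemRights value into the single-bit rights it contains, so you can see exactly what "Read" or "Modify" hands out. The function name Expand-FileSystemRights is an assumption made here; it works on the enum alone and touches no files.

```powershell
# Added example: list the granular (single-bit) FileSystemRights contained in a value.
# Composite names in the enum (Read, Write, ReadAndExecute, Modify, FullControl)
# are skipped so that only the advanced permissions are reported.
function Expand-FileSystemRights {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemRights]$Rights
    )

    $enumType = [System.Security.AccessControl.FileSystemRights]
    $names = foreach ($name in [System.Enum]::GetNames($enumType)) {
        $bits = [int][System.Security.AccessControl.FileSystemRights]$name

        # A value with more than one bit set is a composite permission, not a granular right
        if (($bits -band ($bits - 1)) -ne 0) { continue }

        # Report the name when every bit of this flag is present in the requested rights
        if (([int]$Rights -band $bits) -eq $bits) { $name }
    }

    # Some bits carry two names (ReadData/ListDirectory, WriteData/CreateFiles, ...);
    # both are returned because both are valid in an access rule.
    $names | Sort-Object -Unique
}

# "Read" as shown in Explorer is really four advanced permissions
Expand-FileSystemRights -Rights Read

# "Modify" is everything in ReadAndExecute plus Write plus Delete
Expand-FileSystemRights -Rights Modify
```

Run the expansion on "FullControl" as well and note that it is the only basic permission that includes ChangePermissions and TakeOwnership, the two rights that let a principal rewrite the ACL rather than just the data.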
Reading Permissions

Using the Get-ACL cmdlet we can easily retrieve the access rules on an object:

```powershell
Get-ACL -Path "Folder1"
```

The default view doesn't give us a ton of information, so let's expand the Access property to see exactly which permissions are set on this folder:

```powershell
(Get-ACL -Path "Folder1").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

As you can see, there are a lot more permissions here than appear at first glance. What is shown above is the typical set of permissions on a newly created folder, all of them inherited from the parent folder. What if we create a new file and look at its permissions?
```powershell
(Get-ACL -Path "Test1.txt").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

As you might be able to tell, these are a bit different: a file cannot have children, so its entries carry none of the inheritance flags (ContainerInherit, ObjectInherit) that folder entries need in order to propagate to subfolders and files.
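Reading one ACL at a time is fine for a tutorial, but the question a practitioner usually asks is "who can write here that shouldn't?". The function below is an added example, not code from the original post. It walks a tree with Get-Acl, ignores inherited entries (those are fixed at the parent) and reports explicit Allow entries that grant write-level rights to any identity outside a trusted list. The function name Find-RiskyExplicitAce, the default trusted identities and the C:\inetpub path in the usage line are assumptions for illustration.

```powershell
# Added example: find explicit (non-inherited) Allow entries granting write-level
# rights to identities that are not on the trusted list.
function Find-RiskyExplicitAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Assumed defaults; add your domain admin groups for a real environment
        [string[]]$TrustedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'CREATOR OWNER'
        )
    )

    # Any of these bits lets the principal change the content or the ACL itself
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

    # Some installers write GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000)
    # instead of specific rights; treat those as write access too
    $genericWrite = 0x40000000 -bor 0x10000000

    $items = @(Get-Item -Path $Root) +
             @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop }
        catch { continue }   # no READ_CONTROL on this object; skip it

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }

            $mask = [int]$ace.FileSystemRights
            if (($mask -band ($writeMask -bor $genericWrite)) -eq 0) { continue }

            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Owner    = $acl.Owner
            }
        }
    }
}

# Usage (assumed path): every explicit write grant under a web root, with the owner
# shown because the owner can always rewrite the ACL regardless of the entries
Find-RiskyExplicitAce -Root 'C:\inetpub' | Format-Table -AutoSize
```

Only explicit entries are reported because an inherited entry that looks wrong is a symptom; the fix is on the ancestor where the entry was set. Entries whose identity shows as a raw SID (an orphaned account) still appear in the output, which is usually worth a second look.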
Adding Permissions

To add a permission we need to build a FileSystemAccessRule and apply it with Set-ACL. To craft the rule itself, we create a FileSystemAccessRule object using the constructor that takes an identity string, a FileSystemRights value and an AccessControlType (Allow or Deny):

```powershell
$ACL = Get-ACL -Path "Test1.txt"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("TestUser1","Read","Allow")
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path "Test1.txt"
(Get-ACL -Path "Test1.txt").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

As seen in the above process, it is quick and easy to change the permissions, and the constructors for the FileSystemAccessRule object are straightforward. Two details are worth knowing: SetAccessRule replaces the existing explicit Allow entries for that identity with the new rule (use AddAccessRule if you want to keep them), and Windows adds the Synchronize right to every Allow rule automatically, which is why the new entry is displayed as "Read, Synchronize" rather than plain "Read".
Copying Permissions

Now that we have set TestUser1 to have Read access to our file, what if we wanted to copy that same permission set to another file? Since we have already done the hard work of adding the new access rule, we can use the PowerShell pipeline to transfer the permissions from one object to another:

```powershell
Get-ACL -Path "Test1.txt" | Set-ACL -Path "Test2.txt"
(Get-ACL -Path "Test2.txt").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

Be aware that this copies the whole security descriptor, not just the one rule: any explicit entries already on Test2.txt are replaced, and the inheritance-protection setting and owner field of Test1.txt come along with it. Check the result before using this on an object that already had permissions of its own.
Removing Permissions

Now let's say TestUser1 shouldn't have permission to the Test1.txt file. The difference in removing the rule is that we need to recreate the exact FileSystemAccessRule that we want to remove. This is an explicit means of removing permissions that leaves no ambiguity about which permission is being removed. We will approach this very similarly to how we added a permission:

```powershell
$ACL = Get-ACL -Path "Test1.txt"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("TestUser1","Read","Allow")
$ACL.RemoveAccessRule($AccessRule)
$ACL | Set-Acl -Path "Test1.txt"
(Get-ACL -Path "Test1.txt").Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

As you can see above, we removed the Read permission from this object. The Synchronize permission is a special right that lets a handle to the file be used in synchronization (wait) operations; Windows adds it to every Allow rule automatically, which is why it appears alongside rights you did not ask for. If you do not know the exact rights an entry carries, the RemoveAccessRuleAll method removes every Allow (or Deny) entry for the identity regardless of its rights mask.
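Recreating the exact rule is precise but brittle: if the entry on disk carries "Read, Synchronize" or was later widened to Modify, a rule built from "Read" no longer matches it. The function below is an added example, not code from the original post. It resolves the identity to its SID (so "TestUser1" matches an entry stored as "COMPUTER\TestUser1"), removes every explicit entry for that SID with RemoveAccessRuleAll, and returns whatever is left for the identity so the caller can verify. The function name Remove-IdentityAccess is an assumption; TestUser1 and Test1.txt follow the article.

```powershell
# Added example: remove all explicit Allow and Deny entries for one identity,
# matching on SID rather than on the exact rights mask.
function Remove-IdentityAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )

    # Translate throws if the account cannot be resolved, which is the right outcome:
    # we do not want to silently "remove" entries for a misspelled name
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path $Path

    # Only explicit entries can be removed on this object; inherited ones live on the parent
    $matching = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })

    if ($matching.Count -eq 0) {
        Write-Warning "No explicit entries for $Identity on $Path (inherited entries are untouched)."
        return
    }

    foreach ($ace in $matching) {
        # RemoveAccessRuleAll matches on identity and Allow/Deny only; the rights in
        # $ace are ignored, so both "Read, Synchronize" and "Modify" entries go away
        $acl.RemoveAccessRuleAll($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Re-read from disk and return what remains for the identity (expected: only inherited entries, if any)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
}

Remove-IdentityAccess -Path 'Test1.txt' -Identity 'TestUser1'
```

Because Deny entries are matched too, this also clears a stale Deny that would otherwise keep blocking the account after a new Allow is added; Deny entries are evaluated before Allow entries, so a leftover Deny is a common reason "the permission was added but the user still gets Access Denied".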
Disabling Inheritance

To stop a folder from inheriting permissions from its parent we use the SetAccessRuleProtection method, which takes two arguments: isProtected and preserveInheritance. The first, isProtected, defines whether the folder is protected from inheriting its parent's access rules. Setting it to $true disables inheritance, as seen in the example below.

The second, preserveInheritance, decides what happens to the entries that were inherited at the moment inheritance is removed: $true converts them into explicit entries on the object, $false discards them. Keeping them is usually what you want, because dropping every inherited entry can leave a folder that nobody but the owner can touch, but it may not be desired when the goal is to start from a clean slate.

```powershell
$ACL = Get-Acl -Path "Folder1"
$ACL.SetAccessRuleProtection($true,$true)
$ACL | Set-Acl -Path "Folder1"
```

You may get the error Set-Acl: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation., which means you should run this from an elevated (Administrator) session.

Note how the entries are still present but are no longer true under IsInherited. This means we have copied the inherited permissions onto the folder as explicit entries and broken inheritance; with $false as the second argument the entries would have been removed instead.
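The two settings of preserveInheritance are easiest to understand side by side. The function below is an added example, not code from the original post: it creates a scratch folder under $env:TEMP, breaks inheritance with the requested preserveInheritance value, counts the entries before and after, and then restores inheritance before deleting the folder so the $false case does not leave an unreachable directory behind. The function name Test-InheritanceProtection is an assumption; run it from an elevated session as the article recommends.

```powershell
# Added example: compare SetAccessRuleProtection($true,$true) with ($true,$false)
# on a throw-away folder and report how many entries survive.
function Test-InheritanceProtection {
    param([Parameter(Mandatory)][bool]$PreserveInheritance)

    $folder = Join-Path $env:TEMP ('AclDemo_' + [guid]::NewGuid().ToString('N'))
    $null = New-Item -ItemType Directory -Path $folder
    try {
        $before = @((Get-Acl -Path $folder).Access)

        $acl = Get-Acl -Path $folder
        # isProtected=$true breaks inheritance; preserveInheritance decides whether the
        # inherited entries become explicit entries ($true) or are dropped ($false)
        $acl.SetAccessRuleProtection($true, $PreserveInheritance)
        Set-Acl -Path $folder -AclObject $acl

        $after = @((Get-Acl -Path $folder).Access)
        [pscustomobject]@{
            PreserveInheritance = $PreserveInheritance
            EntriesBefore       = $before.Count
            InheritedBefore     = @($before | Where-Object IsInherited).Count
            EntriesAfter        = $after.Count
            InheritedAfter      = @($after | Where-Object IsInherited).Count
        }
    }
    finally {
        # With $false the DACL is now empty: no entry grants anyone anything. The owner
        # still has implicit READ_CONTROL and WRITE_DAC, which is exactly enough to turn
        # inheritance back on (isProtected=$false) and make the folder deletable again.
        $fix = Get-Acl -Path $folder
        $fix.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $folder -AclObject $fix
        Remove-Item -Path $folder -Recurse -Force
    }
}

Test-InheritanceProtection -PreserveInheritance $true    # same entries, InheritedAfter = 0
Test-InheritanceProtection -PreserveInheritance $false   # EntriesAfter = 0
```

The recovery in the finally block is the same move you make by hand when a script has locked a folder down by mistake: as the owner you can always rewrite the DACL, and re-enabling inheritance is the quickest way to get a sane set of entries back.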
Changing the Owner

Finally, the owner of an object can be changed with the SetOwner method, which takes an NTAccount. After running Get-ACL again we can see that the owner has changed to our new user:

```powershell
$ACL = Get-Acl -Path "Folder1"
$User = New-Object System.Security.Principal.NTAccount("TestUser1")
$ACL.SetOwner($User)
$ACL | Set-Acl -Path "Folder1"
Get-ACL -Path "Folder1"
```

Assigning ownership to another account, as opposed to taking it for yourself, requires the SeRestorePrivilege privilege, so this too needs an elevated session. A non-administrator can only take ownership for themselves, and only of objects on which they hold the TakeOwnership right. Ownership matters because the owner always has implicit rights to read and rewrite the ACL, whatever the entries say.