Export (0) Print
Expand All
Expand Minimize
7 out of 15 rated this helpful - Rate this topic

Using the Get-Acl Cmdlet

Retrieving the Security Descriptor for an Object

The Get-Acl cmdlet enables you to retrieve the security descriptor (access control list) for a file, a folder, or even a registry key. Note that, in order to view complete information for an object, you should pipe the results of Get-Acl through the Format-List cmdlet. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:



Get-Acl c:\scripts | Format-List

The resulting display will look something like this:



Path   : Microsoft.Windows PowerShell.Core\FileSystem::C:\scripts
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         FABRIKAM\kenmyer Allow  FullControl
         CREATOR OWNER Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
         A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
         48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
         ;CIID;DC;;;BU)

Had we called Get-Acl without piping the results through Format-List the resulting display would have looked more like this:



Path                       Owner                      Access
----                       -----                      ------
Microsoft.Windows PowerShell.Co... BUILTIN\Administrators     FABRIKAM\kenmyer Allow ...

Not quite as easy to decipher, to say the least.

Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:



Get-Acl HKCU:\Software\Microsoft\Windows

You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:



Get-Acl c:\scripts\*.log | Format-List

Related Links

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.