
Set-Acl

NAME
    Set-Acl

SYNOPSIS
    Changes the security descriptor of a specified resource, such as a file or a Registry key.

SYNTAX
    Set-Acl [-Path] <string[]> [-AclObject] <ObjectSecurity> [-Exclude <string[]>] [-Filter <string>] [-Include <string[]>] [-Passthru] [-Confirm] [-WhatIf] [-UseTransaction] [<CommonParameters>]

DESCRIPTION
    The Set-Acl cmdlet changes the security descriptor of a specified resource, such as a file or a Registry key, to match the values in a security descriptor that you supply.

    To use Set-Acl, use the Path parameter to identify the resource whose security descriptor you want to change, and use the AclObject parameter to supply a security descriptor that has the values you want to apply. Set-Acl uses the value of the AclObject parameter as a model and changes the values in the resource’s security descriptor to match the values in the AclObject parameter.

PARAMETERS
    -AclObject <ObjectSecurity>
        Specifies an ACL with the desired property values. Set-Acl changes the ACL of resource specified by the Path parameter to match the values in the specified security object.

        You can save the output of a Get-Acl command in a Variable and then use the AclObject parameter to pass the Variable, or type a Get-Acl command.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    -Exclude <string[]>
        Omits the specified items. The value of this parameter qualifies the Path parameter. Enter a path element or pattern, such as “*.txt”. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Filter <string>
        Specifies a filter in the provider’s format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Include <string[]>
        Changes only the specified items. The value of this parameter qualifies the Path parameter. Enter a path element or pattern, such as “*.txt”. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Passthru [<SwitchParameter>]
        Returns an object representing the security descriptor. By default, this cmdlet does not generate any output.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string[]>
        Identifies the resource whose security descriptor you want to change. Enter the path to a resource, such as a path to a file or Registry key. Wildcards are permitted.

        If you pass a security object to Set-Acl (either by using the AclObject parameter or by passing an object from Get-Acl to Set-Acl), and you omit the Path parameter (name and value), Set-Acl uses the path that is included in the security object.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

    -Confirm [<SwitchParameter>]
        Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -WhatIf [<SwitchParameter>]
        Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -UseTransaction [<SwitchParameter>]
        Includes the command in the active transaction. This parameter is valid only when a transaction is in progress. For more information, see about_transactions.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "Get-Help about_CommonParameters".

INPUTS
    System.Security.AccessControl.ObjectSecurity
        You can pipe a security descriptor to Set-Acl.

OUTPUTS
    None or security object
        By default, Set-Acl does not generate any output. However, if you use the -Passthru parameter, it generates a security object. The type of the security object depends on the type of the resource.

NOTES

        The Set-Acl cmdlet is supported by the Windows PowerShell file system and Registry providers. As such, you can use it to change the security descriptors of files, directories, and Registry keys.

        When specifying multiple values for a parameter, use commas to separate the values. For example, “<parameter-name> <value1>, <value2>”.

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$DogACL = Get-Acl c:\dog.txt

    C:\PS>Set-Acl -Path C:\cat.txt -AclObject $DogACL

    Description
    -----------
    These commands copy the values from the security descriptor of the Dog.txt file to the security descriptor of the Cat.txt file. When the commands complete, the security descriptors of the Dog.txt and Cat.txt files are identical.

    The first command uses the Get-Acl cmdlet to get the security descriptor of the Dog.txt file. The assignment operator (=) stores the security descriptor in the value of the $DogACL Variable.

    The second command uses Set-Acl to change the values in the ACL of Cat.txt to the values in $DogACL.

    The value of the Path parameter is the path to the Cat.txt file. The value of the AclObject parameter is the model ACL, in this case, the ACL of Dog.txt as saved in the $DogACL Variable.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Get-Acl c:\dog.txt | Set-Acl -Path C:\cat.txt

    Description
    -----------
    This command is almost the same as the command in the previous example, except that it uses a pipeline operator to send the security descriptor retrieved in a Get-Acl command to a Set-Acl command.

    The first command uses the Get-Acl cmdlet to get the security descriptor of the Dog.txt file. The pipeline operator (|) passes an object that represents the Dog.txt security descriptor to the Set-Acl command.

    The second command uses Set-Acl to apply the security descriptor of Dog.txt to Cat.txt. When the command completes, the ACLs of the Dog.txt and Cat.txt files are identical.

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>$newACL = Get-Acl file0.txt

    C:\PS>Get-ChildItem c:\temp -recurse -Include *.txt -force | Set-Acl -AclObject $newacl

    Description
    -----------
    These commands apply the security descriptors in the File0.txt file to all text files in the C:\Temp directory and all of its subdirectories.

    The first command gets the security descriptor of the File0.txt file in the current directory and uses the assignment operator (=) to store it in the $newACL Variable.

    The first command in the pipeline uses the Get-ChildItem cmdlet to get all of the text files in the C:\Temp directory. The Recurse parameter extends the command to all subdirectories of C:\temp. The Include parameter limits the files retrieved to those with the “.txt” file name extension. The Force parameter gets hidden files, which would otherwise be excluded. (You cannot use “c:\temp\*.txt”, because the Recurse parameter works on directories, not on files.)

    The pipeline operator (|) sends the objects representing the retrieved files to Set-Acl command, which applies the security descriptor in the AclObject parameter to all of the files in the pipeline.

    In practice, it is best to use the WhatIf parameter with all Set-Acl commands that can affect more than one resource. In this case, the second command in the pipeline would be "Set-Acl -AclObject $newacl -WhatIf". This command lists the files that would be affected by the command. After reviewing the result, you can run the command again without the WhatIf parameter.
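    The three examples above copy a whole descriptor from one resource to another. Often the goal is narrower: read a descriptor with Get-Acl, edit individual access control entries, preview the change with WhatIf, and then let Set-Acl make the resource match the edited object. The following script is an added example, not part of this help text; the file path and the group it grants rights to are assumptions chosen for illustration.

```powershell
# Added example (not from the Set-Acl help): edit a file's DACL in memory,
# preview the change with -WhatIf, apply it, and verify the result via SDDL.
# $target and the 'BUILTIN\Users' grant are assumed values for illustration.
$target = 'C:\Temp\cat.txt'

# 1. Get the current security descriptor and keep its SDDL for comparison.
$acl    = Get-Acl -Path $target
$before = $acl.Sddl

# 2. Remove any explicit Allow ACE that gives Everyone (S-1-1-0) write rights.
#    Note: RemoveAccessRule only touches explicit ACEs; inherited ones are left
#    in place unless inheritance is broken with SetAccessRuleProtection first.
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($ace in @($acl.Access)) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $grantsWrite = (($ace.FileSystemRights -band $writeBits) -ne 0)
    if ($sid -eq $everyone -and $ace.AccessControlType -eq 'Allow' -and $grantsWrite) {
        $null = $acl.RemoveAccessRule($ace)
    }
}

# 3. Add a read-and-execute ACE for an assumed group.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Users', 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)

# 4. Preview what Set-Acl would touch, then apply. Set-Acl changes the
#    resource's descriptor to match $acl, which now carries the edited DACL.
Set-Acl -Path $target -AclObject $acl -WhatIf
Set-Acl -Path $target -AclObject $acl

# 5. Verify by re-reading the descriptor from disk.
$after = (Get-Acl -Path $target).Sddl
if ($after -eq $before) {
    Write-Warning "No change applied to $target"
} else {
    "DACL updated on ${target}:`n  before: $before`n  after:  $after"
}
```

    Because the descriptor from Get-Acl also carries the Owner, copying it wholesale between resources (as in Examples 1 and 2) asks Set-Acl to set the owner as well; editing a resource's own descriptor, as above, leaves the owner untouched and is the safer pattern when the two files are owned by different principals.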

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113389
    Get-Acl

Get-Acl

NAME
    Get-Acl

SYNOPSIS
    Gets the security descriptor for a resource, such as a file or Registry key.

SYNTAX
    Get-Acl [[-Path] <string[]>] [-Audit] [-Exclude <string[]>] [-Filter <string>] [-Include <string[]>] [-UseTransaction] [<CommonParameters>]

DESCRIPTION
    The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.

PARAMETERS
    -Audit [<SwitchParameter>]
        Gets the audit data for the security descriptor from the system access control list (SACL).

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Exclude <string[]>
        Omits the specified items. The value of this parameter qualifies the Path parameter. Enter a path element or pattern, such as “*.txt”. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Filter <string>
        Specifies a filter in the provider’s format or language. The value of this parameter qualifies the Path parameter. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficient than other parameters, because the provider applies them when retrieving the objects, rather than having Windows PowerShell filter the objects after they are retrieved.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Include <string[]>
        Retrieves only the specified items. The value of this parameter qualifies the Path parameter. Enter a path element or pattern, such as “*.txt”. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string[]>
        Specifies the path to a resource. Get-Acl gets the security descriptor of the resource indicated by the path. Wildcards are permitted. If you omit the Path parameter, Get-Acl gets the security descriptor of the current directory.

        The parameter name (“Path”) is optional.

        Required?                    false
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    -UseTransaction [<SwitchParameter>]
        Includes the command in the active transaction. This parameter is valid only when a transaction is in progress. For more information, see about_transactions.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "Get-Help about_CommonParameters".

INPUTS
    System.String
        You can pipe a string that contains a path to Get-Acl.

OUTPUTS
    System.Security.AccessControl
        Get-Acl returns an object that represents the ACLs that it gets. The object type depends upon the ACL type.

NOTES

        By default, Get-Acl displays the Windows PowerShell path to the resource (<provider>::<resource-Path>), the owner of the resource, and “Access”, a list (array) of the access control entries in the discretionary access control list (DACL) for the resource. The DACL list is controlled by the resource owner.

        When you format the result as a list ("Get-Acl | Format-List"), in addition to the path, owner, and access list, Windows PowerShell displays the following fields:

        — Group: The security group of the owner.

        — Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.

        — Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to retrieve this data.

        Because Get-Acl is supported by the file system and Registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and Registry objects, such as Registry keys and entries.

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Get-Acl C:\windows

    Description
    -----------
    This command gets the security descriptor of the C:\Windows directory.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Get-Acl C:\Windows\k*.log | Format-List -property PSPath, Sddl

    Description
    -----------
    This command gets the Windows PowerShell path and SDDL for all of the .log files in the C:\Windows directory whose names begin with “k.”

    The command uses Get-Acl to get objects representing the security descriptors of each log file. It uses a pipeline operator (|) to send the results to the Format-List cmdlet. The command uses the Property parameter of Format-List to display only the PsPath and SDDL properties of each security descriptor object.

    Lists are often used in Windows PowerShell, because long values appear truncated in tables.

    The SDDL values are valuable to system administrators, because they are simple text strings that contain all of the information in the security descriptor. As such, they are easy to pass and store, and they can be parsed when needed.

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Get-Acl c:/windows/k*.log -Audit | ForEach-Object { $_.Audit.Count }

    Description
    -----------
    This command gets the security descriptors of the .log files in the C:\Windows directory whose names begin with "k." It uses the Audit parameter to retrieve the audit records from the SACL in the security descriptor. Then it uses the ForEach-Object cmdlet to count the number of audit records associated with each file. The result is a list of numbers representing the number of audit records for each log file.

    -------------------------- EXAMPLE 4 --------------------------

    C:\PS>Get-Acl -Path hklm:\system\currentcontrolset\control | Format-List

    Description
    -----------
    This command uses Get-Acl to get the security descriptor of the Control subkey (HKLM\SYSTEM\CurrentControlSet\Control) of the Registry.

    The Path parameter specifies the Control subkey. The pipeline operator (|) passes the security descriptor that Get-Acl retrieves to the Format-List command, which formats the properties of the security descriptor as a list so that they are easy to read.
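    The Access, Audit, Owner and Sddl properties described in the notes and examples above are what an administrator uses to review permissions rather than just display them. The script below is an added example, not part of this help text: it walks a directory tree with Get-Acl, flags Allow entries that give broad well-known principals write-level rights, and records how many SACL audit entries each flagged file carries. The root directory is an assumption; the well-known SIDs are the standard ones for Everyone, Authenticated Users and the local Users group.

```powershell
# Added example (not from the Get-Acl help): review DACLs under a directory
# for broad write access and report SACL audit coverage.
# $root is an assumed starting directory for illustration.
$root = 'C:\Temp'

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that let a principal change content, delete, or change the ACL itself.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$findings = foreach ($item in Get-ChildItem -Path $root -Recurse -Force) {
    # -Audit reads the SACL and needs an elevated session; fall back to the
    # DACL-only descriptor if that fails so the DACL review still completes.
    $acl = Get-Acl -Path $item.FullName -Audit -ErrorAction SilentlyContinue
    if (-not $acl) { $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue }
    if (-not $acl) { continue }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $broad = $broadSids -contains $sid
        $write = (($ace.FileSystemRights -band $writeMask) -ne 0)
        if ($broad -and $write) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AuditACEs = @($acl.Audit).Count
                Owner     = $acl.Owner
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

    The Inherited column tells you whether a flagged entry is explicit on the file or flows down from a parent directory; the fix in the latter case belongs on the parent, not on each file. The AuditACEs column stays at zero when the session lacks the privilege to read the SACL, so treat a zero there as "not read" unless the script ran elevated.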

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113305
    Set-Acl