Using the Get-Acl Cmdlet
Retrieving the Security Descriptor for an Object
The Get-Acl cmdlet enables you to retrieve the security descriptor (access control list) for a file, a folder, or even a registry key. Note that, in order to view complete information for an object, you should pipe the results of Get-Acl through the Format-List cmdlet. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:
Get-Acl c:\scripts | Format-List
The resulting display will look something like this:
Path   : Microsoft.PowerShell.Core\FileSystem::C:\scripts
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow FullControl
         NT AUTHORITY\SYSTEM Allow FullControl
         FABRIKAM\kenmyer Allow FullControl
         CREATOR OWNER Allow 268435456
         BUILTIN\Users Allow ReadAndExecute, Synchronize
         BUILTIN\Users Allow AppendData
         BUILTIN\Users Allow CreateFiles
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
         A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
         48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
         ;CIID;DC;;;BU)
Had we called Get-Acl without piping the results through Format-List, the resulting display would have looked more like this:
Path                          Owner                     Access
----                          -----                     ------
Microsoft.PowerShell.Co...    BUILTIN\Administrators    FABRIKAM\kenmyer Allow ...
Not quite as easy to decipher, to say the least.
Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:
Get-Acl HKCU:\Software\Microsoft\Windows
You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:
Get-Acl c:\scripts\*.log | Format-List
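When reviewing security settings across many objects, it helps to filter the Access entries rather than read each list by eye. The following is an added example, not part of the original article: it walks the Access rules returned by Get-Acl and reports Allow entries that give a broad group write-type rights, like the BUILTIN\Users AppendData and CreateFiles entries shown earlier. The function name Get-BroadWriteAce and the default group list are assumptions made for illustration, the group names assume an English-language system, and the check applies to file system objects only.

```powershell
# Added example; Get-BroadWriteAce and its default group list are hypothetical.
function Get-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadGroups = @('BUILTIN\Users', 'Everyone',
                                    'NT AUTHORITY\Authenticated Users')
    )

    # File system rights that allow adding, changing or removing content,
    # or changing who controls the object.
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($rights::WriteData -bor $rights::AppendData -bor
                       $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership)

    # Generic access bits have no FileSystemRights name, so Get-Acl shows them
    # as a number (268435456 in the listing above is 0x10000000, GENERIC_ALL).
    $genericAll   = 0x10000000
    $genericWrite = 0x40000000
    $mask = $writeBits -bor $genericAll -bor $genericWrite

    # Get-Acl accepts wildcards, so one call may return several descriptors.
    foreach ($acl in Get-Acl -Path $Path) {
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }

            $raw = [int]$ace.FileSystemRights
            $hit = $raw -band $mask
            if ($hit -eq 0) { continue }

            [pscustomobject]@{
                Path      = $acl.Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                RawMask   = '0x{0:X8}' -f $raw
                # Name the matched bits; generic bits are labelled by hand.
                Matched   = @(
                    if ($hit -band $genericAll)   { 'GENERIC_ALL' }
                    if ($hit -band $genericWrite) { 'GENERIC_WRITE' }
                    if ($hit -band $writeBits)    { [string]($rights.GetEnumValues() |
                        Where-Object { $_.value__ -band $hit -and $_.value__ -eq ($_.value__ -band $writeBits) } |
                        Select-Object -Unique) }
                ) -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-BroadWriteAce -Path 'C:\Scripts\*' | Format-List
```

The Inherited column shows whether the entry was set on the object itself or comes from a parent folder, which tells you where the permission would have to be changed.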