

Getting Access Control Entries (ACEs) of directory objects in PowerShell

You can use the Get-Acl / Set-Acl cmdlets to change the security permissions of directory objects in PowerShell, but Set-Acl does not give you any option other than copying one file's ACL to another. Simply put, you can get the Access Control List of one file with Get-Acl and then use Set-Acl to assign that ACL to whatever file(s) you want; but there is no way to change that ACL by adding or removing ACEs (at least with the standard cmdlets; at least I don't know right now if there is any).

Get-Ace in fact uses the Get-Acl cmdlet and does nothing special that you can't do with Get-Acl. So why do we need it? It exists just to make things easier when one is using Set-Acl, which is the subject of the next post.

Standard output of Get-Ace (check the attachment for the .ps1 file) with no parameters; this returns all of the ACEs, which can be assigned to a variable:

Get-Acl

 

Usage of Get-Ace with the -List and -Number parameters: the -List parameter returns a numbered list so that you can associate an ACE with a number and call it later with the -Number parameter. With -Number you can return a single ACE from the ACL and assign it to a variable. For example:

 $authUserAce = Get-Ace c:\ps\test.txt -Number 3

Get-Ace -List 
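The behaviour described above can be built on Get-Acl alone. The following is an added sketch, not the contents of the attached Get-Ace.ps1: the function name Get-AceExample, the zero-based numbering, the output column names and the temporary sample file are all assumptions made for illustration.

```powershell
# Added example: a Get-Acl wrapper with the -List / -Number behaviour the post describes.
# Get-AceExample is a hypothetical name; numbering from 0 is an assumption.
function Get-AceExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)][string]$Path,
        [switch]$List,
        [int]$Number
    )

    # The Access property of the security descriptor holds the ACEs of the DACL.
    $aces = @((Get-Acl -LiteralPath $Path -ErrorAction Stop).Access)

    if ($List) {
        # Numbered view, so an ACE can be picked later with -Number.
        for ($i = 0; $i -lt $aces.Count; $i++) {
            [pscustomobject]@{
                Number    = $i
                Identity  = $aces[$i].IdentityReference
                Type      = $aces[$i].AccessControlType   # Allow or Deny
                Rights    = $aces[$i].FileSystemRights    # file system paths only
                Inherited = $aces[$i].IsInherited
            }
        }
        return
    }

    if ($PSBoundParameters.ContainsKey('Number')) {
        # A number is only meaningful for the ACL it was listed from: if the
        # ACL changes between -List and -Number, the same index can point at
        # a different ACE, so fail loudly on an index that no longer exists.
        if ($Number -lt 0 -or $Number -ge $aces.Count) {
            throw "ACE number $Number is out of range for '$Path' ($($aces.Count) ACEs)."
        }
        return $aces[$Number]
    }

    $aces   # no parameters: all ACEs, as with (Get-Acl $Path).Access
}

# Constructed sample input: a temporary file that inherits its ACL from %TEMP%.
$sample = New-TemporaryFile
Get-AceExample $sample.FullName -List | Format-Table -AutoSize
$firstAce = Get-AceExample $sample.FullName -Number 0
"{0} : {1} {2}" -f $firstAce.IdentityReference, $firstAce.AccessControlType, $firstAce.FileSystemRights
Remove-Item -LiteralPath $sample.FullName
```

When reviewing permissions with a listing like this, check the Type column first: Deny entries and non-inherited entries are the ones that most often explain unexpected access results.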

Cheers, CanD

Get-Ace.ps1
