ACL

Overview

Get ACL permissions

  1. The script retrieves the Access Control List (ACL) for a specified UNC path — the NTFS DACL of the target object, not the SMB share-level permissions, which must be audited separately — and resolves the Security Identifiers (SIDs) to their corresponding account names.
  2. It provides a plain-text description of the access rights (e.g., read or write) associated with each account.
  3. The output, including the SID, account name, and access rights, is saved to a CSV file for further analysis or reporting.
 1function Get-AccessDescription($AccessMask) {
 2    $AccessRights = @()
 3
 4    if ($AccessMask -band 0x1) { $AccessRights += "ReadData (List Directory)" }
 5    if ($AccessMask -band 0x2) { $AccessRights += "WriteData (Create Files)" }
 6    if ($AccessMask -band 0x4) { $AccessRights += "AppendData (Create Folders)" }
 7    if ($AccessMask -band 0x8) { $AccessRights += "ReadExtendedAttributes" }
 8    if ($AccessMask -band 0x10) { $AccessRights += "WriteExtendedAttributes" }
 9    if ($AccessMask -band 0x20) { $AccessRights += "ExecuteFile (Traverse Folder)" }
10    if ($AccessMask -band 0x40) { $AccessRights += "DeleteSubdirectoriesAndFiles" }
11    if ($AccessMask -band 0x80) { $AccessRights += "ReadAttributes" }
12    if ($AccessMask -band 0x100) { $AccessRights += "WriteAttributes" }
13    if ($AccessMask -band 0x10000) { $AccessRights += "Delete" }
14    if ($AccessMask -band 0x20000) { $AccessRights += "ReadControl" }
15    if ($AccessMask -band 0x40000) { $AccessRights += "WriteDACL" }
16    if ($AccessMask -band 0x80000) { $AccessRights += "WriteOwner" }
17    if ($AccessMask -band 0x100000) { $AccessRights += "Synchronize" }
18
19    return ($AccessRights -join ', ')
20}
21
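# Target UNC path and CSV report location.
$Path = "\\server\share"
$OutputFile = "AccessList.csv"

# Get-Acl on a UNC path returns the NTFS DACL of the target object, not the SMB
# share permissions; both layers are evaluated, so audit the share level separately.
# -ErrorAction Stop turns an unreadable path (no ReadControl, server offline) into a
# terminating error instead of silently exporting an empty report.
$ACL = Get-Acl -Path $Path -ErrorAction Stop

# One row per ACE. Collected via foreach-as-expression (no O(n^2) array appends) and
# wrapped in @() so an empty DACL still yields an array.
$AccessList = @(foreach ($ACE in $ACL.Access) {
    $Account = $ACE.IdentityReference.Value

    # Translate the IdentityReference itself rather than re-wrapping its .Value in an
    # NTAccount: when the ACE already holds a SecurityIdentifier (orphaned or foreign
    # account) NTAccount translation throws, and the original code then dropped the
    # ACE's rights from the report entirely. An orphaned SID still grants its rights,
    # so a failed lookup must only affect the SID column.
    try {
        $SID = $ACE.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $SID = "Not found or not resolvable"
    }

    $AccessDescription = Get-AccessDescription $ACE.FileSystemRights

    # AccessType distinguishes Allow from Deny ACEs, which the original report conflated;
    # IsInherited shows whether the entry is explicit on this object or propagated.
    New-Object PSObject -Property @{
        SID          = $SID
        AccountName  = $Account
        AccessRights = $AccessDescription
        AccessType   = $ACE.AccessControlType.ToString()
        IsInherited  = $ACE.IsInherited
    }
})

if ($AccessList.Count -eq 0) {
    Write-Warning "No access entries found on $Path (empty DACL: no principal is granted access)."
}

# Select-Object fixes the column order; a hashtable-built PSObject has no defined
# property order on Windows PowerShell, so the CSV header would otherwise vary.
$AccessList |
    Select-Object SID, AccountName, AccessRights, AccessType, IsInherited |
    Export-Csv -Path $OutputFile -NoTypeInformation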

Set ACL permissions

WARNING

The commands in this section are untested and modify the NTFS DACL of the target path. Validate them against a lab share before running them in production.

Full Control

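# Grant Full Control to the principal <SID> on the NTFS DACL of the share path.
# The original one-liner could not work: ObjectSecurity.AddAccessRule() returns void,
# so piping its result into Set-Acl supplies no -AclObject. The identity is built as a
# SecurityIdentifier because the string constructor expects an account name, not an
# S-1-5-... SID. ContainerInherit + ObjectInherit matches the GUI scope
# "This folder, subfolders and files".
# NOTE(review): Set-Acl writes the owner captured by Get-Acl as well; if it fails with
# an owner-related error the caller lacks the right to set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "FullControl", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl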

Modify

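# Grant Modify to the principal <SID> on the NTFS DACL of the share path.
# AddAccessRule() returns void, so the original pipe into Set-Acl passed no ACL object;
# the rule is applied to a variable and handed to Set-Acl explicitly. The identity is a
# SecurityIdentifier (the string constructor takes an account name, not a SID string),
# and the rule inherits to subfolders and files as the GUI preset does.
# NOTE(review): Set-Acl also writes the owner captured by Get-Acl; an owner-related
# failure means the caller cannot set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "Modify", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl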

Read & Execute

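# Grant Read & Execute to the principal <SID> on the NTFS DACL of the share path.
# AddAccessRule() returns void, so the original pipe into Set-Acl passed no ACL object;
# the rule is applied to a variable and handed to Set-Acl explicitly. The identity is a
# SecurityIdentifier (the string constructor takes an account name, not a SID string),
# and the rule inherits to subfolders and files as the GUI preset does.
# NOTE(review): Set-Acl also writes the owner captured by Get-Acl; an owner-related
# failure means the caller cannot set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "ReadAndExecute", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl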

List Folder Contents

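# Grant List Folder Contents to the principal <SID> on the NTFS DACL of the share path.
# AddAccessRule() returns void, so the original pipe into Set-Acl passed no ACL object;
# the rule is applied to a variable and handed to Set-Acl explicitly. The identity is a
# SecurityIdentifier (the string constructor takes an account name, not a SID string).
# "ListDirectory" alone is only the ReadData bit (0x1); the GUI "List folder contents"
# preset is ReadAndExecute scoped to "This folder and subfolders" (ContainerInherit
# only, so files do not inherit it) — that is what is applied here.
# NOTE(review): Set-Acl also writes the owner captured by Get-Acl; an owner-related
# failure means the caller cannot set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "ReadAndExecute", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl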

Read

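# Grant Read to the principal <SID> on the NTFS DACL of the share path.
# AddAccessRule() returns void, so the original pipe into Set-Acl passed no ACL object;
# the rule is applied to a variable and handed to Set-Acl explicitly. The identity is a
# SecurityIdentifier (the string constructor takes an account name, not a SID string),
# and the rule inherits to subfolders and files as the GUI preset does.
# NOTE(review): Set-Acl also writes the owner captured by Get-Acl; an owner-related
# failure means the caller cannot set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "Read", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl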

Write

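# Grant Write to the principal <SID> on the NTFS DACL of the share path.
# AddAccessRule() returns void, so the original pipe into Set-Acl passed no ACL object;
# the rule is applied to a variable and handed to Set-Acl explicitly. The identity is a
# SecurityIdentifier (the string constructor takes an account name, not a SID string),
# and the rule inherits to subfolders and files as the GUI preset does.
# NOTE(review): Set-Acl also writes the owner captured by Get-Acl; an owner-related
# failure means the caller cannot set that owner — confirm.
$acl = Get-Acl -Path "\\server\share" -ErrorAction Stop
$identity = New-Object System.Security.Principal.SecurityIdentifier("<SID>")
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "Write", $inherit, "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "\\server\share" -AclObject $acl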