Posts
May 2, 2023
2 min read
Windows ACL Management with PowerShell
A comprehensive collection of PowerShell scripts for managing Windows Access Control Lists (ACLs), including permission enumeration, modification, and analysis tools with detailed permission descriptions.
Get ACL permissions
- The script retrieves the Access Control List (ACL) for a specified UNC path, resolving the Security Identifiers (SIDs) to their corresponding account names.
- It provides a plain-text description of the access rights (e.g., read or write) associated with each account.
- The output, including the SID, account name, and access rights, is saved to a CSV file for further analysis or reporting.
function Get-AccessDescription($AccessMask) {
$AccessRights = @()
if ($AccessMask -band 0x1) { $AccessRights += "ReadData (List Directory)" }
if ($AccessMask -band 0x2) { $AccessRights += "WriteData (Create Files)" }
if ($AccessMask -band 0x4) { $AccessRights += "AppendData (Create Folders)" }
if ($AccessMask -band 0x8) { $AccessRights += "ReadExtendedAttributes" }
if ($AccessMask -band 0x10) { $AccessRights += "WriteExtendedAttributes" }
if ($AccessMask -band 0x20) { $AccessRights += "ExecuteFile (Traverse Folder)" }
if ($AccessMask -band 0x40) { $AccessRights += "DeleteSubdirectoriesAndFiles" }
if ($AccessMask -band 0x80) { $AccessRights += "ReadAttributes" }
if ($AccessMask -band 0x100) { $AccessRights += "WriteAttributes" }
if ($AccessMask -band 0x10000) { $AccessRights += "Delete" }
if ($AccessMask -band 0x20000) { $AccessRights += "ReadControl" }
if ($AccessMask -band 0x40000) { $AccessRights += "WriteDACL" }
if ($AccessMask -band 0x80000) { $AccessRights += "WriteOwner" }
if ($AccessMask -band 0x100000) { $AccessRights += "Synchronize" }
return ($AccessRights -join ', ')
}
$Path = "\\server\share"
$OutputFile = "AccessList.csv"
$ACL = Get-Acl -Path $Path
$AccessList = @()
foreach ($ACE in $ACL.Access) {
try {
$Account = $ACE.IdentityReference.Value
$SID = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$AccessDescription = Get-AccessDescription $ACE.FileSystemRights
$AccessEntry = New-Object PSObject -Property @{
SID = $SID
AccountName = $Account
AccessRights = $AccessDescription
}
$AccessList += $AccessEntry
} catch {
$AccessEntry = New-Object PSObject -Property @{
SID = "Not found or not resolvable"
AccountName = "Not found or not resolvable"
AccessRights = "Not found or not resolvable"
}
$AccessList += $AccessEntry
}
}
$AccessList | Export-Csv -Path $OutputFile -NoTypeInformation
Set ACL permissions
Full Control
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "FullControl", "Allow"))) | Set-Acl -Path "\\server\share"
Modify
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "Modify", "Allow"))) | Set-Acl -Path "\\server\share"
Read & Execute
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "ReadAndExecute", "Allow"))) | Set-Acl -Path "\\server\share"
List Folder Contents
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "ListDirectory", "Allow"))) | Set-Acl -Path "\\server\share"
Read
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "Read", "Allow"))) | Set-Acl -Path "\\server\share"
Write
(Get-Acl -Path "\\server\share").AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<SID>", "Write", "Allow"))) | Set-Acl -Path "\\server\share"
Connected Reading
Related entries
Chosen from shared tags, categories, and nearby section context.
Search Domain GPOs for Any Text String with PowerShell
A PowerShell approach for searching every Group Policy Object in an Active Directory domain for any string or setting reference.
Reset Passwords For All Users in an OU
Bulk reset Active Directory user passwords for every account in a specific OU, export results to CSV, and log the exact target list for auditability.
Export Exchange Inbox Rules with Exchange Online PowerShell
Two companion PowerShell scripts: one for auditing inbox rules across an entire tenant, and another for inspecting rules for a single mailbox - perfect for threat hunting, compliance, and incident response.
Troubleshooting N-Central Take Control
Steps to take when N-Central’s Take Control remote access feature isn’t working, including how to restart the necessary services.
