How do I manage ACL folder permissions with a PowerShell script?
PowerShell scripts make short work of repetitive Windows tasks, saving admins time, effort and frustration. One simple area admins can manage with scripts is the access control list.
Automation can save IT admins from repetitive and manual operations tasks. One common way to achieve this automation -- particularly in Windows environments -- is with PowerShell scripts.
An access control list maintains and organizes users' rights to OS objects, such as a file or folder. But setting ACL folder permissions can be a mind-numbing task, especially when admins must edit multiple folders on a share, or find every folder whose ACL names individual users and replace those users with groups. Both are common management tasks Windows admins perform on file shares.
To script away this tedium with PowerShell, Microsoft's native automation and configuration management tool, retrieve existing ACL permissions for the desktop folder with the command below.
This command should return an output that looks similar to the one below.
To see which users have access to the desktop folder, we need the information in the Access property. Run the command below.
We can see in the output below that identities SYSTEM, Administrators and Anthony all have full control of the desktop folder.
Create an ACL folder permissions entry
To add an entry to that list, create a .NET object -- specifically a FileSystemAccessRule. Run the following command to discover which type of object the existing rules are.
This should return an output that looks similar to this one.
With that information, we can look at the type's constructors -- the ways in which an object of that type can be created -- by referencing the static new method on the type itself in PowerShell. Leave off the parentheses at the end, so that PowerShell lists the overload definitions with their parameters instead of calling one.
As the output below shows, there are several ways to construct this object. The overload we want takes the identity, the file system rights, the inheritance flags, the propagation flags and the access control type (Allow or Deny), and returns an access rule for the ACL.
Try this approach out by creating a rule that grants the user Dave full control. Run the command below.
The output should look as it does below.
This gives us a rule to add to the ACL.
Add a rule to the ACL folder
To add the rule, first retrieve the folder's ACL object.
Then, use a method to add the entry to the list.
After the rule is added, write the modified ACL back to the original folder. This writes the whole security descriptor, so always start from the ACL retrieved from the folder rather than a freshly constructed one, or the existing entries will be lost.
To make the code reusable, create a PowerShell function.
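The steps above, gathered into one script and a reusable function, as an added example that is not code from the original article. The folder paths, the CONTOSO\ProjectUsers group and the Modify right are illustrative assumptions; the identity must exist on the machine or domain where the script runs, and the function grants a group rather than an individual user, which is the direction the article's replace-users-with-groups task points.

```powershell
# Added example, not from the original article. Paths and identities below are assumptions.

# 1. Retrieve the existing ACL and list who has access.
$acl = Get-Acl -Path "$env:USERPROFILE\Desktop"
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 2. Discover the rule type and its constructor overloads.
$acl.Access[0].GetType().FullName                          # System.Security.AccessControl.FileSystemAccessRule
[System.Security.AccessControl.FileSystemAccessRule]::new  # no parentheses: lists the overloads

# 3. Reusable function: build a rule, add it to the folder's ACL, write it back.
function Add-FolderAccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Apply the entry to this folder and let subfolders and files inherit it.
    $inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None

    # Constructor overload: identity, rights, inheritance, propagation, Allow/Deny.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inheritance, $propagation, $Type)

    # Start from the folder's current ACL so existing entries survive the write-back.
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)

    # -WhatIf on the function flows through to this call via SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights ($Type) to $Identity")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the entries for that identity so the caller can verify the result.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Dry run first (assumed share path and group), then apply for real.
Add-FolderAccessRule -Path 'C:\Shares\Projects' -Identity 'CONTOSO\ProjectUsers' -WhatIf
Add-FolderAccessRule -Path 'C:\Shares\Projects' -Identity 'CONTOSO\ProjectUsers' -Rights Modify
```

Run the -WhatIf call on a production share before the real one; Set-Acl rewrites the whole descriptor, and a rule built from the wrong identity or rights is applied to every child that inherits it.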
Editor's note: This expert answer is in a three-part series on PowerShell automation. Stay tuned for expert answers on event log searches and PATH environment management.