
PowerShell | Script to Update Access Control List (ACL)

Windows Access Control Lists (ACLs) are an essential feature for managing permissions and security in the Windows operating system. They provide a detailed mechanism for defining who can access or modify objects, such as files, folders, and registry keys, and what actions they are allowed to perform on these objects. Here’s a detailed overview of Windows ACLs:


Components of Windows ACLs

  1. Objects:

    • Files and Folders: Common objects that have ACLs.

    • Registry Keys: Specific keys within the Windows Registry.

    • Other Objects: Includes printers, network shares, and more.

  2. Security Descriptors:

    • Each object that can have permissions assigned to it has a security descriptor.

    • The security descriptor contains the ACL.

  3. ACL Types:

    • DACL (Discretionary Access Control List): Specifies the permissions for users and groups and controls access to the object. If an object has no DACL at all (a null DACL), the system grants full access to everyone; an empty DACL, by contrast, contains no ACEs and so grants access to no one.

    • SACL (System Access Control List): Used for auditing purposes. It specifies which actions by users or groups should be logged.

  4. Access Control Entries (ACEs):

    • An ACL is made up of multiple ACEs.

    • Each ACE defines a user's or group's access rights to an object.

    • ACEs can be allow or deny entries.

  • Appends the ACL to NTFS Permissions on a folder.

  • Leaves inheritance in place.

PowerShell Script Set ACL in NTFS

<#
    .SYNOPSIS
              PowerShell Script to Add User to NTFS ACL
    .DESCRIPTION
            Required -  Set Identity
            Required -  Set MyDir (Folder Path)
            Creates an ACE and Assigns to Folder
            Assigns Full Control
            Keeps Inheritance
    .NOTES
            Author: Scott Head
            ScriptsbyScott.com
#>

# //// Create the Access Control Entry \\\\
# Assign the user or group (DOMAIN\Account or MACHINE\Account)
$identity = 'MyLocalForest\Shead'
# Assign the directory to change permissions on
$MyDir = "C:\Temp"

# Set the rights the account will have (FullControl is the broadest option;
# pick the narrowest right that does the job, e.g. Modify or ReadAndExecute)
$rights = 'FullControl'
# Apply the ACE to this folder and let it flow to subfolders (ContainerInherit)
# and files (ObjectInherit); existing inherited entries are left in place
$inheritance = 'ContainerInherit, ObjectInherit'
# None = apply to this folder too and propagate to every descendant,
# as long as inheritance isn't blocked further down the tree
$propagation = 'None'
# Allow or Deny
$type = 'Allow'
# Build the Access Control Entry
$ACE = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $inheritance, $propagation, $type)
# Pull in the current Access Control List (security descriptor) of the folder
$Acl = Get-Acl -Path $MyDir
# Insert the new access control entry into the current access control list
# (AddAccessRule keeps the DACL in canonical order, deny entries before allow)
$Acl.AddAccessRule($ACE)
# Write the updated Access Control List back onto the directory
Set-Acl -Path $MyDir -AclObject $Acl

[Screenshot: Windows PowerShell output showing the updated ACL]
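The same Get-Acl / FileSystemAccessRule / Set-Acl flow as above, wrapped so it is safe to re-run and can be verified afterwards. This is an added example, not the author's script: the function names, the `-WhatIf` support and the "skip if the rule already exists" check are assumptions of this example.

```powershell
# Added example (not from the original post). Function and parameter names
# are assumptions; the ACL calls are the same ones the script above uses.

function Get-ExplicitNtfsAce {
    # Lists only the entries set directly on $Path, not those inherited
    # from a parent, which is what you want to verify after a change.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      InheritanceFlags, PropagationFlags
}

function Add-NtfsAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        # Default to Modify rather than FullControl (least privilege)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    # Same flags as the script above: apply here, flow to subfolders and files
    $inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inheritance, $propagation, $Type

    $acl = Get-Acl -Path $Path
    # Skip when an identical explicit rule is already present, so re-running
    # the script does not stack duplicate ACEs onto the DACL
    $existing = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
        $_.FileSystemRights -eq $Rights -and
        $_.AccessControlType -eq $Type -and
        $_.InheritanceFlags -eq $inheritance -and
        $_.PropagationFlags -eq $propagation
    }
    if ($existing) { Write-Verbose "Rule already present on $Path"; return }

    # -WhatIf prints the intended change instead of writing the ACL
    if ($PSCmdlet.ShouldProcess($Path, "Add $Type $Rights for $Identity")) {
        $acl.AddAccessRule($ace)
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Usage (folder and account are placeholders):
# Add-NtfsAce -Path 'C:\Temp' -Identity 'MyLocalForest\Shead' -Rights FullControl -WhatIf
# Get-ExplicitNtfsAce -Path 'C:\Temp' | Format-Table
```

Run `Get-ExplicitNtfsAce` before and after the change and keep both outputs; the diff is the change record for the folder's DACL.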