Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Retrieving the Security Descriptor for an Object
The Get-Acl cmdlet enables you to retrieve the security descriptor (access control list) for a file, a folder, or even a registry key. Note that, in order to view complete information for an object, you should pipe the results of Get-Acl through the Format-List cmdlet. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:
Get-Acl c:\scripts | Format-List
The resulting display will look something like this:
Path : Microsoft.Windows PowerShell.Core\FileSystem::C:\scripts
Owner : FABRIKAM\kenmyer
Group : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
FABRIKAM\kenmyer Allow FullControl
CREATOR OWNER Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
Audit :
Sddl : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
;CIID;DC;;;BU)
Had we called Get-Acl without piping the results through Format-List the resulting display would have looked more like this:
Path Owner Access
---- ----- ------
Microsoft.Windows PowerShell.Co... BUILTIN\Administrators FABRIKAM\kenmyer Allow ...
Not quite as easy to decipher, to say the least.
Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:
Get-Acl HKCU:\Software\Microsoft\Windows
You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:
Get-Acl c:\scripts\*.log | Format-List