beawolf - Fotolia
How do I manage ACL folder permissions with a PowerShell script?
PowerShell scripts make short work of repetitive Windows tasks, saving admins time, effort and frustration. One simple area admins can manage with scripts is the access control list.
Automation can save IT admins from repetitive and manual operations tasks. One common way to achieve this automation -- particularly in Windows environments -- is with PowerShell scripts.
An access control list maintains and organizes users' rights to OS objects, such as a file. But to set ACL folder permissions can be a mind-numbing task, especially when admins must edit multiple folders on a share, or find all the ACL folders that have users and replace those users with groups. This is a common management task Windows admins perform on file shares.
To script away this tedium with PowerShell, Microsoft's native automation and configuration management tool, retrieve existing ACL permissions for the desktop folder with the command below.
This command should return an output that looks similar to the one below.
To see which users have access to the desktop folder, we need the information in the Access property. Run the command below.
We can see in the output below that identities SYSTEM, Administrators and Anthony all have full control of the desktop folder.
Create an ACL folder permissions entry
To add an entry to that list, create a .NET object -- specifically a FileSystemAccessRule. Run the following command to discover which type of object the existing rules are.
This should return an output that looks similar to this one.
With that information, we can look at the various constructors -- the ways in which an object can be created -- for that object type, using the static method on the object class itself in PowerShell. Skip the parenthesis on the end, so the output shows the various definitions with their parameters.
As the output below shows, there are many ways to construct this object. We need to pass the identity, ACL folder level, inheritance, propagation and type to the constructor so that it can create an access rule for the ACL permissions.
Try this approach out by creating a rule that grants the user Dave full control. Run the command below.
The output should look as it does below.
This gives us a rule to add to the ACL.
Add a rule to the ACL folder
To add the rule, , create the ACL object.
Then, use a method to add the entry to the list.
After the rule is added, apply the ACL permissions to the original folder.
To make the code reusable, create a PowerShell function.
Editor's note: This expert answer is in a three-part series on PowerShell automation. Stay tuned for expert answers on event log searches and PATH environment management.
Dig Deeper on Systems automation and orchestration
Related Q&A from Anthony Howell
Manage the Windows PATH environment variable with PowerShell
Among many other tasks, IT teams can use PowerShell to manage and edit the PATH environment variable. Walk through these basic steps to access, add ... Continue Reading
PowerShell looping examples for the 4 key commands
There are many instances where looping is a valuable tool in your PowerShell script. Knowing how to use them will serve you well. Evaluate these four... Continue Reading
Perform a Windows event log search with PowerShell
Event log monitoring is vital to an IT environment's health and success, but finding a specific event in the flood is challenging. PowerShell enables... Continue Reading