
How do I manage ACL folder permissions with a PowerShell script?

PowerShell scripts make short work of repetitive Windows tasks, saving admins time, effort and frustration. One simple area admins can manage with scripts is the access control list.

Automation can save IT admins from repetitive and manual operations tasks. One common way to achieve this automation -- particularly in Windows environments -- is with PowerShell scripts.

An access control list maintains and organizes users' rights to OS objects, such as a file. But setting ACL folder permissions can be a mind-numbing task, especially when admins must edit multiple folders on a share, or find every folder ACL that names individual users and replace those users with groups. This is a common management task Windows admins perform on file shares.

To script away this tedium with PowerShell, Microsoft's native automation and configuration management tool, retrieve existing ACL permissions for the desktop folder with the command below.

retrieve existing ACL permissions command

This command should return an output that looks similar to the one below.

command output

To see which users have access to the desktop folder, we need the information in the Access property. Run the command below.

Access property command

We can see in the output below that identities SYSTEM, Administrators and Anthony all have full control of the desktop folder.

Access property output

Create an ACL folder permissions entry

To add an entry to that list, create a .NET object -- specifically a FileSystemAccessRule. Run the following command to discover what type of object the existing rules are.

object command

This should return an output that looks similar to this one.

object command output

With that information, we can look at the various constructors -- the ways in which an object can be created -- for that object type, using the static method on the object class itself in PowerShell. Leave off the parentheses at the end, so the output shows the various definitions with their parameters instead of invoking the method.


As the output below shows, there are many ways to construct this object. We need to pass the identity, ACL folder level, inheritance, propagation and type to the constructor so that it can create an access rule for the ACL permissions.

method output

Try this approach out by creating a rule that grants the user Dave full control. Run the command below.

rule command

The output should look as it does below.

rule command output

This gives us a rule to add to the ACL.

Add a rule to the ACL folder

To add the rule, create the ACL object.

create the ACL object

Then, use a method to add the entry to the list.

add entry to list

After the rule is added, apply the ACL permissions to the original folder.

apply the ACL permissions

To make the code reusable, create a PowerShell function.

create a PowerShell function
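The steps above pulled into one reusable function, as an added example rather than the article's own code. The function name Add-FolderAccessRule, its parameters and the sample path in the usage comment are my own choices; the defaults assume the rule should flow down to subfolders and files. It resolves the identity to a SID before building the rule, skips an identical explicit entry that already exists, and supports -WhatIf so the change can be previewed before Set-Acl writes it.

```powershell
function Add-FolderAccessRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights]  $Rights      = 'FullControl',
        [System.Security.AccessControl.AccessControlType] $Type        = 'Allow',
        [System.Security.AccessControl.InheritanceFlags]  $Inheritance = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]  $Propagation = 'None'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve the account to a SID up front: a mistyped name fails here
    # instead of leaving an unresolvable entry in the ACL.
    $account = [System.Security.Principal.NTAccount] $Identity
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Same five-argument constructor the article walks through:
    # identity, rights, inheritance, propagation, access type.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $account, $Rights, $Inheritance, $Propagation, $Type)

    $acl = Get-Acl -LiteralPath $Path

    # Do not stack a duplicate explicit (non-inherited) entry on the folder.
    $duplicate = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        $_.FileSystemRights -eq $Rights -and
        $_.AccessControlType -eq $Type
    }
    if ($duplicate) {
        Write-Verbose "An identical entry for $Identity already exists on $Path; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights ($Type) to $Identity")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the entries now present for this account so the caller can verify the result.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    }
}

# Preview first, then apply (hypothetical path and account):
# Add-FolderAccessRule -Path "$env:USERPROFILE\Desktop" -Identity 'Dave' -WhatIf
# Add-FolderAccessRule -Path "$env:USERPROFILE\Desktop" -Identity 'Dave' -Verbose
```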

Editor's note: This expert answer is in a three-part series on PowerShell automation. Stay tuned for expert answers on event log searches and PATH environment management.
