{"id":52473,"date":"2009-09-14T03:01:00","date_gmt":"2009-09-14T03:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/09\/14\/hey-scripting-guy-can-i-determine-a-folders-access-rights-and-who-has-them\/"},"modified":"2009-09-14T03:01:00","modified_gmt":"2009-09-14T03:01:00","slug":"hey-scripting-guy-can-i-determine-a-folders-access-rights-and-who-has-them","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-determine-a-folders-access-rights-and-who-has-them\/","title":{"rendered":"Hey, Scripting Guy! Can I Determine a Folder’s Access Rights and Who Has Them?"},"content":{"rendered":"

<\/p>\n\n\n\n
Share this post: <\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span> <\/p>\n

\"Hey,Hey, Scripting Guy! I am trying to get a handle around the security of a folder on my computer. I need to be able to figure out a way to determine who has access and what those access rights are. I guess I could use the Icacls utility<\/font><\/a>, but I prefer to use something that is native to Windows PowerShell so that I can work with the objects that are returned and not have to waste a bunch of time parsing text. <\/p>\n<\/p>\n

— BH <\/p>\n<\/p>\n

\"Hey,Hello BH, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. If you have friended me on Facebook, you know that today is my birthday. I am at the point where having a birthday is not necessarily a cause for celebration\u2014the Scripting Wife has not made me a cake and ice cream or invited my friends over for a party. At least not in the last couple of years. But still, I would rather have a birthday than not have a birthday so I am in a good mood. In addition, with the Scripting Wife, one never knows what she may have up her sleeve for the occasion. <\/p>\n<\/p>\n

Back to your question. If you do not want to use the Icacls utility because it is not native to Windows PowerShell, the best tool to use to work with security on a folder is the Windows PowerShell Get-Acl<\/b> cmdlet. When you use the Get-Acl<\/b> cmdlet and give it the path to a folder, it returns an instance of the System.Security.AccessControl.DirectorySecurity<\/b> object, which is documented on MSDN<\/font><\/a> and is used to represent the access control and the audit security for a directory. It specifies the access rights for a directory and how access attempts are audited. The class represents each of the access and audit rights as a set of rules. The access rules are presented as instances of the System.Security.AccessControl.FileSystemAccessRule<\/font><\/a> object and the audit rules are presented as instances of the System.Security.AccessControl.FileSystemAuditRule<\/font><\/a> class.  <\/span> <\/p>\n<\/p>\n

To retrieve the DirectorySecurity<\/b> object using the Get-Acl<\/b> cmdlet, you specify the path to the folder via the path<\/b> parameter. This is seen here: <\/b><\/p>\n<\/p>\n<\/p>\n

PS C:\\> Get-Acl -Path C:\\fso <\/p>\n

    <\/span>Directory: C:\\ <\/p>\n

Path                       <\/span>Owner                      <\/span>Access
—-                       <\/span>—–                      <\/span>——
fso                        <\/span>BUILTIN\\Administrators     <\/span>NWTRADERS\\Administrato… <\/p>\n

PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

You can see from the output that the Owner<\/b> property is returned. The Access<\/b> property is truncated and does not display all of the users who have access to the folder. You might decide to pipe the results to the Select-Object<\/b> cmdlet and choose the Access<\/b> property. When you use this technique, as seen here, the Access<\/b> control information is still truncated: <\/p>\n<\/p>\n

PS C:\\> Get-Acl -Path C:\\fso | select-object access <\/p>\n

Access
——
{System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessC… <\/p>\n

PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

If you pipe the result of the Select-Object<\/b> cmdlet to the Format-List<\/b> cmdlet and choose all of the properties, you will finally be able to see all of the information returned from the Access<\/b> property. As seen here, however, the results are not what might be expected: <\/p>\n<\/p>\n

PS C:\\> Get-Acl -Path C:\\fso | select-object access | Format-List * <\/p>\n

Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.A
    <\/span>     <\/span>ccessControl.FileSystemAccessRule, System.Security.AccessControl.FileS
         <\/span>ystemAccessRule, System.Security.AccessControl.FileSystemAccessRule…
         <\/span>} <\/p>\n

PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

To retrieve a list of the users who have access to the folder, you need to use the accessToString<\/b> property because the access rights to the folder is stored as a series of FileSystemAccessRules<\/b>. After you have piped the results to the Format-List<\/b> cmdlet, you no longer have a DirectorySecurity<\/b> object. You have a formatted textual representation of the underlying object. This is seen here: <\/p>\n<\/p>\n

PS C:\\> Get-Acl -Path C:\\fso | Format-List AccessToString <\/p>\n

AccessToString : NWTRADERS\\Administrator Allow  <\/span>FullControl
                 <\/span>BUILTIN\\Administrators Allow  <\/span>FullControl
                 <\/span>BUILTIN\\Administrators Allow  <\/span>268435456
                 <\/span>NT AUTHORITY\\SYSTEM Allow  <\/span>FullControl
                 <\/span>NT AUTHORITY\\SYSTEM Allow  <\/span>268435456
                 <\/span>BUILTIN\\Users Allow  <\/span>ReadAndExecute, Synchronize
                 <\/span>NT AUTHORITY\\Authenticated Users Allow  <\/span>Modify, Synchronize
                 <\/span>NT AUTHORITY\\Authenticated Users Allow  <\/span>-536805376 <\/font><\/span> <\/p>\n<\/p>\n

If you wish to write to a text file the list of people who have access to the folder, the above formatted list is quite acceptable. To write the users who have access to a text file, you can use the Out-File<\/b> cmdlet as seen here: <\/p>\n<\/p>\n

PS C:\\> Get-Acl -Path C:\\fso | Format-List accessToString |
Out-File -FilePath c:\\fso\\fsoAcl.txt -Append
PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

When the above command is run, the following text file is seen: <\/p>\n<\/p>\n

\n

\"Image <\/p>\n<\/p>\n

If you prefer to work with the folder in a more direct manner, you can use the Get-Acl<\/b> cmdlet to retrieve the DirectorySecurity<\/b> object, and you can store it in a variable. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl = Get-Acl -Path C:\\fso
PS C:\\> $acl <\/p>\n

    <\/span>Directory: C:\\ <\/p>\n

Path                       <\/span>Owner                      <\/span>Access
—-                       <\/span>—–                      <\/span>——
fso                        <\/span>BUILTIN\\Administrators     <\/span>NWTRADERS\\Administrato… <\/p>\n

PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

After you have the DirectorySecurity<\/b> object stored in a variable, you can work directly with the underlying objects. This is shown here: <\/p>\n<\/p>\n

PS C:\\> $acl = Get-Acl -Path C:\\fso
PS C:\\> $acl <\/p>\n

    <\/span>Directory: C:\\ <\/p>\n

Path                       <\/span>Owner                      <\/span>Access
—-                       <\/span>—–                      <\/span>——
fso                        <\/span>BUILTIN\\Administrators     <\/span>NWTRADERS\\Administrato… <\/p>\n

<\/span><\/span><\/font> <\/p>\n<\/p>\n

To examine the methods and properties that are available from the object we have stored in the $acl <\/b>variable, we use the Get-Member<\/b> cmdlet. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl | Get-Member <\/p>\n

   <\/span>TypeName: System.Security.AccessControl.DirectorySecurity <\/p>\n

Name                            <\/span>MemberType     <\/span>Definition
—-                            <\/span>———-     <\/span>———-
Access                          <\/span>CodeProperty   <\/span>System.Security.AccessControl…
Group                           <\/span>CodeProperty   <\/span>System.String Group{get=GetGr…
Owner                           <\/span>CodeProperty   <\/span>System.String Owner{get=GetOw…
Path                   <\/span>         <\/span>CodeProperty   <\/span>System.String Path{get=GetPath;}
Sddl                            <\/span>CodeProperty   <\/span>System.String Sddl{get=GetSddl;}
AccessRuleFactory               <\/span>Method         <\/span>System.Security.AccessControl…
AddAccessRule                   <\/span>Method         <\/span>System.Void AddAccessRule(Sys…
AddAuditRule                    <\/span>Method         <\/span>System.Void AddAuditRule(Syst…
AuditRuleFactory                <\/span>Method         <\/span>System.Security.AccessControl…
Equals                          <\/span>Method         <\/span>bool Equals(System.Object obj)
GetAccessRules                  <\/span>Method         <\/span>System.Security.AccessControl…
GetAuditRules                   <\/span>Method         <\/span>System.Security.AccessControl…
GetGroup                        <\/span>Method         <\/span>System.Security.Principal.Ide…
GetHashCode                     <\/span>Method         <\/span>int GetHashCode()
GetOwner                        <\/span>Method         <\/span>System.Security.Principal.Ide…
GetSecurityDescriptorBinaryForm Method         <\/span>byte[] GetSecurityDescriptorB…
GetSecurityDescriptorSddlForm   <\/span>Method         <\/span>string GetSecurityDescriptorS…
GetType                         <\/span>Method         <\/span>type GetType()
ModifyAccessRule                <\/span>Method         <\/span>bool ModifyAccessRule(System….
ModifyAuditRule                 <\/span>Method         <\/span>bool ModifyAuditRule(System.S…
PurgeAccessRules                <\/span>Method         <\/span>System.Void PurgeAccessRules(…
PurgeAuditRules                 <\/span>Method         <\/span>System.Void PurgeAuditRules(S…
RemoveAccessRule                <\/span>Method         <\/span>bool RemoveAccessRule(System….
RemoveAccessRuleAll             <\/span>Method         <\/span>System.Void RemoveAccessRuleA…
RemoveAccessRuleSpecific        <\/span>Method         <\/span>System.Void RemoveAccessRuleS…
RemoveAuditRule                 <\/span>Method         <\/span>bool RemoveAuditRule(System.S…
RemoveAuditRuleAll              <\/span>Method         <\/span>System.Void RemoveAuditRuleAl…
RemoveAuditRuleSpecific         <\/span>Method         <\/span>System.Void RemoveAuditRuleSp…
ResetAccessRule                 <\/span>Method         <\/span>System.Void ResetAccessRule(S…
SetAccessRule             <\/span>      <\/span>Method         <\/span>System.Void SetAccessRule(Sys…
SetAccessRuleProtection         <\/span>Method         <\/span>System.Void SetAccessRuleProt…
SetAuditRule                    <\/span>Method         <\/span>System.Void SetAuditRule(Syst…
SetAuditRuleProtection          <\/span>Method    <\/span>     <\/span>System.Void SetAuditRuleProte…
SetGroup                        <\/span>Method         <\/span>System.Void SetGroup(System.S…
SetOwner                        <\/span>Method         <\/span>System.Void SetOwner(System.S…
SetSecurityDescriptorBinaryForm Method         <\/span>System.Void SetSecurityDescri…
SetSecurityDescriptorSddlForm   <\/span>Method         <\/span>System.Void SetSecurityDescri…
ToString                        <\/span>Method         <\/span>string ToString()
PSChildName                     <\/span>NoteProperty   <\/span>System.String PSChildName=fso
PSDrive     <\/span>                    <\/span>NoteProperty   <\/span>System.Management.Automation….
PSParentPath                    <\/span>NoteProperty   <\/span>System.String PSParentPath=Mi…
PSPath                          <\/span>NoteProperty   <\/span>System.String PSPath=Microsof…
PSProvider                  <\/span>    <\/span>NoteProperty   <\/span>System.Management.Automation….
AccessRightType                 <\/span>Property       <\/span>System.Type AccessRightType {…
AccessRuleType                  <\/span>Property       <\/span>System.Type AccessRuleType {g…
AreAccessRulesCanonical         <\/span>Property    <\/span>   <\/span>System.Boolean AreAccessRules…
AreAccessRulesProtected         <\/span>Property       <\/span>System.Boolean AreAccessRules…
AreAuditRulesCanonical          <\/span>Property       <\/span>System.Boolean AreAuditRulesC…
AreAuditRulesProtected          <\/span>Property       <\/span>System.Boolean AreAuditRulesP…
AuditRuleType                   <\/span>Property       <\/span>System.Type AuditRuleType {get;}
AccessToString                  <\/span>ScriptProperty System.Object AccessToString …
AuditToString                   <\/span>ScriptProperty System.Object AuditToString {… <\/font><\/span> <\/p>\n<\/p>\n

The Access <\/b>property is a codeproperty<\/b>. This means it was added by the Windows PowerShell team. To see what you can do with the Access<\/b> property, pipe it to the Get-Member<\/b> cmdlet. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl.Access | Get-Member <\/p>\n

   <\/span>TypeName: System.Security.AccessControl.FileSystemAccessRule <\/p>\n

Name              <\/span>MemberType Definition
—-              <\/span>———- ———-
Equals            <\/span>Method     <\/span>bool Equals(System.Object obj)
GetHashCode       <\/span>Method     <\/span>int GetHashCode()
GetType           <\/span>Method     <\/span>type GetType()
ToString          <\/span>Method     <\/span>string ToString()
AccessControlType Property   <\/span>System.Security.AccessControl.AccessControlType…
FileSystemRights  <\/span>Property   <\/span>System.Security.AccessControl.FileSystemRights …
IdentityReference Property  <\/span> <\/span>System.Security.Principal.IdentityReference Ide…
InheritanceFlags  <\/span>Property   <\/span>System.Security.AccessControl.InheritanceFlags …
IsInherited       <\/span>Property   <\/span>System.Boolean IsInherited {get;}
PropagationFlags  <\/span>Property   <\/span>System.Security.AccessControl.PropagationFlags … <\/p>\n

PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

The Access<\/b> property returns an instance of the System.Security.AccessControl.FileSystemAccessRule<\/font><\/a> .NET Framework class. When you look at the Access<\/b> property, it displays the following information: <\/p>\n<\/p>\n

PS C:\\> $acl.Access <\/p>\n

FileSystemRights  <\/span>: FullControl
AccessControlType : Allow
IdentityReference : NWTRADERS\\Administrator
IsInherited       <\/span>: False
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: None <\/p>\n

FileSystemRights  <\/span>: FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\\Administrators
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: None
PropagationFlags  <\/span>: None <\/p>\n

FileSystemRights  <\/span>: 268435456
AccessControlType : Allow
IdentityReference : BUILTIN\\Administrators
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: InheritOnly <\/p>\n

FileSystemRights  <\/span>: FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\\SYSTEM
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: None
PropagationFlags  <\/span>: None <\/p>\n

FileSystemRights  <\/span>: 268435456
AccessControlType : Allow
IdentityReference : NT AUTHORITY\\SYSTEM
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: InheritOnly <\/p>\n

FileSystemRights  <\/span>: ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\\Users
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: None <\/p>\n

FileSystemRights  <\/span>: Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\\Authenticated Users
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: None
PropagationFlags  <\/span>: None <\/p>\n

FileSystemRights  <\/span>: -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\\Authenticated Users
IsInherited       <\/span>: True
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: InheritOnly <\/font><\/span> <\/p>\n<\/p>\n

\n

 <\/p>\n<\/p>\n

Because the System.Security.AccessControl.FileSystemAuditRule<\/b> class is returned as a collection, you can index directly into it. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl.Access[0] <\/p>\n

FileSystemRights  <\/span>: FullControl
AccessControlType : Allow
IdentityReference : NWTRADERS\\Administrator
IsInherited       <\/span>: False
InheritanceFlags  <\/span>: ContainerInherit, ObjectInherit
PropagationFlags  <\/span>: None<\/font><\/span> <\/p>\n

<\/span><\/p>\n<\/p>\n<\/p>\n

The IdentityReference<\/b> property returns an instance of System.Security.Principal.NTAccount<\/font><\/a> .NET Framework class. The members of this object are seen here: <\/p>\n<\/p>\n

PS C:\\> $acl.Access[0].identityReference | Get-Member <\/p>\n

   <\/span>TypeName: System.Security.Principal.NTAccount <\/p>\n

Name              <\/span>MemberType Definition
—-              <\/span>———- ———-
Equals            <\/span>Method     <\/span>bool Equals(System.Object o)
GetHashCode       <\/span>Method     <\/span>int GetHashCode()
GetType           <\/span>Method     <\/span>type GetType()
IsValidTargetType Method     <\/span>bool IsValidTargetType(type targetType)
ToString          <\/span>Method     <\/span>string ToString()
Translate         <\/span>Method     <\/span>System.Security.Principal.IdentityReference Tra…
Value             <\/span>Property   <\/span>System.String Value {get;}<\/font><\/span> <\/p>\n

<\/span><\/p>\n<\/p>\n<\/p>\n

The IdentityReference<\/b> property points to a specific user account. You can use that property to return a list of all the users who have access to a folder. When you query the Value<\/b> property, it returns a string. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl.Access | ForEach-Object { $_.identityReference.value }
NWTRADERS\\Administrator
BUILTIN\\Administrators
BUILTIN\\Administrators
NT AUTHORITY\\SYSTEM
NT AUTHORITY\\SYSTEM
BUILTIN\\Users
NT AUTHORITY\\Authenticated Users
NT AUTHORITY\\Authenticated Users
PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

If you wanted to search the list of users for a specific user who has rights, you could pipe the results to the Where-Object<\/b>. This is seen here: <\/p>\n<\/p>\n

PS C:\\> $acl.Access | ForEach-Object { $_.identityReference.value |
Where-Object { $_ -eq ‘nwtraders\\administrator’ }  <\/span>}
NWTRADERS\\Administrator
PS C:\\> <\/font><\/span> <\/p>\n<\/p>\n

Well, BH, this brings us to the end of another Hey, Scripting Guy! post. We hope we have inspired you to fire up Windows PowerShell and start playing around with the Get-Acl<\/b> cmdlet. <\/p>\n<\/p>\n

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter<\/a> or Facebook<\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/a> or post them on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace. <\/p>\n<\/p>\n

\n

 <\/p>\n<\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys <\/span><\/b> <\/p>\n<\/p>\n

<\/span><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

Share this post: Hey, Scripting Guy! I am trying to get a handle around the security of a folder on my computer. I need to be able to figure out a way to determine who has access and what those access rights are. I guess I could use the Icacls utility, but I prefer to […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[62,3,63,45],"class_list":["post-52473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-dacls-and-sacls","tag-scripting-guy","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Share this post: Hey, Scripting Guy! I am trying to get a handle around the security of a folder on my computer. I need to be able to figure out a way to determine who has access and what those access rights are. I guess I could use the Icacls utility, but I prefer to […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52473"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52473\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}