Get-Acl

Understanding the Power of Get-Acl in PowerShell

Welcome back to Wahmans PowerShell blog! Today we’re diving into one of those cmdlets that every PowerShell user should be familiar with: Get-Acl. If you’re wondering what Get-Acl does, let me quote Microsoft:

Get-Acl gets the security descriptor for a resource, such as a file or registry key.

In plain words, this cmdlet lets you retrieve the security descriptor, including the permissions (the Access Control List, or ACL), applied to an object such as a folder, a file, or a registry key. It’s incredibly useful for auditing, managing access, or just learning how permissions are structured on your system.

Getting Started with Get-Acl: Examples from Beginner to Advanced

1. Beginner: Get the permissions of a single file

This is the most basic use of Get-Acl. Let’s say you want to know who has access to a specific file:

Get-Acl -Path "C:\Users\Public\Documents\example.txt"

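This returns the security descriptor for example.txt, including the owner, group, and access rules. The default table view shows only the Path, Owner, and Access columns; pipe the result to Format-List to see the rest.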

2. Intermediate: Show permissions for all files in a folder

Want to audit a whole folder? Use Get-ChildItem and pipe it to Get-Acl:

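# List every item directly under C:\Data and read its security descriptor
Get-ChildItem -Path "C:\Data" | ForEach-Object {
    # -LiteralPath keeps names containing [ or ] from being treated as wildcards
    $acl = Get-Acl -LiteralPath $_.FullName
    [PSCustomObject]@{
        FileName = $_.Name
        Path = $_.FullName
        Owner = $acl.Owner
    }
}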

This script lists all items in C:\Data, gets their ACLs, and outputs the filename, path, and owner. You may also extend it to show access rules.

3. Advanced: Export permissions to a CSV file

This example shows how to gather the access rules of every file and folder under a directory and export them to a CSV report:

# Walk C:\Projects recursively and emit one row per access rule (ACE)
$results = Get-ChildItem -Path "C:\Projects" -Recurse | ForEach-Object {
    # -LiteralPath keeps names containing [ or ] from being treated as wildcards
    $acl = Get-Acl -LiteralPath $_.FullName
    foreach ($access in $acl.Access) {
        [PSCustomObject]@{
            FileName = $_.Name
            FullPath = $_.FullName
            IdentityReference = $access.IdentityReference
            AccessControlType = $access.AccessControlType
            FileSystemRights = $access.FileSystemRights
        }
    }
}

# The C:\Reports folder must already exist
$results | Export-Csv -Path "C:\Reports\FilePermissions.csv" -NoTypeInformation

Now you have a human-readable CSV file with detailed permission information for every file and folder under C:\Projects.

4. Expert: Compare ACLs between two directories

If you’re migrating data or troubleshooting permission issues, you might want to compare ACLs between two structures:

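# Get the security descriptor of each folder
$folder1 = Get-Acl -Path "C:\OldData"
$folder2 = Get-Acl -Path "D:\NewData"

# Using -ne on the two Access collections filters the left-hand collection
# instead of testing equality, so compare the DACLs in SDDL string form
$dacl1 = $folder1.GetSecurityDescriptorSddlForm('Access')
$dacl2 = $folder2.GetSecurityDescriptorSddlForm('Access')

if ($dacl1 -ne $dacl2) {
    Write-Host "Permissions differ between OldData and NewData" -ForegroundColor Red
} else {
    Write-Host "Permissions match!" -ForegroundColor Green
}

This comparison checks whether the access rules match between the two folders. It compares each folder’s DACL as an SDDL string, so the order of the rules and their inheritance flags count as well. You could expand this to recurse through folder trees and report discrepancies.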
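
The tree-wide comparison suggested above, as an added example that is not part of the original post: it walks both folder trees and reports items whose explicit (non-inherited) access rules or inheritance protection differ, or that exist on only one side. Get-AclSnapshot and Compare-AclTree are hypothetical helper names, and the two paths are the article’s sample folders.

```powershell
# Added example (not from the original post). Get-AclSnapshot and Compare-AclTree
# are hypothetical helper names; the two paths are the article's sample folders.
function Get-AclSnapshot {
    param([Parameter(Mandatory)][string]$Root)
    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $map = @{}   # relative path -> signature of the explicit access rules
    # Include the root folder itself, then everything below it
    $items = @(Get-Item -LiteralPath $rootPath) + @(Get-ChildItem -LiteralPath $rootPath -Recurse -Force)
    foreach ($item in $items) {
        $relative = $item.FullName.Substring($rootPath.Length).TrimStart('\')
        if (-not $relative) { $relative = '.' }
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            # Inherited rules depend on the parent, so compare only explicit ones,
            # sorted so that rule order does not cause false differences
            $rules = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
                '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                    $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
            } | Sort-Object
            $map[$relative] = "protected=$($acl.AreAccessRulesProtected);" + (@($rules) -join ';')
        } catch {
            # Record unreadable items instead of silently skipping them
            $map[$relative] = "ERROR: $($_.Exception.Message)"
        }
    }
    $map
}

function Compare-AclTree {
    param([Parameter(Mandatory)][string]$OldRoot, [Parameter(Mandatory)][string]$NewRoot)
    $old = Get-AclSnapshot -Root $OldRoot
    $new = Get-AclSnapshot -Root $NewRoot
    foreach ($p in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $old.ContainsKey($p)) {
            $status = 'OnlyInNew'
        } elseif (-not $new.ContainsKey($p)) {
            $status = 'OnlyInOld'
        } elseif ($old[$p] -ne $new[$p]) {
            $status = 'Different'
        } else {
            continue   # identical explicit rules, nothing to report
        }
        [PSCustomObject]@{ RelativePath = $p; Status = $status; Old = $old[$p]; New = $new[$p] }
    }
}

# Report only the discrepancies between the two trees
Compare-AclTree -OldRoot 'C:\OldData' -NewRoot 'D:\NewData' | Format-Table -AutoSize -Wrap
```

Pipe the output to Export-Csv instead of Format-Table to keep the discrepancy report alongside the permission export from example 3.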

Wrapping Up

Get-Acl is a versatile cmdlet, ideal for beginners learning about security descriptors and essential for professionals performing access audits or scripting permission changes. Combine it with other cmdlets like Set-Acl, Export-Csv, and ForEach-Object to unlock its full potential.

Happy scripting, and I will see you in the next post!
