ACL on a folder

This topic contains 5 replies, has 5 voices, and was last updated by  Lucien Janssens 3 years, 2 months ago.

  • Author
  • #21528

    Lucien Janssens

    Hello PowerShell gurus,

    I'm a newb on Powershell, looking for a function/script that accomplishes the following:

    Input is a folder or UNC path (get-childitem)
    The output should look like this (csv format, I need to import it in Excel or Access later on), i.e. an entry for each user/group that has access to the folder.

    "d:\MyPath\MyFolder","NT AUTHORITY\SYSTEM","Allow","Full Control"
    "d:\MyPath\MyFolder","ACME\Domain Admins","Allow","Full Control"

    I think it would require to rewrite the scriptproperty 'AccessToString' from the get-ACL cmdlet.
    Anyone know how to do this (or has another neat solution) ?


  • #21529

    Matt McNabb

    Here's a simple example:

    $Path = 'D:\MyPath\MyFolder'
    $CSVPath = 'C:\MyPath\Acl.csv'
    $ACL = Get-Acl -Path $Path 
    foreach ($Entry in $ACL.Access)
            Path = $Path
            IdentityReference = $Entry.IdentityReference
            AccessControlType = $Entry.AccessControlType
            FileSystemRights  = $Entry.FileSystemRights
        } | Export-Csv -Path $CSVPath -NoTypeInformation
  • #21530

    Will Anderson

    If you want to make a reuseable function though, you can take Matt's excellent example a little further:

    Function Get-FolderACL{[cmdletbinding[]]
            $Directory = Get-Acl -Path $Path
            ForEach[$Dir in $Directory.Access]{
                    Path = $Path
                    Group = $Dir.IdentityReference
                    AccessType = $Dir.AccessControlType
                    Rights = $Dir.FileSystemRights

    Jeff Hicks just wrote an excellent article on building advanced functions. I highly recommend you give it a read:

  • #21541

    Brett Osiewicz

    You should also check Raimund Andrée's "File System Security PowerShell Module 3.2.2 " on Microsoft's website.

    He updated it about two weeks ago. I had built a number of functions similar to yours, but will now use this module instead.

  • #21567


    What if we need not only the .identityreference property but also all members in case it is a group? How do get this out? Can we somehow incorporate the below in the get-acl code?

    {Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Adminis'" Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_Group | select -ExpandProperty Caption}

    Also when to use [PSCustomObject]@{} rather than Select-Object @{}?

  • #21653

    Lucien Janssens

    Thank you all for your input; it has been very helpful.
    I'm definitely going to look into the Filesystem security module, because it seems to address some issues I came accross too (e.g. long pathnames)

You must be logged in to reply to this topic.