List individual Access Permissions

This topic contains 3 replies, has 2 voices, and was last updated by Rohn Edwards 1 year, 4 months ago.

  • #25626
    ertuu85


    I'm trying to find a way to list the folder's individual access permissions, such as

    Traverse Folders/execute files
    Read attributes

    etc... instead of the output I get from doing a get-acl and getting its filesystem rights listed as something like: Readandexecute.

    Is it possible to use get-acl to list the actual folder 'advanced security' options?

  • #25673
    Rohn Edwards

    Get-Acl is giving you the same information as the advanced tab; it's just presented in a different way. You can take the access mask it's returning (the FileSystemRights property) and translate it into anything you want. Here's some quick and dirty proof of concept code that won't show any "combined" rights (it omits FullControl, Modify, ReadAndExecute, etc., and shows you all of the basic rights):

    # First, build a dictionary. To use the example code I'm using later, you'll want one
    # with [int] keys and string values. You can build this yourself so that the translated
    # rights show up how you want them, or you can do it using the FSR enumeration like
    # this:
    $Enum = [System.Security.AccessControl.FileSystemRights]
    $RightsDictionary = @{}
    foreach ($RightName in [enum]::GetNames($Enum)) {
        $NumericValue = $RightName -as $Enum -as [int]
        if ($NumericValue -band ($NumericValue - 1)) {
            # This means $NumericValue isn't a power of 2, so it's a combination of rights,
            # and I'm assuming you want to ignore that
            continue
        }
        # Several names can share one value (e.g. ReadData and ListDirectory), so keep a list
        if (-not $RightsDictionary.ContainsKey($NumericValue)) {
            $RightsDictionary[$NumericValue] = @()
        }
        $RightsDictionary[$NumericValue] += $RightName
    }
    $SortedRights = $RightsDictionary.GetEnumerator() | Sort-Object Name -Descending

    # This is a script block that can be used by Add-Member:
    $DetailedRightsSb = {
        # This depends on $SortedRights
        $RemainingAccessMask = [int] $this.FileSystemRights
        $DetailedRights = @()
        foreach ($RightEntry in $SortedRights) {
            if ($RemainingAccessMask -eq 0) { break }  # Done looking up rights
            if ($RemainingAccessMask -band $RightEntry.Name) {
                $DetailedRights += $RightEntry.Value -join "/"
                # Clear the bit that was just translated
                $RemainingAccessMask = $RemainingAccessMask -bxor $RightEntry.Name
            }
        }
        # Any bits left over have no single-bit name in the enumeration
        if ($RemainingAccessMask -ne 0) { $DetailedRights += "Unknown ($RemainingAccessMask)" }
        $DetailedRights -join ", "
    }

    # Finally, you can use all of that above like this, and each of your ACEs will have an
    # extra 'DetailedRights' property:
    Get-Acl C:\folder |
        Select-Object Path -ExpandProperty Access |
        Add-Member -MemberType ScriptProperty -Name DetailedRights -Value $DetailedRightsSb -PassThru

    If that does what you're looking for, you might also try this module: If you get version 4.0, you can run this command to do pretty much the same thing as the code above:

    Get-PacAccessControlEntry C:\folder -DisplayOptions ShowDetailedRights

    If you have any questions about the code above, or if you were trying to do something else, please let me know.
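The following is an added example, not part of the original post or the poster's code. It goes one step beyond the code above: an ACE's access mask can also carry the generic rights bits (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL), which the FileSystemRights enumeration does not name and which would otherwise surface as "Unknown". The function name `ConvertTo-DetailedRight` and the three sample masks are constructed for illustration.

```powershell
# Added example (not from the thread). Function name and sample masks are constructed.
$Fsr = [System.Security.AccessControl.FileSystemRights]

# Generic rights (top four bits of the access mask) and the file-specific
# masks Windows maps them to for file system objects.
$GenericMap = @(
    @{ Bit = 0x10000000;      Mask = 0x1F01FF }  # GENERIC_ALL     -> FILE_ALL_ACCESS
    @{ Bit = 0x20000000;      Mask = 0x1200A0 }  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    @{ Bit = 0x40000000;      Mask = 0x120116 }  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    @{ Bit = [int]::MinValue; Mask = 0x120089 }  # GENERIC_READ (0x80000000 as a signed int)
)

function ConvertTo-DetailedRight {
    param([Parameter(Mandatory)][int] $AccessMask)

    # Step 1: replace each generic bit with the specific rights it stands for
    $Mask = $AccessMask
    foreach ($Entry in $GenericMap) {
        if ($Mask -band $Entry.Bit) {
            $Mask = ($Mask -band (-bnot $Entry.Bit)) -bor $Entry.Mask
        }
    }

    # Step 2: walk all 32 bits and name each one that is set
    $Names = foreach ($Bit in 0..31) {
        $Value = 1 -shl $Bit
        if ($Mask -band $Value) {
            # Names sharing a value (ReadData/ListDirectory, ...) are joined with "/"
            $Matching = [enum]::GetNames($Fsr) |
                Where-Object { [int]($_ -as $Fsr) -eq $Value }
            if ($Matching) { $Matching -join '/' }
            else { 'Unknown (0x{0:X8})' -f $Value }
        }
    }
    $Names -join ', '
}

# Constructed sample masks: GENERIC_ALL, GENERIC_READ + GENERIC_EXECUTE,
# and ReadAndExecute + Synchronize
foreach ($Sample in 268435456, -1610612736, 1179817) {
    [pscustomobject]@{
        AccessMask     = $Sample
        DetailedRights = ConvertTo-DetailedRight $Sample
    }
}
```

When reviewing folder permissions, a mask that reads as a bare number in Get-Acl output is worth expanding this way before deciding whether the ACE grants more than intended.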

  • #25687
    ertuu85

    Hey, thanks! That really looks pretty good and with some slight modification will do just what I needed. Thanks again.

  • #25690
    Rohn Edwards

    You're welcome!
