Using the Get-Acl Cmdlet

Retrieving the Security Descriptor for an Object

The Get-Acl cmdlet retrieves the security descriptor (access control list) for a file, a folder, or even a registry key. To view complete information for an object, pipe the results of Get-Acl through the Format-List cmdlet. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:

Get-Acl c:\scripts | Format-List

The resulting display will look something like this:

Path   : Microsoft.PowerShell.Core\FileSystem::C:\scripts
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         FABRIKAM\kenmyer Allow  FullControl
         CREATOR OWNER Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
         A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
         48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
         ;CIID;DC;;;BU)

Had we called Get-Acl without piping the results through Format-List, the resulting display would have looked more like this:

Path                       Owner                      Access
----                       -----                      ------
Microsoft.PowerShell.Co... BUILTIN\Administrators     FABRIKAM\kenmyer Allow ...

Not quite as easy to decipher, to say the least.

Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:

Get-Acl HKCU:\Software\Microsoft\Windows

You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:

Get-Acl c:\scripts\*.log | Format-List
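
As an added example (not part of the original article), the function below turns the Access list shown earlier into one object per entry, names generic rights that Get-Acl prints as bare numbers (268435456 is 0x10000000, GenericAll, the GA in the Sddl string), and marks Allow entries that give Everyone, Authenticated Users, or BUILTIN\Users a write-type right. Get-AclEntry is a hypothetical name; the code assumes PowerShell 3.0 or later and file-system paths.

```powershell
# Added example, not from the original article. Get-AclEntry is a hypothetical name.
function Get-AclEntry {
    param([Parameter(Mandatory)] [string] $Path)   # file-system path; wildcards allowed

    # Generic rights have no name in FileSystemRights, so Get-Acl prints them as numbers.
    $generic = [ordered]@{ GenericAll = 0x10000000; GenericExecute = 0x20000000
                           GenericWrite = 0x40000000; GenericRead = 0x80000000 }
    # Well-known SIDs for broad groups: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    # Rights that allow changing content, permissions, or ownership.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor
                 $generic.GenericAll -bor $generic.GenericWrite

    foreach ($acl in Get-Acl -Path $Path) {
        foreach ($ace in $acl.Access) {
            # Registry and other rule types use different bit meanings; skip them here.
            if ($ace -isnot [System.Security.AccessControl.FileSystemAccessRule]) { continue }
            $mask   = [int]$ace.FileSystemRights
            $rights = "$($ace.FileSystemRights)"
            if ($rights -match '^-?\d+$') {
                # Purely numeric display: name the generic bits that are set.
                $rights = ($generic.Keys | Where-Object { $mask -band $generic[$_] }) -join ', '
                if (-not $rights) { $rights = '0x{0:X}' -f $mask }   # unknown bits: show as hex
            }
            # Compare by SID so the check does not depend on localized group names.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = "$($ace.IdentityReference)" }   # unresolved account: keep as shown
            [pscustomobject]@{
                Path       = Convert-Path -LiteralPath $acl.Path
                Identity   = "$($ace.IdentityReference)"
                Type       = $ace.AccessControlType
                Rights     = $rights
                Inherited  = $ace.IsInherited
                BroadWrite = ($ace.AccessControlType -eq 'Allow') -and ($sid -in $broadSids) -and
                             [bool]($mask -band $writeMask)
            }
        }
    }
}

# One row per access control entry for the folder used in this article.
Get-AclEntry 'C:\Scripts' | Format-Table -AutoSize
# Only the entries on the .log files that give a broad group a write-type right.
Get-AclEntry 'C:\Scripts\*.log' | Where-Object BroadWrite | Format-Table -AutoSize
```

With the sample output above, the two BUILTIN\Users entries (AppendData and CreateFiles) would come back with BroadWrite set to True, and the CREATOR OWNER row would show GenericAll instead of 268435456.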