Using PowerShell to set file system access control list entries

As part of an automation task I was required to set access control list (ACL) permissions on a newly created folder. In order to achieve this I created a script block in PowerShell.

In my example, I had to assign Modify permissions for a security group to a directory. In this example, I will be assigning the security group ‘DOMAIN\Finance_Users’ modify permissions to the directory ‘D:\Budget’.

Firstly, we need to get the object that represents the security descriptor of the directory, which contains its ACL:

$Acl = Get-Acl D:\Budget

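Next, we put the permission details for the security group into a variable, pass that variable to the FileSystemAccessRule class, and store the resulting access rule in a second variable. The five values are, in order: the identity, the rights, the inheritance flags (ContainerInherit,ObjectInherit applies the rule to subfolders and files), the propagation flags, and the access control type: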

# Identity, rights, inheritance flags, propagation flags, access control type
$Permission = ("DOMAIN\Finance_Users","Modify","ContainerInherit,ObjectInherit","None","Allow")
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission

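Once the access rule has been created, we add it to the ACL object and then write the security descriptor back to the directory so that it matches the values specified in the above variables. Note that SetAccessRule replaces any existing Allow entries for the same identity on this ACL, whereas AddAccessRule would merge the new rule with them: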

$Acl.SetAccessRule($AccessRule)
$Acl | Set-Acl D:\Budget
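
The steps above, wrapped into a reusable function with a check that the entry actually landed. This is an added example, not code from the original post; the function names Grant-FolderModify and Test-FolderModify are hypothetical, and it runs against a throwaway directory with the built-in Users group standing in for DOMAIN\Finance_Users.

```powershell
# Added example: works on a temporary directory, not D:\Budget.
# Assumption: S-1-5-32-545 (BUILTIN\Users) stands in for DOMAIN\Finance_Users.
function Grant-FolderModify {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    # Fail early if the account name does not resolve to a SID (typo, missing group).
    $account = New-Object System.Security.Principal.NTAccount $Identity
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    # SetAccessRule replaces existing Allow entries for this identity,
    # so running the function twice does not stack duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderModify {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    # Look only at explicit (non-inherited) Allow entries that include every Modify bit.
    $explicit = (Get-Acl -Path $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    [bool]$explicit
}

# Resolve the group name from its well-known SID so the demo is not locale dependent.
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$users = $sid.Translate([System.Security.Principal.NTAccount]).Value
$dir   = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$null  = New-Item -ItemType Directory -Path $dir
try {
    Grant-FolderModify -Path $dir -Identity $users
    Grant-FolderModify -Path $dir -Identity $users   # second run: still one entry
    "Modify granted: " + (Test-FolderModify -Path $dir -Identity $users)
    (Get-Acl -Path $dir).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
} finally {
    Remove-Item -Path $dir -Recurse -Force
}
```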

For more information on the FileSystemAccessRule class, see http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule.aspx

 

 

