Add-Access Add permission to the ACL of a file or folder. Add Access The function adds an ACE to the item's ACL. The cmdlet needs to have the following information for that: - Path - Account (SamAccountName or SID) - AccessRights (Read, Change, FullControl, etc., ...) - AccessType (Allow or Deny) - (This folder only, Only files, etc.) All the options are explained in the parameter section. The function needs to know the file or folder path. The path can be an argument or be piped into the function as string or FileSystemInfo object (result of Get-ChildItem or Get-Item). Add-Access Account Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'. IdentityReference2 AccessRights The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl FileSystemRights AccessType The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType). AccessControlType InheritanceFlags Defines what child items are going to inherit in terms of permissions. If not defined, permissions will be inherited by files and folders (ContainerInherit | ObjectInherit) There are three options: - None: The permission will not be inherited by any child item - ContainerInherit: The permission will be inherited only by directories - ObjectInherit: The permission will be inherited only by files InheritanceFlags PropagationFlags Specifies how Access Control Entries (ACEs) are propagated to child objects. There are three options: - None: Specifies that no propagation flags are set. - NoPropagateInherit: Specifies that the ACE is not propagated to child objects. - InheritOnly: Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects. PropagationFlags PassThru Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output. Path Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders. String[] Add-Access Account Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'. IdentityReference2 AccessRights The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl FileSystemRights AccessType The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType). AccessControlType AppliesTo This parameter controls inheritance and propagation like the "Apply To" drop-down box in the Windows Explorer dialog. The allowed options are: - ThisFolderOnly - ThisFolderSubfolderAndFiles - ThisFolderAndSubfolders - ThisFolderAndFiles - SubfolderAndFilesOnly - SubfolersOnly - FilesOnly ApplyTo PassThru Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output. Path Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders. String[] Account Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'. IdentityReference2 IdentityReference2 AccessRights The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl FileSystemRights FileSystemRights AccessType The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType). AccessControlType AccessControlType InheritanceFlags Defines what child items are going to inherit in terms of permissions. If not defined, permissions will be inherited by files and folders (ContainerInherit | ObjectInherit) There are three options: - None: The permission will not be inherited by any child item - ContainerInherit: The permission will be inherited only by directories - ObjectInherit: The permission will be inherited only by files InheritanceFlags InheritanceFlags PropagationFlags Specifies how Access Control Entries (ACEs) are propagated to child objects. There are three options: - None: Specifies that no propagation flags are set. - NoPropagateInherit: Specifies that the ACE is not propagated to child objects. - InheritOnly: Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects. PropagationFlags PropagationFlags PassThru Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output. SwitchParameter Path Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders. String[] String[] AppliesTo This parameter controls inheritance and propagation like the "Apply To" drop-down box in the Windows Explorer dialog. The allowed options are: - ThisFolderOnly - ThisFolderSubfolderAndFiles - ThisFolderAndSubfolders - ThisFolderAndFiles - SubfolderAndFilesOnly - SubfolersOnly - FilesOnly ApplyTo ApplyTo FileSystemInfo or Strings All parameters accept pipeline input. Null, unless the parameter PassThru is used. Security2.FileSystemAccessRule2 for each ACE on the object, if PassThru is used. -------------- EXAMPLE 1 -------------- C:\PS> C:\PS> PS C:\> dir | Add-Ace -Account forest3\test -AccessRights Read -PassThru Add read permissions to the test user account. Per default the inheritance is set to files and folders. Path: C:\data\Test (Inheritance enabled) Identity Rights Inheritance Type IsInherited -------- ------ ----------- ---- ----------- raandree1\Test (S-1-5-21-30... FullControl ContainerInherit,... Allow False -------------- EXAMPLE 2 -------------- C:\PS> C:\PS> PS C:\data> dir | Add-Ace -Account raandree1\test -AccessRights Read -AppliesTo ThisFolderOnly -PassThru Adds read access to the test account to all items the 'dir' command returns without inheriting the access to files or folder below. Path: C:\data\Test (Inheritance enabled) Identity Rights Inheritance Type IsInherited -------- ------ ----------- ---- ----------- raandree1\Test (S-1-5-21-30... Read, Synchronize None Allow False Path: C:\data\File1.txt (Inheritance enabled) Identity Rights Inheritance Type IsInherited -------- ------ ----------- ---- ----------- raandree1\Test (S-1-5-21-30... Read, Synchronize None Allow False http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 Copy-Access Copy Access Copy-Access Path String DestinationPath String Account IdentityReference2 AccessType AccessControlType PassThru Path String String DestinationPath String String Account IdentityReference2 IdentityReference2 AccessType AccessControlType AccessControlType PassThru SwitchParameter Disable-Inheritance Disable Inheritance Disable-Inheritance PassThru PreserveInheritedAccessRules Path String[] PassThru SwitchParameter PreserveInheritedAccessRules SwitchParameter Path String[] String[] Enable-Inheritance Enable Inheritance Enable-Inheritance PassThru RemoveInheritedAccessRules Path String[] PassThru SwitchParameter RemoveInheritedAccessRules SwitchParameter Path String[] String[] Get-Access Gets all Access Control Entries in the item's Discretionary Access Control List. Get Access The function returns all ACEs defined on the item. You can filter the ACEs using the switches ExcludeExplicit and ExcludeInherited. Whether the item inherits the permissions from its parent is indicated in the output as well. The function needs to know the file or folder path. The path can be an argument or be piped into the function as string or FileSystemInfo object (result of Get-ChildItem or Get-Item). Get-Access Account Takes the account that is used to filter the output. Only ACEs are shown that match the given user account. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'. IdentityReference2 ExcludeExplicit If set, only inherited ACEs are returned. ExcludeInherited If set, only explicitly non-inherited ACEs are returned. Path Specifies the path to the resource. Get-Access gets the permissions of the items indicated by the path. Wildcards are not permitted. This parameter also accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to get the access rights of multiple files and folders. String[] Account Takes the account that is used to filter the output. Only ACEs are shown that match the given user account. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'. IdentityReference2 IdentityReference2 ExcludeExplicit If set, only inherited ACEs are returned. SwitchParameter ExcludeInherited If set, only explicitly non-inherited ACEs are returned. SwitchParameter Path Specifies the path to the resource. Get-Access gets the permissions of the items indicated by the path. Wildcards are not permitted. This parameter also accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to get the access rights of multiple files and folders. String[] String[] System.String You can pipe a string that contains a path. Security2.FileSystemAccessRule2 Get-Ace returns objects that represent the item's Access Control Entries. -------------- EXAMPLE 1 -------------- C:\PS> C:\PS> Get-Item c:\ | Get-Access Get all ACEs defined on the root of drive C: Path: C:\ (Inheritance disabled) Identity Rights Inheritance Type IsInherited -------- ------ ----------- ---- ----------- NT AUTHORITY\Authenticated ... AppendData None Allow False NT AUTHORITY\Authenticated ... -536805376 ContainerIn... Allow False NT AUTHORITY\SYSTEM (S-1-5-18) FullControl None Allow False NT AUTHORITY\SYSTEM (S-1-5-18) 268435456 ContainerIn... Allow False BUILTIN\Administrators (S-1... 268435456 ContainerIn... Allow False BUILTIN\Administrators (S-1... FullControl None Allow False BUILTIN\Users (S-1-5-32-545) ReadAndExec... ContainerIn... Allow False -------------- EXAMPLE 2 -------------- C:\PS> C:\PS> PS C:\> dir | Where-Object { $_.PSIsContainer } | Get-Ace -ExcludeInherited This command returns only explicitly set ACEs on all folders. -------------- EXMAPLE 3 -------------- C:\PS> C:\PS> PS C:\> dir | Get-Access -Account Builtin\Users This command returns all Access Control Entries whose account match 'Builtin\Users'. Path: C:\Users\raandree\Desktop\ADRAP.docx (Inheritance disabled) Account Access Rights Applies to Type IsInherited ------- ------------- ---------- ---- ----------- BUILTIN\Users (S-1-5-32-545) Modify, Synch... ThisFolderOnly Allow False http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 Get-EffectiveAccess Get EffectiveAccess Get-EffectiveAccess Account IdentityReference2 Path String[] Account IdentityReference2 IdentityReference2 Path String[] String[] Get-Inheritance Get Inheritance Get-Inheritance Path String[] Path String[] String[] Get-OrphanedAccess Get OrphanedAccess Get-OrphanedAccess Account IdentityReference2 ExcludeExplicit ExcludeInherited Path String[] Account IdentityReference2 IdentityReference2 ExcludeExplicit SwitchParameter ExcludeInherited SwitchParameter Path String[] String[] Get-Owner Get Owner Get-Owner Path String[] Path String[] String[] Get-SimpleAccess Get SimpleAccess Get-SimpleAccess IncludeRootFolder Account IdentityReference2 ExcludeExplicit ExcludeInherited Path String[] IncludeRootFolder SwitchParameter Account IdentityReference2 IdentityReference2 ExcludeExplicit SwitchParameter ExcludeInherited SwitchParameter Path String[] String[] Get-SimpleEffectiveAccess Get SimpleEffectiveAccess Get-SimpleEffectiveAccess IncludeRootFolder Account IdentityReference2 Path String[] IncludeRootFolder SwitchParameter Account IdentityReference2 IdentityReference2 Path String[] String[] Remove-Access Remove Access Remove-Access Account IdentityReference2 AccessRights FileSystemRights AccessType AccessControlType InheritanceFlags InheritanceFlags PropagationFlags PropagationFlags PassThru Path String[] Remove-Access Account IdentityReference2 AccessRights FileSystemRights AccessType AccessControlType AppliesTo ApplyTo PassThru Path String[] Account IdentityReference2 IdentityReference2 AccessRights FileSystemRights FileSystemRights AccessType AccessControlType AccessControlType InheritanceFlags InheritanceFlags InheritanceFlags PropagationFlags PropagationFlags PropagationFlags PassThru SwitchParameter Path String[] String[] AppliesTo ApplyTo ApplyTo Set-Owner Set Owner Set-Owner Account IdentityReference2 PassThru Recurse Path String[] Account IdentityReference2 IdentityReference2 PassThru SwitchParameter Recurse SwitchParameter Path String[] String[] Show-SimpleAccess Show SimpleAccess Show-SimpleAccess IncludeRootFolder Account IdentityReference2 ExcludeExplicit ExcludeInherited Path String[] IncludeRootFolder SwitchParameter Account IdentityReference2 IdentityReference2 ExcludeExplicit SwitchParameter ExcludeInherited SwitchParameter Path String[] String[] Show-SimpleEffectiveAccess Show SimpleEffectiveAccess Show-SimpleEffectiveAccess IncludeRootFolder Account IdentityReference2 Path String[] IncludeRootFolder SwitchParameter Account IdentityReference2 IdentityReference2 Path String[] String[]