Add-Access
Add permission to the ACL of a file or folder.
Add
Access
The function adds an ACE to the item's ACL. The cmdlet needs to have the following information for that:
- Path
- Account (SamAccountName or SID)
- AccessRights (Read, Change, FullControl, etc., ...)
- AccessType (Allow or Deny)
-
(This folder only, Only files, etc.)
All the options are explained in the parameter section.
The function needs to know the file or folder path. The path can be an argument or be piped into the function as string or FileSystemInfo object (result of Get-ChildItem or Get-Item).
Add-Access
Account
Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'.
IdentityReference2
AccessRights
The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl
FileSystemRights
AccessType
The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType).
AccessControlType
InheritanceFlags
Defines what child items are going to inherit in terms of permissions. If not defined, permissions will be inherited by files and folders (ContainerInherit | ObjectInherit)
There are three options:
- None: The permission will not be inherited by any child item
- ContainerInherit: The permission will be inherited only by directories
- ObjectInherit: The permission will be inherited only by files
InheritanceFlags
PropagationFlags
Specifies how Access Control Entries (ACEs) are propagated to child objects.
There are three options:
- None: Specifies that no propagation flags are set.
- NoPropagateInherit: Specifies that the ACE is not propagated to child objects.
- InheritOnly: Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.
PropagationFlags
PassThru
Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output.
Path
Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders.
String[]
Add-Access
Account
Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'.
IdentityReference2
AccessRights
The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl
FileSystemRights
AccessType
The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType).
AccessControlType
AppliesTo
This parameter controls inheritance and propagation like the "Apply To" drop-down box in the Windows Explorer dialog. The allowed options are:
- ThisFolderOnly
- ThisFolderSubfolderAndFiles
- ThisFolderAndSubfolders
- ThisFolderAndFiles
- SubfolderAndFilesOnly
- SubfolersOnly
- FilesOnly
ApplyTo
PassThru
Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output.
Path
Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders.
String[]
Account
Takes the account that is will be granted permission. This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'.
IdentityReference2
IdentityReference2
AccessRights
The right the account shall get. This parameter is of the type System.Security.AccessControl.FileSystemRights so the following values are valid: ListDirectory, ReadData, WriteData, CreateFiles, CreateDirectories, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, Traverse, ExecuteFile,DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl
FileSystemRights
FileSystemRights
AccessType
The type of access you want to give, either Allow or Deny (System.Security.AccessControl.AccessControlType).
AccessControlType
AccessControlType
InheritanceFlags
Defines what child items are going to inherit in terms of permissions. If not defined, permissions will be inherited by files and folders (ContainerInherit | ObjectInherit)
There are three options:
- None: The permission will not be inherited by any child item
- ContainerInherit: The permission will be inherited only by directories
- ObjectInherit: The permission will be inherited only by files
InheritanceFlags
InheritanceFlags
PropagationFlags
Specifies how Access Control Entries (ACEs) are propagated to child objects.
There are three options:
- None: Specifies that no propagation flags are set.
- NoPropagateInherit: Specifies that the ACE is not propagated to child objects.
- InheritOnly: Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.
PropagationFlags
PropagationFlags
PassThru
Returns the item's access control list by using FileSystemAccessRule2. item's ACE. By default, this cmdlet does not generate any output.
SwitchParameter
Path
Specifies the path to a resource. Add-Access adds permissions to the items indicated by the path. Wildcards are not permitted. This parameter accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to process multiple files or folders.
String[]
String[]
AppliesTo
This parameter controls inheritance and propagation like the "Apply To" drop-down box in the Windows Explorer dialog. The allowed options are:
- ThisFolderOnly
- ThisFolderSubfolderAndFiles
- ThisFolderAndSubfolders
- ThisFolderAndFiles
- SubfolderAndFilesOnly
- SubfolersOnly
- FilesOnly
ApplyTo
ApplyTo
FileSystemInfo or Strings
All parameters accept pipeline input.
Null, unless the parameter PassThru is used.
Security2.FileSystemAccessRule2 for each ACE on the object, if PassThru is used.
-------------- EXAMPLE 1 --------------
C:\PS>
C:\PS>
PS C:\> dir | Add-Ace -Account forest3\test -AccessRights Read -PassThru
Add read permissions to the test user account. Per default the inheritance is set to files and folders.
Path: C:\data\Test (Inheritance enabled)
Identity Rights Inheritance Type IsInherited
-------- ------ ----------- ---- -----------
raandree1\Test (S-1-5-21-30... FullControl ContainerInherit,... Allow False
-------------- EXAMPLE 2 --------------
C:\PS>
C:\PS>
PS C:\data> dir | Add-Ace -Account raandree1\test -AccessRights Read -AppliesTo ThisFolderOnly -PassThru
Adds read access to the test account to all items the 'dir' command returns without inheriting the access to files or folder below.
Path: C:\data\Test (Inheritance enabled)
Identity Rights Inheritance Type IsInherited
-------- ------ ----------- ---- -----------
raandree1\Test (S-1-5-21-30... Read, Synchronize None Allow False
Path: C:\data\File1.txt (Inheritance enabled)
Identity Rights Inheritance Type IsInherited
-------- ------ ----------- ---- -----------
raandree1\Test (S-1-5-21-30... Read, Synchronize None Allow False
http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85
Copy-Access
Copy
Access
Copy-Access
Path
String
DestinationPath
String
Account
IdentityReference2
AccessType
AccessControlType
PassThru
Path
String
String
DestinationPath
String
String
Account
IdentityReference2
IdentityReference2
AccessType
AccessControlType
AccessControlType
PassThru
SwitchParameter
Disable-Inheritance
Disable
Inheritance
Disable-Inheritance
PassThru
PreserveInheritedAccessRules
Path
String[]
PassThru
SwitchParameter
PreserveInheritedAccessRules
SwitchParameter
Path
String[]
String[]
Enable-Inheritance
Enable
Inheritance
Enable-Inheritance
PassThru
RemoveInheritedAccessRules
Path
String[]
PassThru
SwitchParameter
RemoveInheritedAccessRules
SwitchParameter
Path
String[]
String[]
Get-Access
Gets all Access Control Entries in the item's Discretionary Access Control List.
Get
Access
The function returns all ACEs defined on the item. You can filter the ACEs using the switches ExcludeExplicit and ExcludeInherited.
Whether the item inherits the permissions from its parent is indicated in the output as well.
The function needs to know the file or folder path. The path can be an argument or be piped into the function as string or FileSystemInfo object (result of Get-ChildItem or Get-Item).
Get-Access
Account
Takes the account that is used to filter the output. Only ACEs are shown that match the given user account.
This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'.
IdentityReference2
ExcludeExplicit
If set, only inherited ACEs are returned.
ExcludeInherited
If set, only explicitly non-inherited ACEs are returned.
Path
Specifies the path to the resource. Get-Access gets the permissions of the items indicated by the path. Wildcards are not permitted. This parameter also accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to get the access rights of multiple files and folders.
String[]
Account
Takes the account that is used to filter the output. Only ACEs are shown that match the given user account.
This can either be a SID (well known, domain or local) or a account name. The account name must be specified in the syntax 'Domain\UserName'. Well known accounts are not part of the domain or local machine. Use for example 'NT Authority\System' or 'Builtin\Administrators'.
IdentityReference2
IdentityReference2
ExcludeExplicit
If set, only inherited ACEs are returned.
SwitchParameter
ExcludeInherited
If set, only explicitly non-inherited ACEs are returned.
SwitchParameter
Path
Specifies the path to the resource. Get-Access gets the permissions of the items indicated by the path. Wildcards are not permitted. This parameter also accepts input from the pipeline so combining Get-Access with Get-ChildItem or Get-Item is the easiest way if you want to get the access rights of multiple files and folders.
String[]
String[]
System.String
You can pipe a string that contains a path.
Security2.FileSystemAccessRule2
Get-Ace returns objects that represent the item's Access Control Entries.
-------------- EXAMPLE 1 --------------
C:\PS>
C:\PS>
Get-Item c:\ | Get-Access
Get all ACEs defined on the root of drive C:
Path: C:\ (Inheritance disabled)
Identity Rights Inheritance Type IsInherited
-------- ------ ----------- ---- -----------
NT AUTHORITY\Authenticated ... AppendData None Allow False
NT AUTHORITY\Authenticated ... -536805376 ContainerIn... Allow False
NT AUTHORITY\SYSTEM (S-1-5-18) FullControl None Allow False
NT AUTHORITY\SYSTEM (S-1-5-18) 268435456 ContainerIn... Allow False
BUILTIN\Administrators (S-1... 268435456 ContainerIn... Allow False
BUILTIN\Administrators (S-1... FullControl None Allow False
BUILTIN\Users (S-1-5-32-545) ReadAndExec... ContainerIn... Allow False
-------------- EXAMPLE 2 --------------
C:\PS>
C:\PS>
PS C:\> dir | Where-Object { $_.PSIsContainer } | Get-Ace -ExcludeInherited
This command returns only explicitly set ACEs on all folders.
-------------- EXMAPLE 3 --------------
C:\PS>
C:\PS>
PS C:\> dir | Get-Access -Account Builtin\Users
This command returns all Access Control Entries whose account match 'Builtin\Users'.
Path: C:\Users\raandree\Desktop\ADRAP.docx (Inheritance disabled)
Account Access Rights Applies to Type IsInherited
------- ------------- ---------- ---- -----------
BUILTIN\Users (S-1-5-32-545) Modify, Synch... ThisFolderOnly Allow False
http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85
Get-EffectiveAccess
Get
EffectiveAccess
Get-EffectiveAccess
Account
IdentityReference2
Path
String[]
Account
IdentityReference2
IdentityReference2
Path
String[]
String[]
Get-Inheritance
Get
Inheritance
Get-Inheritance
Path
String[]
Path
String[]
String[]
Get-OrphanedAccess
Get
OrphanedAccess
Get-OrphanedAccess
Account
IdentityReference2
ExcludeExplicit
ExcludeInherited
Path
String[]
Account
IdentityReference2
IdentityReference2
ExcludeExplicit
SwitchParameter
ExcludeInherited
SwitchParameter
Path
String[]
String[]
Get-Owner
Get
Owner
Get-Owner
Path
String[]
Path
String[]
String[]
Get-SimpleAccess
Get
SimpleAccess
Get-SimpleAccess
IncludeRootFolder
Account
IdentityReference2
ExcludeExplicit
ExcludeInherited
Path
String[]
IncludeRootFolder
SwitchParameter
Account
IdentityReference2
IdentityReference2
ExcludeExplicit
SwitchParameter
ExcludeInherited
SwitchParameter
Path
String[]
String[]
Get-SimpleEffectiveAccess
Get
SimpleEffectiveAccess
Get-SimpleEffectiveAccess
IncludeRootFolder
Account
IdentityReference2
Path
String[]
IncludeRootFolder
SwitchParameter
Account
IdentityReference2
IdentityReference2
Path
String[]
String[]
Remove-Access
Remove
Access
Remove-Access
Account
IdentityReference2
AccessRights
FileSystemRights
AccessType
AccessControlType
InheritanceFlags
InheritanceFlags
PropagationFlags
PropagationFlags
PassThru
Path
String[]
Remove-Access
Account
IdentityReference2
AccessRights
FileSystemRights
AccessType
AccessControlType
AppliesTo
ApplyTo
PassThru
Path
String[]
Account
IdentityReference2
IdentityReference2
AccessRights
FileSystemRights
FileSystemRights
AccessType
AccessControlType
AccessControlType
InheritanceFlags
InheritanceFlags
InheritanceFlags
PropagationFlags
PropagationFlags
PropagationFlags
PassThru
SwitchParameter
Path
String[]
String[]
AppliesTo
ApplyTo
ApplyTo
Set-Owner
Set
Owner
Set-Owner
Account
IdentityReference2
PassThru
Recurse
Path
String[]
Account
IdentityReference2
IdentityReference2
PassThru
SwitchParameter
Recurse
SwitchParameter
Path
String[]
String[]
Show-SimpleAccess
Show
SimpleAccess
Show-SimpleAccess
IncludeRootFolder
Account
IdentityReference2
ExcludeExplicit
ExcludeInherited
Path
String[]
IncludeRootFolder
SwitchParameter
Account
IdentityReference2
IdentityReference2
ExcludeExplicit
SwitchParameter
ExcludeInherited
SwitchParameter
Path
String[]
String[]
Show-SimpleEffectiveAccess
Show
SimpleEffectiveAccess
Show-SimpleEffectiveAccess
IncludeRootFolder
Account
IdentityReference2
Path
String[]
IncludeRootFolder
SwitchParameter
Account
IdentityReference2
IdentityReference2
Path
String[]
String[]