Get files ACLs with PowerShell

Recently I needed to get all the user permissions for all the files (with a specific extension) in a given folder (with subfolders). I had to get this information from a Windows Server machine, so I wrote a simple PowerShell script.

By user permissions we mean the FileSystemRights values, for example:

  • Full Control
  • Read
  • Write
  • Execute

You can find the complete FileSystemRights enumeration here: FileSystemRights Enumeration.

Given the root folder of our documents, we are going to use the Get-ChildItem cmdlet to get the items and child items in the specified location.
For each item we are going to use the Get-Acl cmdlet to get the security descriptor for the resource.

Get-Acl returns a System.Security.AccessControl.FileSystemSecurity object. We are interested in its Access property (a System.Collections.ReadOnlyCollectionBase object).

Each element of the collection contains the information that we need:

  • IdentityReference: the identity the entry applies to, of type System.Security.Principal.IdentityReference (we are going to remove the machine name/domain from the value)
  • AccessControlType: enumeration value (Allow or Deny) stating whether the rights in FileSystemRights are allowed or denied
  • FileSystemRights: the list of rights (values of the FileSystemRights enumeration)

Once we have collected this information for each file, we are going to save it to a CSV file.

PowerShell script (set your root, CSV output file and extension):
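The following is an added example that implements the steps described above; it is not the original script from this post. The function name `Get-FileAclReport`, its parameters, the extra `IsInherited` column and the temporary demo folder are assumptions made for illustration.

```powershell
# Added example: hypothetical function and parameter names, not the post's original script.
function Get-FileAclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,       # folder to scan, including subfolders
        [Parameter(Mandatory)] [string] $Extension,  # e.g. 'txt' (without the dot)
        [Parameter(Mandatory)] [string] $CsvPath     # output CSV file
    )

    $rows = @(
        Get-ChildItem -LiteralPath $Root -Recurse -File |
            # Compare the extension exactly; a '*.doc' wildcard filter can also match '.docx'.
            Where-Object { $_.Extension -eq ".$Extension" } |
            ForEach-Object {
                $file = $_.FullName
                try {
                    $acl = Get-Acl -LiteralPath $file -ErrorAction Stop
                } catch {
                    # Report unreadable security descriptors instead of skipping them silently.
                    Write-Warning "Cannot read ACL for ${file}: $($_.Exception.Message)"
                    return
                }
                foreach ($ace in $acl.Access) {
                    [pscustomobject]@{
                        File              = $file
                        # Strip the machine/domain prefix: 'BUILTIN\Users' -> 'Users'
                        Identity          = $ace.IdentityReference.Value -replace '^.*\\', ''
                        AccessControlType = [string]$ace.AccessControlType  # Allow or Deny
                        FileSystemRights  = [string]$ace.FileSystemRights   # comma-separated rights
                        IsInherited       = $ace.IsInherited                # extra column (assumption)
                    }
                }
            }
    )

    $rows | Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8
    return $rows
}

# Constructed demo input: a temporary folder with two files, one in a subfolder.
$demo = Join-Path ([IO.Path]::GetTempPath()) "acl-demo-$(Get-Random)"
New-Item -ItemType Directory -Path (Join-Path $demo 'sub') -Force | Out-Null
Set-Content -Path (Join-Path $demo 'a.txt'), (Join-Path $demo 'sub\b.txt') -Value 'demo'
Get-FileAclReport -Root $demo -Extension 'txt' -CsvPath (Join-Path $demo 'acl.csv') |
    Format-Table -AutoSize
```

Each access control entry becomes one CSV row, so a file with several entries appears on several rows; Deny entries and non-inherited entries are the ones worth reviewing first.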

This is what the output looks like:
