PowerShell Get-Acl Cmdlet

PowerShell Script Files – Get-Acl

From a strategic point of view Get-Acl (Access Control List) is a stepping-stone to changing permissions with Set-Acl.  When learning about Get-Acl select a file rather than a folder, those SID numbers can be so meaningless.


Example 1: Get-Acl Owner Check

I have chosen the Windows log files as vehicle to test Get-Acl.

# PowerShell Get-Acl Windows Log files
$Files = "C:\Windows\*.log"
Get-Acl  $Files | Format-Table -property PSPath, Owner

Learning Points

Note 1:  The reason that I used the variable $Files is that I want to remind you to change the value for the path before running this script on your machine.

Research Get-Acl Properties

Format-Table is of great help with Get-Acl.  I recommend researching the precise spelling of the various properties by appending Get-Member thus:

# PowerShell Get-Acl Properties
$Files = "C:\Windows\*.log"
Get-Acl  $Files | Get-Member -MemberType *Property

Note 2: -MemberType *Property filters out methods, and shows just the various properties.  One conclusion, PSChildName may be better than PSPath.

Note 3: Actually, any file will do to check the properties supported by Get-Acl.

Example 2: Get-Acl to Find a Particular Owner

The reasons that I chose -Match ‘Administrator’ is that every Windows operating system has Administrators, and I don’t know the names of your users.

# PowerShell Get-Acl Find Owner = Administrator
$Files = "C:\Windows\*.log"
Get-Acl $Files | Where {$_.Owner -Match 'Administrator'} |
Format-Table -property PSChildName, Owner -auto

Note 4: I recommend that you change ‘Administrator’ to the name of a user on your computer.  Furthermore, if you take my advice then you may wish to change the value of $Files to "C:\Windows\Users\"PowerShell Get-Acl cmdlet - Permissions Analyzer

Note 5: PowerShell syntax includes the ` backtick for word-wrap; however I try not use the backtick symbol `, instead I ended line 4 with the | pipe symbol. As a result of this formatting PowerShell realizes that the command continues on the next line.

Background Research

In addition to pure research on PowerShell's Get-Acl, I strongly recommend that open Windows Explorer and look at not only the location of the files, but also at the permissions.

If you right-click any file or folder, select properties and check the permissions. For further detail click Edit, see screenshot to the right.

Another useful technique is to use CACLS

Example 3: Get-Acl -ExpandProperty

The problem: We need a list of all the permissions on a user's folder, especially any domain\username and group names.  The basic command in Example 3a does not produce the desired results.

# Get-Acl Example 3a
Get-Acl 'C:\Users\Fred'

The solution: -ExpandProperty

# Get-Acl Example 3b
(Get-Acl 'C:\Users\Fred').Access `
| Select-Object -ExpandProperty IdentityReference


Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v11.5 v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Research Get-Acl Parameters

One reason for research properties is if you want to modify the results, for example you wish to pipe the output into Format-Table, but are unsure which properties to specify.

# PowerShell Get-Acl Parameters
Get-Help Get-Acl -full

Checking the help file will reveal useful parameters, for instance the -audit switch maybe useful for your task.  In addition to the file system you can also direct Get-Acl to list permissions on registry keys.

See Also a Review of Solarwinds Free Permissions Analyzer »

Researching Similar PowerShell Content Cmdlets

# PowerShell Content Cmdlet Research
Get-Command -Noun Acl

This reveals the sister command Set-Acl.  Incidentally, many of PowerShell’s Get verbs also have a ‘Set’ companion cmdlet. 

See more on Set-Acl ยป

Summary of PowerShell’s Get-Acl Cmdlet

Get-Acl is rather different from the mainstream PowerShell cmdlets.  You can apply what you learn about ‘Get’ access control lists, changing permissions with Set-Acl.

If you like this page then please share it with your friends


See more PowerShell share examples including WMI

PowerShell WMI   • Create Win32_Share   • WMI Shares   • Free Permissions Analyzer Tool

Get-Acl  • PowerShell Share Error Codes   • Win32_ComputerSystem  • PowerShell 3.0 CIM

Windows PowerShell  • Free WMI Monitor  • Cacls   • Query   • PowerShell Printer Scripts

Please email me if you have a example scripts.  Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.