powershellscripts.com

Tutorials  PowerShell Cmdlet Help for Get-Acl



NAME
Get-Acl

SYNOPSIS
Gets the security descriptor for a resource, such as a file or registry key.

SYNTAX
Get-Acl [[-Path] ] [-Audit] [-Exclude ] [-Filter ] [-Include ] [-UseTransacti
on] []


DESCRIPTION
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descript
or contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user
groups have to access the resource.


PARAMETERS
-Audit []
Gets the audit data for the security descriptor from the system access control list (SACL).

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Exclude
Omits the specified items. The value of this parameter qualifies the Path parameter. Enter a path element or pa
ttern, such as "*.txt". Wildcards are permitted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Filter
Specifies a filter in the provider's format or language. The value of this parameter qualifies the Path paramet
er. The syntax of the filter, including the use of wildcards, depends on the provider. Filters are more efficie
nt than other parameters, because the provider applies them when retrieving the objects, rather than having Win
dows PowerShell filter the objects after they are retrieved.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Include
Retrieves only the specified items. The value of this parameter qualifies the Path parameter. Enter a path elem
ent or pattern, such as "*.txt". Wildcards are permitted.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Path
Specifies the path to a resource. Get-Acl gets the security descriptor of the resource indicated by the path. W
ildcards are permitted. If you omit the Path parameter, Get-Acl gets the security descriptor of the current dir
ectory.

The parameter name ("Path") is optional.

Required? false
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-UseTransaction []
Includes the command in the active transaction. This parameter is valid only when a transaction is in progress.
For more information, see about_Transactions.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS
System.String
You can pipe a string that contains a path to Get-Acl.


OUTPUTS
System.Security.AccessControl
Get-Acl returns an object that represents the ACLs that it gets. The object type depends upon the ACL type.


NOTES


By default, Get-Acl displays the Windows PowerShell path to the resource (::), the own
er of the resource, and "Access", a list (array) of the access control entries in the discretionary access cont
rol list (DACL) for the resource. The DACL list is controlled by the resource owner.

When you format the result as a list, ("get-acl | format-list"), in addition to the path, owner, and access lis
t, Windows PowerShell displays the following fields:

-- Group: The security group of the owner.

-- Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of
access attempts for which Windows generates audit records.

-- Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Defin
ition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to retrieve this
data.

Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of
file system objects, such as files and directories, and registry objects, such as registry keys and entries.


-------------------------- EXAMPLE 1 --------------------------

C:\PS>get-acl C:\windows


Description
-----------
This command gets the security descriptor of the C:Windows directory.





-------------------------- EXAMPLE 2 --------------------------

C:\PS>get-acl C:\Windows\k*.log | format-list -property PSPath, Sddl


Description
-----------
This command gets the Windows PowerShell path and SDDL for all of the .log files in the C:\Windows directory whose
names begin with "k."

The command uses Get-Acl to get objects representing the security descriptors of each log file. It uses a pipeline
operator (|) to send the results to the Format-List cmdlet. The command uses the Property parameter of Format-List
to display only the PsPath and SDDL properties of each security descriptor object.

Lists are often used in Windows PowerShell, because long values appear truncated in tables.

The SDDL values are valuable to system administrators, because they are simple text strings that contain all of the
information in the security descriptor. As such, they are easy to pass and store, and they can be parsed when need
ed.





-------------------------- EXAMPLE 3 --------------------------

C:\PS>get-ACL c:/windows/k*.log -Audit | foreach-object { $_.Audit.Count }


Description
-----------
This command gets the security descriptors of the .log files in the C:\Windows directory whose names begin with "k.
" It uses the Audit parameter to retrieve the audit records from the SACL in the security descriptor. Then it uses
the For-EachObject parameter to count the number of audit records associated with each file. The result is a list o
f numbers representing the number of audit records for each log file.





-------------------------- EXAMPLE 4 --------------------------

C:\PS>get-acl -path hklm:\system\currentcontrolset\control | format-list


Description
-----------
This command uses Get-Acl to get the security descriptor of the Control subkey (HKLM\SYSTEM\CurrentControlSet\Contr
ol) of the registry.

The Path parameter specifies the Control subkey. The pipeline operator (|) passes the security descriptor that Get-
Acl retrieves to the Format-List command, which formats the properties of the security descriptor as a list so that
they are easy to read.






RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=113305
Set-Acl