Tricky use of Get-Acl

Question

When using the Get-ACL cmdlet it returns a single object that's a bit of a pain to deal with.

Path  Owner               Access                                                                                            
----  -----               ------                                                                                            
Test2 Owner               NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize                                       
                          NT AUTHORITY\SYSTEM Allow  FullControl  

Using something like (Get-ACL D:\test2).Access gives much nicer output - an item per permission:

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Due to the way the rest of my script works, this is what I need to be presented with after the Get-ACL operation. However, the rest of my script is nested within a For-Each off this Get-ACL and when using the above example, you can't then call $acl.AddAccessRuleas this call only seems to work straight off a regular $acl = Get-ACL "Some Path" and not $acl = (get-ACL "some path").Access

The error I see is:

Method invocation failed because [System.Security.AccessControl.FileSystemAccessRule] does not contain a method named 'AddAccessRule'.

Is there a way around this, whereby I am presented with the information in example 2, but can still call the .AddAccessRule without having to run another Get-ACL just to be able to do this?

Answer 1

Use something like this:

$acl = Get-Acl "Some Path"
$access = $acl.Access

# Do stuff with $access
$acl.AddAccessRule