Ashish Gupta

Reputation: 15139

PowerShell: Get-ACL and get permissions for specific user on a remote folder

Get-ACL \\machine_name\folder1 | Format-List *

Gives me the below including the Access rights for users (in AccessToString)

AccessToString          : NT AUTHORITY\Authenticated Users Allow  AppendData
                          NT AUTHORITY\Authenticated Users Allow  -536805376
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Users Allow  ReadAndExecute, Synchronize
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

But the below gives me an empty result:

Get-ACL \\machine_name\folder1| Format-List * | select AccessToString

Ultimately, I want to get the entry for a specific given user in the AccessToString, e.g. get only the access rights for "BUILTIN\Administrators". Will appreciate any help.

Upvotes: 2

Views: 27613

Answers (1)

CosmosKey

Reputation: 1317

First of all, one should never pipe the output of any Format-* cmdlets into other cmdlets. Why? Because the output of the Format-* cmdlets is not the objects which you are working with on the pipeline. They are specialized objects for formatting information on the screen.

If we take the command Get-Acl c:\ | Format-List * | Get-Member we will see that there are five objects of these five .NET Types which are passed from the Format-List cmdlet to the Get-Member cmdlet:

  • Microsoft.PowerShell.Commands.Internal.Format.FormatStartData
  • Microsoft.PowerShell.Commands.Internal.Format.GroupStartData
  • Microsoft.PowerShell.Commands.Internal.Format.FormatEntryData
  • Microsoft.PowerShell.Commands.Internal.Format.GroupEndData
  • Microsoft.PowerShell.Commands.Internal.Format.FormatEndData

These objects are there only for Format-List to display nicely. Also Get-Member does not show any of these objects to have any AccessToString property.

The AccessToString property is just a blob of text representing the ACL. This is not suitable to filter on; instead, what one should do is dive into the Access property and filter the access control entries (ACEs) on their IdentityReference property.

You will have better luck with this:

Get-Acl c:\ | Select-Object -ExpandProperty Access | 
  Where-Object identityreference -eq "BUILTIN\Administrators"

Upvotes: 10
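
The answer's approach wrapped as a reusable function, as an added example (not code from the answer): it filters the Access entries on IdentityReference and, going one step beyond the answer, decodes raw masks such as the -536805376 in the question's output into generic-right names. Get-AceForIdentity is a hypothetical name; the code assumes Windows and PowerShell 3.0 or later.

```powershell
# Added example. Get-AceForIdentity is a hypothetical helper name, not a built-in cmdlet.
function Get-AceForIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,      # local or UNC path, e.g. \\machine_name\folder1
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'BUILTIN\Administrators'
    )

    # Generic access bits (top nibble of the 32-bit mask); FileSystemRights has no names for them.
    # Decimal literals are used so the values stay positive.
    $genericBits = [ordered]@{
        GenericRead    = 2147483648   # 0x80000000
        GenericWrite   = 1073741824   # 0x40000000
        GenericExecute = 536870912    # 0x20000000
        GenericAll     = 268435456    # 0x10000000
    }

    # Work on the real ACE objects, never on Format-* output or the AccessToString text.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            $ace = $_
            # Reinterpret the signed Int32 mask as unsigned so the bit tests are straightforward.
            $mask = [int64][int]$ace.FileSystemRights
            if ($mask -lt 0) { $mask += 4294967296 }

            $names = @($genericBits.Keys | Where-Object { $mask -band $genericBits[$_] })
            $specific = $mask -band 268435455   # low 28 bits: standard and file-specific rights
            if ($specific -ne 0) {
                $names += [System.Security.AccessControl.FileSystemRights][int]$specific
            }

            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $names -join ', '
                RawRights = [int]$ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
}

# Usage (constructed): rights held by BUILTIN\Administrators on the Windows directory.
Get-AceForIdentity -Path $env:SystemRoot -Identity 'BUILTIN\Administrators'
```

For an entry whose raw value is -536805376 (0xE0010000), the Rights column reads GenericRead, GenericWrite, GenericExecute, Delete.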
