
Taking on PowerShell one cmdlet at a time
This blog post is part of an ongoing series by Adam Gordon. Each week, Adam walks through a PowerShell command, explaining when and how to use it. This post covers Set-Acl.
When should you use Set-Acl?
The Set-Acl cmdlet modifies the security descriptor for a specified item (e.g. a file or registry key) to match the values in the security descriptor you supply.
To use Set-Acl, use the -Path parameter or the -InputObject parameter to identify the item whose security descriptor you wish to change. Next, use the -AclObject and -SecurityDescriptor parameters to supply a security descriptor with the values you desire.
Set-Acl applies the supplied security descriptor. It uses the value of the -AclObject parameter as a model and modifies the values in the item's security descriptor to match the values in the -AclObject parameter.
What version of PowerShell am I using?
Get the PowerShell version for your machine:
$PSVersionTable
This command displays the PowerShell version information for your machine.
How to use Set-Acl
Copy a security descriptor from one file to another:
$ITPACL = Get-Acl -Path "C:\PShellTest\ITP.txt"
Set-Acl -Path "C:\PShellTest\TV.txt" -AclObject $ITPACL
These commands copy the values of the ITP.txt security descriptor to the TV.txt security descriptor. Once the commands are completed, the security descriptors for the ITP.txt file and the TV.txt file are identical.
The first command uses the Get-Acl cmdlet to retrieve the security descriptor of the ITP.txt file. The assignment operator (=) stores the security descriptor in the $ITPACL variable.
The second command uses Set-Acl to change the values in the ACL of TV.txt to the values in $ITPACL.
The value of the -Path parameter is the path to the TV.txt file. The value of the -AclObject parameter is the model ACL. In this case, it is the ACL of ITP.txt, as saved in $ITPACL.
To pass a descriptor, use the pipeline operator:
Get-Acl -Path "C:\PShellTest\ITP.txt" | Set-Acl -Path "C:\PShellTest\TV.txt"
This command uses the pipeline operator (|) to send the security descriptor from a Get-Acl command to a Set-Acl command.
The first command uses the Get-Acl cmdlet to retrieve the security descriptor of the ITP.txt file. The pipeline operator (|) passes an object that represents the ITP.txt security descriptor to the Set-Acl cmdlet.
The second command uses Set-Acl to apply ITP.txt's security descriptor to TV.txt. When the command completes, the ACLs of the ITP.txt and TV.txt files are identical.
Apply a security descriptor to multiple files:
$NewAcl = Get-Acl -Path "C:\PShellTest\ITP.txt"
Get-ChildItem -Path "C:\PShellTest\ITPTV1" -Recurse -Include "*.txt" -Force | Set-Acl -AclObject $NewAcl
These commands apply the security descriptor of the ITP.txt file to all text files in the C:\PShellTest\ITPTV1 directory and all of its subdirectories.
The first command gets the security descriptor of the ITP.txt file and uses the assignment operator (=) to store it in the $NewAcl variable.
The first command in the pipeline uses the Get-ChildItem cmdlet to retrieve all text files in the C:\PShellTest\ITPTV1 directory. The -Recurse parameter extends the command to all subdirectories of C:\PShellTest\ITPTV1. The -Include parameter restricts the files that are retrieved to those with the .txt file name extension. The -Force parameter gets hidden files, which would otherwise be excluded. (You cannot use C:\PShellTest\ITPTV1\*.txt, because the -Recurse parameter works on directories, not on files.)
The pipeline operator (|) sends the objects representing the retrieved files to the Set-Acl cmdlet, which applies the security descriptor in the -AclObject parameter to all of the files in the pipeline.
NOTE: You should use the -WhatIf parameter with all Set-Acl commands that can affect more than one item. In this case, the second command in the pipeline would be Set-Acl -AclObject $NewAcl -WhatIf.
This command lists all files that would be affected by the command. After reviewing the results, you can run the command again without the -WhatIf parameter.
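Because Set-Acl replaces the values in each target's security descriptor, a bulk run is easier to trust when the existing descriptors are saved first. The script below is an added example, not code from the original post: it builds a constructed sample tree under $env:TEMP (the SetAclDemo folder and acl-backup.csv file names are assumptions), saves each target's descriptor as SDDL, previews with -WhatIf, applies the model ACL, and then restores the saved descriptors.

```powershell
# Added example. Every path below is constructed under $env:TEMP and is
# hypothetical; nothing outside the SetAclDemo folder is touched.
$root   = Join-Path $env:TEMP 'SetAclDemo'
$model  = Join-Path $root 'ITP.txt'
$target = Join-Path $root 'ITPTV1'
$backup = Join-Path $root 'acl-backup.csv'

# Constructed sample tree: one model file and two targets, one in a subfolder.
New-Item -ItemType Directory -Path (Join-Path $target 'Sub') -Force | Out-Null
Set-Content -Path $model -Value 'model'
Set-Content -Path (Join-Path $target 'TV.txt') -Value 'a'
Set-Content -Path (Join-Path $target 'Sub\TV2.txt') -Value 'b'

$NewAcl = Get-Acl -Path $model
$files  = Get-ChildItem -Path $target -Recurse -Include '*.txt' -Force

# 1. Save each target's current descriptor as SDDL so it can be restored.
$files | ForEach-Object {
    [pscustomobject]@{
        Path = $_.FullName
        Sddl = (Get-Acl -LiteralPath $_.FullName).Sddl
    }
} | Export-Csv -Path $backup -NoTypeInformation

# 2. Dry run: reports each file that would be changed, changes nothing.
$files | Set-Acl -AclObject $NewAcl -WhatIf

# 3. Apply the model descriptor to every file in the pipeline.
$files | Set-Acl -AclObject $NewAcl

# 4. Rollback: rebuild each descriptor from its saved SDDL and write it back.
Import-Csv -Path $backup | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.Path
    $acl.SetSecurityDescriptorSddlForm($_.Sddl)
    Set-Acl -LiteralPath $_.Path -AclObject $acl
    "Restored: $($_.Path)"
}
```

Keep the backup file somewhere that only administrators can write to, since whoever can edit it controls what a later rollback applies.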
Learn last week’s command: New-PSRoleCapabilityFile.