File System ACLs – creating an ACL
Last time you saw that the permissions assigned to a file system object are built from instances of the System.Security.AccessControl.FileSystemAccessRule class. Run
Get-Acl -Path c:\test | fl *
and look at the Access property.
Drilling into an individual access rule (one entry in the Access collection) it looks like this:
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : True
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
You can see the documentation for the class at http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx
Creating a new access rule starts by creating a new instance of the class. The documentation shows 4 constructors – ways to build an instance of the class. The simplest requires the name of a user account (or group), the rights the rule covers and whether those rights are allowed or denied. Be aware that this three-argument constructor sets InheritanceFlags to None, so a rule built with it applies to the folder itself and is not inherited by the files and subfolders beneath it; to propagate the rule you need the constructor that also takes InheritanceFlags and PropagationFlags.
First off you need to define some data to use during the creation process:
You need to define the user
$user = "$($env:COMPUTERNAME)\Newuser"
The type of access they have
$fsr = [System.Security.AccessControl.FileSystemRights]::FullControl
See the FileSystemRights enumeration at http://msdn.microsoft.com/en-us/library/system.security.accesscontrol(v=vs.110).aspx for the full list
And whether the rule is allowed or denied
$alwdny = [System.Security.AccessControl.AccessControlType]::Allow
You can then create the access rule
$acr = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $user, $fsr, $alwdny
Get the current ACL
$acl = Get-Acl -Path C:\Test
Add the new rule to the ACL
$acl.AddAccessRule($acr)
And finally set the ACL on the object (this needs the right to change permissions on it, i.e. you must own the object or hold Change Permissions)
Set-Acl -Path c:\test -AclObject $acl
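The whole sequence as one script, added here as an example and not taken from the original post. It assumes a local account called Newuser exists and that the script runs with rights to change the folder's DACL. Rather than FullControl it grants Modify (enough to create, change and delete content but not to change permissions or take ownership), uses the five-argument constructor so the rule is inherited by everything under the folder, checks whether an identical explicit rule is already present before adding it, and verifies the result by reading the DACL back from disk instead of trusting the in-memory object.

```powershell
# Added example, not code from the original post.
# Assumptions: a local account named "Newuser" exists and the caller can change the folder's DACL.
$path = 'C:\Test'
$user = "$($env:COMPUTERNAME)\Newuser"

if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -ItemType Directory | Out-Null
}

# Least privilege: Modify rather than FullControl. Modify cannot rewrite the DACL or take ownership.
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
# ContainerInherit + ObjectInherit so subfolders and files under $path inherit the rule
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

# Five-argument constructor: the three-argument form leaves InheritanceFlags at None,
# so the rule would apply to the folder only and nothing created beneath it.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $user, $rights, $inheritance, $propagation, $type

$acl = Get-Acl -Path $path

# Idempotency: look for an existing explicit (non-inherited) rule with the same identity, rights and type
$existing = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Value -eq $user -and
    $_.FileSystemRights -eq $rights -and
    $_.AccessControlType -eq $type
}

if ($existing) {
    Write-Output "Rule for $user already present on $path - nothing to do"
}
else {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Added $type $rights for $user on $path"
}

# Verify from disk: re-read the DACL and show only the rules for this identity
Get-Acl -Path $path |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $user } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```

The equality check on FileSystemRights is deliberately strict: a rule granting Read to the same account is a different rule and will not stop a Modify rule being added, which is what you want when auditing explicit grants. If Set-Acl fails with an unauthorized operation error, the usual cause is that the caller lacks Change Permissions on the object rather than anything wrong with the rule.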
Over the next few posts I’ll show how to simplify this process with some functions – in a similar way to those you saw recently for working with shares.