Set-acl

Set Access Control List permissions on a file (or object).

Syntax
      Set-Acl [-path] string[] [-aclObject] ObjectSecurity
                 [-Include String] [-Exclude String]
                    [-filter string] [-passThru] [-whatIf]
                       [-confirm] [-UseTransaction] [CommonParameters]

Key
   -Path path
       Path to the item to be changed {accepts wildcards}

       If a security object is passed to Set-Acl (either via -AclObject 
       or by passing an object from Get-Acl), and -Path is omitted,
       Set-Acl will use the path that is included in the security object.

   -AclObject ObjectSecurity
       An ACL with the desired property values.
       Often the output of a Get-Acl command saved in a variable.

   -Filter string
       A filter in the provider's format or language. 
       The exact syntax of the filter (wildcard support etc) depends on the provider.
       Filters are more efficient than -include/-exclude, because the provider
       applies the filter when retrieving the objects, rather than having 
       PowerShell filter the objects after they are retrieved.

   -include string
       Include only the specified items from the Path. e.g. "May*"
       This qualifies the -Path parameter and normally includes a wildcard.
        
   -Exclude string
       Omit the specified items from the Path e.g. "*SS64*"
       This qualifies the -Path parameter and normally includes a wildcard.

   -PassThru 
       Pass the object created by Set-Acl through the pipeline.

   -WhatIf
       Describe what would happen if you executed the command without
       actually executing the command.

   -Confirm
       Prompt for confirmation before executing the command.

   -UseTransaction
       Include the command in the active transaction.

   CommonParameters:
       -Verbose, -Debug, -ErrorAction, -ErrorVariable, -WarningAction, -WarningVariable,
       -OutBuffer, -OutVariable.

Applying a new rule to an ACL requires an AccessRule object of type System.Security.AccessControl.FileSystemAccessRule

Inherited folder permissions:

 Object inherit    - This folder and files. (no inheritance to subfolders)
 Container inherit - This folder and subfolders.
 Inherit only      - The ACE does not apply to the current file/directory

Examples

Copy the security settings from Dog.txt to Cat.txt

PS C:\> $DogACL = get-acl c:\demo\dog.txt
PS C:\> set-acl -path C:\demo\cat.txt -AclObject $DogACL

Or the same thing with a pipeline:

PS C:\> get-acl c:\demo\dog.txt | set-acl -path C:\demo\cat.txt

Apply the same $DogACL to all the files in C:\animals\ and all of its subdirectories (-WhatIf only describes the change; remove it to apply the ACL):

PS C:\> get-childitem c:\animals -recurse -force | set-acl -aclobject $DogACL -whatif

Disable inheritance for the folder 'C:\DemoFolder' (If inheritance is left in place the folder will inherit all the permissions of the parent folder.)

PS C:\> $acl = Get-Acl -Path 'C:\DemoFolder'
PS C:\> $acl.SetAccessRuleProtection($true, $false)
PS C:\> $acl | Set-Acl -Path 'C:\DemoFolder'

Add 'Read and Modify' permission to a folder only for the current user:

$acl = Get-Acl -Path 'C:\DemoFolder'
$permission = $env:username, 'Read,Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow' 
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.SetAccessRule($rule)
# Save the access rule to disk:
$acl | Set-Acl -Path 'C:\DemoFolder'

Script that creates a new User folder, and then grants a user account 'Modify' permission to the folder, its subfolders and files:

$user = 'DemoUser'
$newPath = Join-Path "\\server64\Users" -childpath $user
# Create a folder for this user:
New-Item $newPath -type directory

$acl = Get-Acl $newpath

# Set an Access rule for 'Subfolders and files' only
$permission = "ss64.com\$user",'Modify, DeleteSubdirectoriesAndFiles','ContainerInherit, ObjectInherit', 'InheritOnly', "Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($rule)
     
# Add an Access rule for 'This folder' only (no inheritance flags, no propagation flags).
$permission = "ss64.com\$user",'Modify, DeleteSubdirectoriesAndFiles','None', 'None', "Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($rule)

# Save the access rules to disk:
$acl | Set-Acl $newpath

.SetAccessRule will overwrite any existing explicit rules for the same user or group (inherited rights are not affected), while .AddAccessRule will leave existing rules unchanged.
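
The difference between .AddAccessRule and .SetAccessRule, and how the inheritance and propagation flags translate into a scope, shown on an in-memory security descriptor so nothing on disk is changed. This is an added example, not part of the original page; Get-AceScope, New-Rule and Show-Rules are hypothetical helper names and BUILTIN\Users is a sample identity.

```powershell
$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]

# Translate an ACE's inheritance/propagation flags into a readable scope.
function Get-AceScope {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $children = @()
    if ($Rule.InheritanceFlags.HasFlag($IF::ContainerInherit)) { $children += 'subfolders' }
    if ($Rule.InheritanceFlags.HasFlag($IF::ObjectInherit))    { $children += 'files' }
    if ($children.Count -eq 0) { return 'this folder only' }
    $scope = $children -join ' and '
    if ($Rule.PropagationFlags.HasFlag($PF::InheritOnly)) { $scope += ' only' }
    else { $scope = "this folder, $scope" }
    if ($Rule.PropagationFlags.HasFlag($PF::NoPropagateInherit)) { $scope += ' (direct children only)' }
    return $scope
}

# Build an Allow rule for the sample identity.
function New-Rule {
    param($Rights, $Inherit, $Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, $Rights, $Inherit, $Propagate, 'Allow'
}

# List the explicit and inherited rules currently held in $sd.
function Show-Rules {
    param($Label)
    "--- $Label"
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        '{0} | {1} | {2}' -f $ace.IdentityReference, $ace.FileSystemRights, (Get-AceScope $ace)
    }
}

$id = 'BUILTIN\Users'   # sample identity (assumption)
$sd = New-Object System.Security.AccessControl.DirectorySecurity   # empty ACL, in memory only

# AddAccessRule keeps what is already there: two rules with different scopes.
$sd.AddAccessRule((New-Rule 'Read'  'ContainerInherit, ObjectInherit' 'None'))
$sd.AddAccessRule((New-Rule 'Write' 'None' 'None'))
Show-Rules 'after two AddAccessRule calls'

# SetAccessRule first drops the explicit Allow rules for this identity, then adds the new one.
$sd.SetAccessRule((New-Rule 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Show-Rules 'after SetAccessRule'
```

After the SetAccessRule call the only remaining rule is inherit-only, so the folder itself carries no explicit entry for that identity; this is why the script above follows .SetAccessRule with an .AddAccessRule for 'This folder'.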

“If it's a good idea - go ahead and do it. It’s easier to ask forgiveness than it is to get permission” ~ Grace Murray Hopper

Related PowerShell Cmdlets:

Get-Acl - Get permission settings for a file or registry key.
CACLS - Display or modify Access Control Lists (ACLs) for files and folders.
NTFS Security Module - Raimund Andrée MSFT.
Equivalent bash command: chmod - Change access permissions.


 
Copyright © SS64.com 1999-2019
Some rights reserved