Set Access Control List permissions from on a file (or object).

      Set-Acl [-path] string[] [-aclObject] ObjectSecurity
                 [-Include String] [-Exclude String]
                    [-filter string] [-passThru] [-whatIf]
                       [-confirm] [-UseTransaction] [CommonParameters]

   -Path path
       Path to the item to be changed {accepts wildcards}

       If a security object is passed to Set-Acl (either via -AclObject 
       or by passing an object from Get-Acl), and -Path is omitted,
       Set-Acl will use the path that is included in the security object.

   -AclObject ObjectSecurity
       An ACL with the desired property values.
       Often the output of a Get-Acl command saved in a variable.

   -Filter string
       A filter in the provider's format or language. 
       The exact syntax of the filter (wildcard support etc) depends on the provider.
       Filters are more efficient than -include/-exclude, because the provider
       applies the filter when retrieving the objects, rather than having 
       PowerShell filter the objects after they are retrieved.

   -include string
       Include only the specified items from the Path. e.g. "May*"
       This qualifies the -Path parameter and normally includes a wildcard.
   -Exclude string
       Omit the specified items from the Path e.g. "*SS64*"
       This qualifies the -Path parameter and normally includes a wildcard.

       Pass the object created by Set-Acl through the pipeline.

       Describe what would happen if you executed the command without
       actually executing the command.

       Prompt for confirmation before executing the command.

       Include the command in the active transaction.

To apply a new rule to an ACL, requires an AccessRule Object of Type System.Security.AccessControl.FileSystemAccessRule

The ability to delete or rename a folder is decided by a combination of the Delete permissions on the folder in question, plus the Delete subfolders and files permission on the parent folder.

Inherited folder permissions:

 Object inherit    - This folder and files. (no inheritance to subfolders)
 Container inherit - This folder and subfolders.
 Inherit only      - The ACE does not apply to the current file/directory

By default, an object will inherit permissions from its parent object, either at the time of creation or when it is copied or moved. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained. In controlled environments this ensures that users cannot change file permissions by just moving items to a different folder. This behaviour can be disabled by setting a system-wide registry key, see Q310316.


Copy the security settings from Dog.txt to Cat.txt

PS C:\> $DogACL = get-acl c:\demo\dog.txt
PS C:\> set-acl -path C:\demo\cat.txt -AclObject $DogACL

Or the same thing with a pipeline:

PS C:\> get-acl c:\demo\dog.txt | set-acl -path C:\demo\cat.txt

Apply the same $Dog ACL to all the files in C:\animals\ and all of its subdirectories:

PS C:\> get-childitem c:\animals -recurse -force | set-acl -aclobject $DogACL -whatif

Disable inheritance for the folder 'C:\DemoFolder' (If inheritance is left in place the folder will inherit all the permissions of the parent folder.)

PS C:\> $acl = Get-Acl -Path 'C:\DemoFolder'
PS C:\> $acl.SetAccessRuleProtection($true, $false)
PS C:\> $acl | Set-Acl -Path 'C:\DemoFolder'

Add 'Read and Modify' permission to a folder only for the current user:

$acl = Get-Acl -Path 'C:\DemoFolder'
$permission = $env:username, 'Read,Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow' 
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
# Save the access rule to disk:
$acl | Set-Acl -Path 'C:\DemoFolder'

Script that creates a new User folder, and then grants a user account 'Modify' permission to the folder, it's subfolders and files:

$user = 'DemoUser'
$newPath = Join-Path "\\server64\Users" -childpath $user
# Create a folder for this user:
New-Item $newPath -type directory

$acl = Get-Acl $newpath

# Set an Access rule for 'Subfolders and files' only
$permission = "\$user",'Modify, DeleteSubdirectoriesAndFiles','ContainerInherit, ObjectInherit', 'InheritOnly', "Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
# Add an Access rule for 'This folder' only.
$permission = "\$user",'Modify, DeleteSubdirectoriesAndFiles','none', 'InheritOnly', "Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

# Save the access rules to disk:
$acl | Set-Acl $newpath

.SetAccessRule will overwrite any existing acls (other than inherited rights) while .AddAccessRule will leave existing acls unchanged.

“If it's a good idea - go ahead and do it. It’s easier to ask forgiveness than it is to get permission” ~ Grace Murray Hopper

Related PowerShell Cmdlets

Get-Acl - Get permission settings for a file or registry key.
CMD: iCACLS - Change file and folder permissions (ACLs).
CMD: CACLS - Display or modify Access Control Lists (ACLs) for files and folders.
NTFS Security Module - Get/Set ACLs, inheritance, ownership and other permissions missing from get/set-acl [Raimund Andrée MSFT].
Equivalent bash command: chmod - Change access permissions.

Copyright © 1999-2024
Some rights reserved