PowerShell to verify ACLs (permissions) on a folder

In my previous post, I showed how to create a new ACL and apply it to a folder. Why apply it to the folder if the folder is already set correctly? I wrote the following function to compare the ACLs of a folder against a desired set of ACLs (either created by hand (lines 3-12 of that post) or copied from an existing folder (lines 12-15)).

function JBMURPHY-PERMS-ArePermsCorrect {
    Param([parameter(Mandatory = $true)]$Path,
          [parameter(Mandatory = $true)]$CorrectACL,
          [switch]$ShowCorrect)

    # Current ACL of the folder being checked
    $folderACLs = Get-Acl (Get-Item $Path)

    # Compare the access rules on the listed properties only. Wrapping the
    # result in @() guarantees .Count works even when exactly one difference
    # comes back (PowerShell 2.0 returns a single object there, not an array,
    # and $null -gt 0 is $false). AccessControlType (Allow/Deny) is not among
    # the compared properties.
    $differences = @(Compare-Object $folderACLs.Access $CorrectACL.Access -Property FileSystemRights,IdentityReference,InheritanceFlags,PropagationFlags)

    if ($differences.Count -gt 0) {
        Write-Host "$Path is INCORRECT"
        return $false
    }
    else {
        if ($ShowCorrect.IsPresent) { Write-Host "$Path is correct" }
        return $true
    }
}

If Compare-Object returns nothing, the two sets of access rules are the same; if they differ, it returns one object per difference, so the count is greater than 0 and the first branch of the conditional runs.

4 Responses to PowerShell to verify ACLs (permissions) on a folder

  1. Jeremy Saunders July 10, 2012 at 11:17 pm #

    Nice function. However, I found that it’s not 100% reliable, especially when checking for AccessControlType of Deny.

    $ACLDifferences = compare-object $($CurrentACL.access) $($NewACL.access) -property FileSystemRights,AccessControlType,IdentityReference,InheritanceFlags,PropagationFlags
    If ($ACLDifferences -ne $NULL) {
        # reapply the ACL here…
    }

    Cheers,
    Jeremy.

  2. jbmurphy July 11, 2012 at 10:12 am #

    Thanks! I never use a deny. I ALWAYS get screwed by it later. But thanks for the update!

  3. Jeremy Saunders July 11, 2012 at 9:31 pm #

    I don’t disagree about the Deny permissions, but there is a method to my madness, which I must blog about one of these days 🙂

    Cheers,
    Jeremy.

  4. jbmurphy February 6, 2013 at 6:26 pm #

    I actually re-did my function and used your “-ne $NULL” method. It was much more reliable as you suggested! Thanks.
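The following is an added example, not code from the original post or its comments. It shows the comparison the thread converges on: AccessControlType is included so an Allow and a Deny for the same identity and rights are no longer treated as equal, and the Compare-Object result is tested against $null rather than through .Count. The function name Test-AclMatches, the helper New-DemoAcl and the switch name IncludeAccessControlType are names chosen for this example, and the two DirectorySecurity objects are constructed in memory so the example runs without touching a real folder.

```powershell
# Added example: compare a folder's ACL against a desired ACL, optionally
# including AccessControlType (Allow/Deny). Names below are assumptions
# for this example, not from the original post.

function Test-AclMatches {
    Param(
        [parameter(Mandatory = $true)]$ActualACL,    # Get-Acl output or a DirectorySecurity object
        [parameter(Mandatory = $true)]$CorrectACL,   # the desired ACL
        [switch]$IncludeAccessControlType            # off = property list from the original post
    )
    $props = 'FileSystemRights','IdentityReference','InheritanceFlags','PropagationFlags'
    if ($IncludeAccessControlType) { $props += 'AccessControlType' }

    # Compare-Object returns nothing when both rule sets match. Testing the
    # result against $null (with $null on the left so an array is not used as
    # a filter) is reliable whether zero, one or many differences come back.
    $diff = Compare-Object $ActualACL.Access $CorrectACL.Access -Property $props
    return ($null -eq $diff)
}

# Builds an in-memory ACL with a single Modify rule for the given identity.
# Constructed for the demo only; nothing is written to disk.
function New-DemoAcl {
    Param(
        [string]$Identity,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    $acl  = New-Object System.Security.AccessControl.DirectorySecurity
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
    $acl.AddAccessRule($rule)
    return $acl
}

# Constructed demo: identical identity, rights and inheritance, but one ACL
# denies where the other allows.
$allowAcl = New-DemoAcl -Identity 'BUILTIN\Users' -Type Allow
$denyAcl  = New-DemoAcl -Identity 'BUILTIN\Users' -Type Deny

# Original property list: the Allow/Deny difference is invisible.
Test-AclMatches -ActualACL $denyAcl -CorrectACL $allowAcl

# With AccessControlType compared: the Deny is reported as a difference.
Test-AclMatches -ActualACL $denyAcl -CorrectACL $allowAcl -IncludeAccessControlType

# Against a real folder (the path is a placeholder, replace with your own):
# Test-AclMatches -ActualACL (Get-Acl 'C:\PLACEHOLDER\share') -CorrectACL $allowAcl -IncludeAccessControlType
```

Run as a script, the first call reports the two ACLs as matching, because FileSystemRights, IdentityReference and the inheritance flags are all equal; the second call reports a mismatch, because AccessControlType differs. This is the Deny case from the first comment, and the "-ne $NULL" style check from the same comment is what makes the result independent of how many difference objects Compare-Object emits.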