PowerShell to verify ACLs (permissions) on a folder

In my previous post, I showed how to create a new ACL and apply it to a folder. Why apply it to the folder if the folder is already set correctly? I wrote the following function to compare the ACLs of a folder to a desired set of ACLs (either created by hand (lines 3-12) or copied from an existing folder (lines 12-15)).

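function JBMURPHY-PERMS-ArePermsCorrect {
    Param([parameter(Mandatory = $true)]$Path,
          [parameter(Mandatory = $true)]$CorrectACL,
          [switch]$ShowCorrect)

    # Read the ACL currently applied to the folder
    $folderACLs = Get-Acl (Get-Item $Path)
    # Compare each access rule on the listed properties (AccessControlType is not among them).
    # @() forces an array so .Count is always defined, whatever Compare-Object returns.
    $differences = @(Compare-Object $($folderACLs.Access) $($CorrectACL.Access) -Property FileSystemRights,IdentityReference,InheritanceFlags,PropagationFlags)
    if ($differences.Count -gt 0) {
        Write-Host "$Path is INCORRECT"
        return $false
    }
    else {
        if ($ShowCorrect.IsPresent) { Write-Host "$Path is correct" }
        return $true
    }
}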

If the Compare-Object command returns nothing, then the two ACLs are the same. If they are not the same, the number of items returned will be greater than 0, and the first branch of the conditional will be used.
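The comparison described above, as an added example that is not part of the original post: it goes one step further by also comparing AccessControlType, and shows on two in-memory ACLs (Allow versus Deny, otherwise identical) what the shorter property list misses. `Get-AclDifference` and `New-TestAcl` are hypothetical helper names, and the example assumes Windows, where these .NET access-control types are available.

```powershell
# Added example: the ACL objects are constructed in memory; nothing on disk is read or changed.
# Get-AclDifference and New-TestAcl are hypothetical helper names, not the post's function.
function Get-AclDifference {
    param(
        [Parameter(Mandatory = $true)]$CurrentACL,
        [Parameter(Mandatory = $true)]$CorrectACL,
        [string[]]$Property = @('FileSystemRights', 'AccessControlType', 'IdentityReference',
                                'InheritanceFlags', 'PropagationFlags')
    )
    # One object is returned per rule that exists on only one side.
    Compare-Object @($CurrentACL.Access) @($CorrectACL.Access) -Property $Property
}

function New-TestAcl {
    param([System.Security.AccessControl.AccessControlType]$Type)
    # S-1-5-32-545 is the well-known SID of BUILTIN\Users.
    $users   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, $rights, $inherit, $prop, $Type
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.AddAccessRule($rule)
    $acl
}

$desired = New-TestAcl -Type Allow   # intended state: Users are allowed FullControl
$current = New-TestAcl -Type Deny    # actual state: Users are denied FullControl

# Property list without AccessControlType, as in the function above
$postProps = 'FileSystemRights', 'IdentityReference', 'InheritanceFlags', 'PropagationFlags'

# @() keeps .Count meaningful whether zero, one or many differences come back
$missed = @(Get-AclDifference $current $desired -Property $postProps)
$found  = @(Get-AclDifference $current $desired)

"Without AccessControlType: $($missed.Count) difference(s)"
"With AccessControlType:    $($found.Count) difference(s)"
$found | Format-Table SideIndicator, AccessControlType, IdentityReference, FileSystemRights -AutoSize
```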


Comments

4 responses to “PowerShell to verify ACLs (permissions) on a folder”

  1. Jeremy Saunders

    Nice function. However, I found that it’s not 100% reliable, especially when checking for AccessControlType of Deny.

    $ACLDifferences = compare-object $($CurrentACL.access) $($NewACL.access) -property FileSystemRights,AccessControlType,IdentityReference,InheritanceFlags,PropagationFlags
    If ($ACLDifferences -ne $NULL) {
    # reapply the ACL here…
    }

    Cheers,
    Jeremy.

  2. jbmurphy

    Thanks! I never use a deny. I ALWAYS get screwed by it later. But thanks for the update!

  3. Jeremy Saunders

    I don’t disagree about the Deny permissions, but there is a method to my madness, which I must blog about one of these days 🙂

    Cheers,
    Jeremy.

  4. jbmurphy

    I actually re-did my function and used your “-ne $NULL” method. It was much more reliable as you suggested! Thanks.