Friday, January 20, 2017

PowerShell Module to Retrieve ACLs from Different Sources

Hi folks,

In this post I shared a PowerShell module that can be used to manage and report NTFS permissions on disk drives, files and folders. However, I was also looking for a good way to report Active Directory ACLs and ACEs with PowerShell. The Get-Acl cmdlet wouldn't suffice, as it reports extended permissions on AD as ExtendedRight without any clear details. Here you can download a PowerShell module that lets you manage ACLs and ACEs not only on the file system but also on printers, the registry and, most importantly, AD.
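As an added example (not code from the module or from the original post), this is the manual lookup that plain Get-Acl leaves to you: mapping the ObjectType GUID on each ExtendedRight ACE to its name in the Extended-Rights container. It assumes the ActiveDirectory module is installed and reuses the sample DN that appears later in this post.

```powershell
# Added example: resolve ExtendedRight ACEs returned by Get-Acl to readable names.
# Assumes the ActiveDirectory module (RSAT); $dn is the sample object from this post.
Import-Module ActiveDirectory

$dn = "CN=SERVER01,OU=Servers,DC=CONTOSO,DC=COM"

# Extended rights are stored as controlAccessRight objects in the Configuration
# partition; their rightsGuid is the GUID that shows up in the ACE's ObjectType.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
             -LDAPFilter "(objectClass=controlAccessRight)" `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# The AD: drive is provided by the ActiveDirectory module.
(Get-Acl -Path "AD:\$dn").Access |
    # GenericAll contains the ExtendedRight bit, so full-control ACEs are listed too.
    Where-Object { $_.ActiveDirectoryRights -band $extendedRight } |
    ForEach-Object {
        if ($_.ObjectType -eq [guid]::Empty) {
            # An empty ObjectType means the ACE covers every extended right.
            $name = "All extended rights"
        } elseif ($rightNames.ContainsKey($_.ObjectType)) {
            $name = $rightNames[$_.ObjectType]
        } else {
            $name = "Unknown ($($_.ObjectType))"
        }
        [pscustomobject]@{
            Principal     = $_.IdentityReference.Value
            Type          = $_.AccessControlType
            ExtendedRight = $name
            Inherited     = $_.IsInherited
        }
    } |
    Sort-Object Principal, ExtendedRight |
    Format-Table -AutoSize
```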

Just like the NTFS module, this module needs to be installed on the server or computer on which you are running it. You will need to unzip the downloaded files and copy the module and its related files to %Windir%\System32\WindowsPowerShell\v1.0\Modules. Before that, you will need to create a folder named PowerShellAccessControl. The code below should do the installation magic.

New-Item "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerShellAccessControl" -Type Directory
Copy-Item "C:\Scripts\PowerShellAccessControl\*" "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerShellAccessControl"

You can read more about the cmdlets in the module at the link published below, where they are described in the article. Before running any cmdlet, you first need to import the module into your PowerShell session:

Import-Module PowerShellAccessControl

There are a bunch of cmdlets in the module. I will show you just a couple of the samples you are likely to need, and you can find your own way from there.

This command will get AD permission from

Get-ADObject "CN=SERVER01,OU=Servers,DC=CONTOSO,DC=COM" | Get-AccessControlEntry

(You can also use Get-ADUser, Get-ADGroup and other cmdlets from the Active Directory PowerShell module to get the AD input object.)

Finally, another sample below retrieves permissions for the same object for a particular user or group:

Get-ADObject "CN=SERVER01,OU=Servers,DC=CONTOSO,DC=COM" | Get-AccessControlEntry | Where-Object {$_.Principal -eq "Contoso\ContosoAdmins"}

I will let you explore this module further by yourselves and I hope you will find it to be useful.

