
I want to replace the following CMD command with a Powershell command:

Icacls.exe "%SystemDrive%\xxx" /grant *S-X-X-XX-XXX:(CI)(OI)(F) /t /c

I also know how to do this with Icacls, but I think there is a nicer way to do it with the PowerShell.

I would be happy if someone could help me in this regard. :-) Thanks.

rene
    You are not saying what you've searched for. For example, using 'PowerShell Icacls.exe replacement'. You'll see in virtually all cases, icacls is still the tool of choice in PowerShell scripts. There is nothing wrong with continuing to use existing tools, and in some cases they are far more direct and performant. We all love PowerShell here, but use the right tool for the needed use case. PowerShell does provide Get-Acl and Set-Acl cmdlets to use, but the point of 'but I think there is a nicer way to do it with the PowerShell' can be just a matter of choice vs value. – postanote Apr 05 '20 at 21:48

1 Answer


The built-in help files provide you the guidance for this.

Set-Acl Changes the security descriptor of a specified item, such as a file or a registry key.

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-Acl).Parameters
(Get-Command -Name Get-Acl).Parameters.Keys
<#
# Results

Path
InputObject
LiteralPath
Audit
AllCentralAccessPolicies
Filter
Include
Exclude
...
#>
Get-help -Name Get-Acl -Examples
<#
# Results

Get-Acl C:\Windows

Get-Acl -Path "C:\Windows\k*.log" | 
Format-List -Property PSPath, Sddl

Get-Acl -Path "C:/Windows/k*.log" -Audit | 
ForEach-Object { $_.Audit.Count }

Get-Acl -Path "HKLM:\System\CurrentControlSet\Control" |
Format-List

Get-Acl -InputObject (Get-StorageSubsystem -Name S087)
#>
Get-help -Name Get-Acl -Full
Get-help -Name Get-Acl -Online


(Get-Command -Name Set-Acl).Parameters
(Get-Command -Name Set-Acl).Parameters.Keys
<#
# Results

Path
InputObject
LiteralPath
AclObject
CentralAccessPolicy
ClearCentralAccessPolicy
Passthru
Filter
Include
Exclude
...
#>
Get-help -Name Set-Acl -Examples
<#
# Results

$DogACL = Get-Acl -Path "C:\Dog.txt"

Set-Acl -Path "C:\Cat.txt" -AclObject $DogACL

Get-Acl -Path "C:\Dog.txt" | 
Set-Acl -Path "C:\Cat.txt"

$NewAcl = Get-Acl File0.txt

Get-ChildItem -Path "C:\temp" -Recurse -Include "*.txt" -Force | 
Set-Acl -AclObject $NewAcl
#>
Get-help -Name Set-Acl -Full
Get-help -Name Set-Acl -Online

There are other modules on Microsoft's PowerShellGallery.com for you to leverage as well.

Find-Module -Name '*acl*', '*ntfs*' | 
Format-Table -AutoSize
<#
# Results

Version     Name                    Repository Description
-------     ----                    ---------- -----------
1.0.1       ACL-Permissions         PSGallery  A couple of ACL utilities, for repairing c...
1.30.1.28   ACLReportTools          PSGallery  Provides Cmdlets for reporting on Share ACLs.
1.7         ACLHelpers              PSGallery  Modules to help work with ACLs (Access Control Rights)
1.0.1.0     ACLCleanup              PSGallery  A set of tools to help you clean your files...
0.1.2       ACLTools                PSGallery  Module for managing NTFS Acls on files and folders
...
0.4         FileAclTools            PSGallery  Tools for quickly fixing file system ACLs
...
4.2.6       NTFSSecurity            PSGallery  Windows PowerShell Module for managing file ...
1.4.1       cNtfsAccessControl      PSGallery  The cNtfsAccessControl module contains DSC re...
1.0         NTFSPermissionMigration PSGallery  This module is used as a wrapper to the popular ...
#>

So, for what you are showing

# Review current settings
Get-Acl -Path $env:SystemDrive | 
Format-List -Force
<#
# Results

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\system32
Owner  : NT SERVICE\TrustedInstaller
Group  : NT SERVICE\TrustedInstaller
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  Modify, Synchronize
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  Modify, Synchronize
         BUILTIN\Users Allow  -1610612736
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         NT SERVICE\TrustedInstaller Allow  268435456
         NT SERVICE\TrustedInstaller Allow  FullControl
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  -1610612736
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
         APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  -1610612736
Audit  : 
Sddl   : O:S-1-5-80-956008885-34...
#>

Description

The Set-Acl cmdlet changes the security descriptor of a specified item, such as a file or a registry key, to match the values in a security descriptor that you supply.

To use Set-Acl, use the Path or InputObject parameter to identify the item whose security descriptor you want to change. Then, use the AclObject or SecurityDescriptor parameters to supply a security descriptor that has the values you want to apply. Set-Acl applies the security descriptor that is supplied. It uses the value of the AclObject parameter as a model and changes the values in the item's security descriptor to match the values in the AclObject parameter.

Parameters

-AclObject

Specifies an ACL with the desired property values. Set-Acl changes the ACL of the item specified by the Path or InputObject parameter to match the values in the specified security object.

You can save the output of a Get-Acl command in a variable and then use the AclObject parameter to pass the variable, or type a Get-Acl command.

Type: Object
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

So, you just do something like this... as per the above examples

$AclSettings = 'WhatEverSettingsYouWant'
Set-Acl -Path $env:SystemDrive -AclObject $AclSettings

A similar question on StackOverflow is here:

Setting Inheritance and Propagation flags with set-acl and Powershell

Then there is this guidance:

Here's the MSDN page describing the flags and what is the result of their various combinations. https://msdn.microsoft.com/en-us/library/ms229747(v=vs.100).aspx

InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit

PropagationFlags.None

Here's some succinct PowerShell code to apply new permissions to a folder by modifying its existing ACL (Access Control List).

# Get the ACL for an existing folder
$existingAcl = Get-Acl -Path 'C:\DemoFolder'

# Set the permissions that you want to apply to the folder
$permissions = $env:username, 'Read,Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

# Create a new FileSystemAccessRule object
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permissions

# Modify the existing ACL to include the new rule
$existingAcl.SetAccessRule($rule)

# Apply the modified access rule to the folder
$existingAcl | Set-Acl -Path 'C:\DemoFolder'
<#
Each of the values in the $permissions variable list pertains to the parameters of this constructor for the FileSystemAccessRule class.
#>
postanote
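As an added example that is not part of postanote's answer: the icacls line from the question translated into Get-Acl/Set-Acl, covering the (CI)(OI)(F) flags, the /t recursion and the /c continue-on-error behaviour. The folder name, the SID (BUILTIN\Users stands in for the masked S-X-X-XX-XXX) and the Grant-Rule helper are assumptions, not anything from the page.

```powershell
# Added example (not from the answer above): a Set-Acl equivalent of
#   icacls "%SystemDrive%\xxx" /grant *S-X-X-XX-XXX:(CI)(OI)(F) /t /c
# Folder and SID are placeholders; substitute your own before running.
$folder = Join-Path $env:SystemDrive 'xxx'
$sid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # placeholder SID (BUILTIN\Users)

# One rule for directories: (CI)(OI) = ContainerInherit, ObjectInherit; (F) = FullControl.
# A second, flag-free rule for files: a file's security descriptor rejects inheritance flags.
$dirRule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$fileRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $sid, 'FullControl', 'None', 'None', 'Allow'

# Hypothetical helper: merge one ACE into an item's existing ACL, like icacls /grant does.
function Grant-Rule {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.AddAccessRule($Rule)      # AddAccessRule merges; SetAccessRule would replace the identity's ACEs
    Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
}

# Top-level folder: with inheritance enabled this alone flows down to new and existing children.
Grant-Rule -Path $folder -Rule $dirRule

# /t: also stamp the ACE on every existing child (covers items with inheritance disabled).
# /c: report the error and keep going rather than stopping at the first failure.
Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try {
            Grant-Rule -Path $path -Rule $(if ($_.PSIsContainer) { $dirRule } else { $fileRule })
        } catch {
            Write-Warning "Skipped $path : $($_.Exception.Message)"
        }
    }

# Verify: list the explicit ACEs on the folder keyed by SID, so the new grant is visible
# even when the SID does not resolve to a friendly account name.
(Get-Acl -LiteralPath $folder).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
```

Run it from an elevated session on a test folder first; Set-Acl also honours -WhatIf if you want to preview the writes.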