Retrieving the Security Descriptor for an Object
The Get-Acl cmdlet enables you to retrieve the security descriptor (access control list) for a file, a folder, or even a registry key. Note that, in order to view complete information for an object, you should pipe the results of Get-Acl through the Format-List cmdlet. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:
Get-Acl c:\scripts | Format-List
The resulting display will look something like this:
Path   : Microsoft.Windows PowerShell.Core\FileSystem::C:\scripts
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow FullControl
         NT AUTHORITY\SYSTEM Allow FullControl
         FABRIKAM\kenmyer Allow FullControl
         CREATOR OWNER Allow 268435456
         BUILTIN\Users Allow ReadAndExecute, Synchronize
         BUILTIN\Users Allow AppendData
         BUILTIN\Users Allow CreateFiles
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
         A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
         48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
         ;CIID;DC;;;BU)
Had we called Get-Acl without piping the results through Format-List, the resulting display would have looked more like this:
Path                                Owner                   Access
----                                -----                   ------
Microsoft.Windows PowerShell.Co...  BUILTIN\Administrators  FABRIKAM\kenmyer Allow ...
Not quite as easy to decipher, to say the least.
Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:
Get-Acl HKCU:\Software\Microsoft\Windows
You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:
Get-Acl c:\scripts\*.log | Format-List
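The list view above is meant for reading. When you review who can write to a folder, it is easier to treat each access rule as an object. The following is an added example, not part of the original article: the function name Get-BroadWriteAce and the choice of "broad" groups (Everyone, Authenticated Users, BUILTIN\Users) are assumptions, and it handles file system paths only, not registry keys.

```powershell
# Added example; Get-BroadWriteAce is an illustrative name, not a built-in cmdlet.
function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)

    # Assumed "broad" principals, matched by well-known SID so the check is
    # locale-independent: Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    # Generic rights have no FileSystemRights name, which is why Get-Acl shows
    # CREATOR OWNER's right as the raw number 268435456 (0x10000000).
    $generic = [ordered]@{
        GenericAll     = 0x10000000
        GenericExecute = 0x20000000
        GenericWrite   = 0x40000000
        GenericRead    = 0x80000000   # parsed as Int32 -2147483648
    }
    $writeNames = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $fsWrite    = [System.Security.AccessControl.FileSystemRights]$writeNames
    $writeMask  = [int]$fsWrite -bor $generic.GenericAll -bor $generic.GenericWrite
    $sidType    = [System.Security.Principal.SecurityIdentifier]

    foreach ($acl in Get-Acl -Path $Path) {
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $mask  = [int]$ace.FileSystemRights
            $names = @($generic.Keys | Where-Object { $mask -band $generic[$_] })
            $named = $mask -band 0x0FFFFFFF          # strip the generic bits
            if ($named) {
                $names += [string][System.Security.AccessControl.FileSystemRights]$named
            }
            [pscustomobject]@{
                Path       = ($acl.Path -split '::', 2)[-1]   # drop provider prefix
                Sid        = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $names -join ', '
                Inherited  = $ace.IsInherited
                BroadWrite = ($ace.AccessControlType -eq 'Allow') -and
                             ($broadSids -contains $ace.IdentityReference.Value) -and
                             [bool]($mask -band $writeMask)
            }
        }
    }
}

# Runs against a folder that exists on any Windows host; wildcards such as
# C:\Scripts\*.log work as well because -Path is passed straight to Get-Acl.
Get-BroadWriteAce -Path $env:TEMP | Format-Table -AutoSize
```

On the C:\Scripts folder shown earlier, the two BUILTIN\Users entries for AppendData and CreateFiles would come back with BroadWrite set to True, and the CREATOR OWNER entry would show GenericAll instead of 268435456.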