A filesystem access control entry (ACE) uses the System.Security.AccessControl.FileSystemRights enumeration to describe the rights it grants or denies.
PowerShell can list each of the member names using the GetNames (or GetValues) static method of the Enum type:

```powershell
[Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
```

The MSDN documentation for FileSystemRights is the best place to find the meaning of each of the individual flags.
FileSystemRights is a bit field (a flags enumeration), so a value can be tested and combined with the bitwise operators in the same way as FileAttributes earlier in this chapter, and PowerShell presents a combined value as a comma-separated list of member names. A large number of combinations are possible; the graphical user interface shows only a small number of them before heading into the Advanced dialog. These options are shown in the following table:
GUI option           | Filesystem rights
---------------------|----------------------------
Full control         | FullControl
Modify               | Modify, Synchronize
Read and execute     | ReadAndExecute, Synchronize
List folder contents | ReadAndExecute, Synchronize
Read                 | Read, Synchronize
Write                | Write, Synchronize
The previous table shows that Read and execute and List folder contents have the same value. This is, simply put, because the access mask is the same. The difference is in the inheritance flags:
GUI option           | Inheritance flags
---------------------|----------------------------------
Read and execute     | ContainerInherit, ObjectInherit
List folder contents | ContainerInherit
In all other cases, the inheritance flags are set to ContainerInherit, ObjectInherit. Propagation flags are set to None for all examples.
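Because FileSystemRights is a flags value, the useful questions ("what does Modify actually contain?", "does this ACE include Delete?") are answered with mask tests rather than by comparing names. The following is an added example, not code from the book; the function names Expand-FileSystemRights and Test-FileSystemRights are my own and assume PowerShell 5 or later for `using namespace`.

```powershell
using namespace System.Security.AccessControl

# List the single-bit members of FileSystemRights that a value contains.
# Composite members (Read, Write, Modify, ReadAndExecute, FullControl) are
# skipped because they would only repeat their parts; alias names that share
# a value (ReadData and ListDirectory, for example) are both reported.
function Expand-FileSystemRights {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)

    foreach ($name in [Enum]::GetNames([FileSystemRights])) {
        $bit = [int][FileSystemRights]$name
        # A power of two has exactly one bit set, so ($bit -band ($bit - 1)) is 0.
        $isSingleBit = ($bit -band ($bit - 1)) -eq 0
        if ($isSingleBit -and (([int]$Rights -band $bit) -eq $bit)) {
            $name
        }
    }
}

# True when every bit of $Required is present in $Rights. Comparing flags
# values with -eq (or looking for a name in the ToString() output) is not
# reliable; the mask has to be tested.
function Test-FileSystemRights {
    param(
        [Parameter(Mandatory)][FileSystemRights]$Rights,
        [Parameter(Mandatory)][FileSystemRights]$Required
    )
    ([int]$Rights -band [int]$Required) -eq [int]$Required
}

# The GUI's "Modify" is Modify plus Synchronize. Expanding it shows that it
# already includes Delete, WriteAttributes and ReadPermissions.
Expand-FileSystemRights 'Modify, Synchronize'

Test-FileSystemRights -Rights 'Modify, Synchronize' -Required Delete
Test-FileSystemRights -Rights 'Modify, Synchronize' -Required ChangePermissions

# What separates Modify from Full control: the bits FullControl has that
# "Modify, Synchronize" lacks are DeleteSubdirectoriesAndFiles,
# ChangePermissions and TakeOwnership. XOR works here because every bit of
# Modify and Synchronize is also part of FullControl.
$missing = [FileSystemRights](
    [int][FileSystemRights]::FullControl -bxor [int][FileSystemRights]'Modify, Synchronize'
)
$missing
```

The first test returns True and the second False; the last statement prints the three rights that Modify does not carry, which is exactly why an ACE that only needs to edit files should be Modify rather than Full control.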
Using these, a full control ACE can be created using one of the constructors for FileSystemAccessRule. Each argument is a string that PowerShell converts to the corresponding enumeration value:

```powershell
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'DOMAIN\User',                      # Identity reference
    'FullControl',                      # FileSystemRights
    'ContainerInherit, ObjectInherit',  # InheritanceFlags
    'None',                             # PropagationFlags
    'Allow'                             # ACE type (allow or deny)
)
```
This ACE can be added to the existing ACL of a folder, which is then written back with Set-Acl:

```powershell
$acl = Get-Acl C:\Temp\ACL5
$acl.AddAccessRule($ace)
Set-Acl C:\Temp\ACL5 -AclObject $acl
```
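The table of GUI options and the three steps above (build the ACE, add it to the ACL, write the ACL back) combine into a small helper that takes the label a user would pick on the Security tab and verifies the result by reading the ACL back from disk. This is an added example, not code from the book; the names New-GuiAccessRule, Add-GuiAccessRule and $GuiPermission are my own, the scratch folder under $env:TEMP is chosen so the caller owns it and can write its DACL, and BUILTIN\Users is used as the identity because it exists on every Windows installation. It assumes PowerShell 5 or later.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# GUI option -> the rights and inheritance flags the Security tab writes for a
# folder. PropagationFlags is None in every case.
$GuiPermission = @{
    'Full control'         = @{ Rights = 'FullControl';                 Inheritance = 'ContainerInherit, ObjectInherit' }
    'Modify'               = @{ Rights = 'Modify, Synchronize';         Inheritance = 'ContainerInherit, ObjectInherit' }
    'Read and execute'     = @{ Rights = 'ReadAndExecute, Synchronize'; Inheritance = 'ContainerInherit, ObjectInherit' }
    'List folder contents' = @{ Rights = 'ReadAndExecute, Synchronize'; Inheritance = 'ContainerInherit' }
    'Read'                 = @{ Rights = 'Read, Synchronize';           Inheritance = 'ContainerInherit, ObjectInherit' }
    'Write'                = @{ Rights = 'Write, Synchronize';          Inheritance = 'ContainerInherit, ObjectInherit' }
}

# Build the FileSystemAccessRule that the GUI would create for $Permission.
function New-GuiAccessRule {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)]
        [ValidateSet('Full control', 'Modify', 'Read and execute', 'List folder contents', 'Read', 'Write')]
        [string]$Permission,
        [AccessControlType]$Type = 'Allow'
    )
    $p = $GuiPermission[$Permission]
    # Explicit casts pick the (string, FileSystemRights, InheritanceFlags,
    # PropagationFlags, AccessControlType) constructor overload unambiguously.
    [FileSystemAccessRule]::new(
        $Identity,
        [FileSystemRights]$p.Rights,
        [InheritanceFlags]$p.Inheritance,
        [PropagationFlags]::None,
        $Type
    )
}

# Add the rule to the folder's ACL, write it back, then confirm it is really
# on disk. The stored ACE holds a SID, so the comparison is done on SIDs
# rather than on the account name that was passed in.
function Add-GuiAccessRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Permission,
        [AccessControlType]$Type = 'Allow'
    )
    $rule = New-GuiAccessRule -Identity $Identity -Permission $Permission -Type $Type
    $acl  = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    $sid = $rule.IdentityReference.Translate([SecurityIdentifier])
    # includeExplicit = $true, includeInherited = $false: only ACEs set here.
    $applied = (Get-Acl -Path $Path).GetAccessRules($true, $false, [SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.FileSystemRights  -eq $rule.FileSystemRights -and
            $_.InheritanceFlags  -eq $rule.InheritanceFlags -and
            $_.PropagationFlags  -eq $rule.PropagationFlags -and
            $_.AccessControlType -eq $rule.AccessControlType
        }
    if (-not $applied) {
        throw "Rule '$Permission' for $Identity was not found on $Path after Set-Acl"
    }
    $applied
}

# Scratch folder: created by the caller, so the caller owns it and may change its DACL.
$folder = New-Item -Path (Join-Path $env:TEMP 'AclDemo') -ItemType Directory -Force
Add-GuiAccessRule -Path $folder.FullName -Identity 'BUILTIN\Users' -Permission 'List folder contents'
```

Reading the ACL back is the check worth keeping: Set-Acl only succeeds if the caller holds WRITE_DAC (or owns the object), and the Security tab will show the new entry as "Special permissions" rather than the expected label if the inheritance flags do not match the table, so verifying InheritanceFlags as well as FileSystemRights catches the List folder contents versus Read and execute mix-up.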