Filesystem rights

The filesystem access control entry uses the System.Security.AccessControl.FileSystemRights enumeration to describe the different rights that might be granted.

PowerShell is able to list each name using the GetNames (or GetValues) static methods of the Enum type:

[System.Security.AccessControl.FileSystemRights].GetEnumNames()

PowerShell can also be used to show the names, numeric values, and even the binary values associated with each. Several of these rights are composites, such as Write, which summarizes CreateFiles, AppendData, WriteExtendedAttributes, and WriteAttributes:

[System.Security.AccessControl.FileSystemRights].GetEnumValues() | ForEach-Object {
    [PSCustomObject]@{
        Name   = $_
        Value  = [Int]$_
        Binary = [Convert]::ToString([Int32]$_, 2).PadLeft(32, '0')
    }
}

Microsoft Docs is a better place to find a descriptive meaning of each of the different flags: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights?view=netframework-4.7.2. This is a bit field, and can therefore be treated in the same way as FileAttributes earlier in this chapter. The simplest way to present rights is as a comma-separated list. There are a large number of possible combinations; the graphical user interface shows a small number of these before heading into Advanced. These options are shown in the following table:

GUI option             Filesystem rights
---------------------  ---------------------------
Full control           FullControl
Modify                 Modify, Synchronize
Read and execute       ReadAndExecute, Synchronize
List folder contents   ReadAndExecute, Synchronize
Read                   Read, Synchronize
Write                  Write, Synchronize

The previous table shows that both Read and execute and List folder contents have the same value. This is because the access mask is the same; the difference is in the inheritance flags:

GUI option             Inheritance flags
---------------------  -------------------------------
Read and execute       ContainerInherit, ObjectInherit
List folder contents   ContainerInherit

In all other cases, the inheritance flags are set to ContainerInherit, ObjectInherit. Propagation flags are set to None for all examples.

Using these, a full control ACE can be created using one of the constructors for FileSystemAccessRule:

$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'DOMAIN\User',                      # Identity reference
    'FullControl',                      # FileSystemRights
    'ContainerInherit, ObjectInherit',  # InheritanceFlags
    'None',                             # PropagationFlags
    'Allow'                             # ACE type (allow or deny)
)

This ACE can be applied to an ACL:

$acl = Get-Acl C:\Temp\ACL5
$acl.AddAccessRule($ace)
Set-Acl C:\Temp\ACL5 -AclObject $acl
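The two tables above can be turned into a small classifier. The following is an added example rather than code from the book: Get-GuiOptionName reports which GUI option an ACE corresponds to, using the inheritance flags to tell Read and execute from List folder contents, and Expand-FileSystemRights lists the single-bit flags inside a composite right such as Write. Function names and the DOMAIN\User principal are this example's own; it assumes PowerShell 5 or later.

```powershell
# Added example, not code from the book. Function names are hypothetical.
using namespace System.Security.AccessControl

function Expand-FileSystemRights {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)

    $mask = [int]$Rights
    foreach ($name in [FileSystemRights].GetEnumNames()) {
        $bit = [int][FileSystemRights]$name
        # Keep single-bit members (powers of two) that are set in the mask. Aliases
        # that share a bit, such as WriteData and CreateFiles, are both reported.
        if ($bit -ne 0 -and ($bit -band ($bit - 1)) -eq 0 -and ($mask -band $bit) -eq $bit) {
            [PSCustomObject]@{ Name = $name; Value = $bit }
        }
    }
}

function Get-GuiOptionName {
    param([Parameter(Mandatory)][FileSystemAccessRule]$Ace)

    $rights = [int]$Ace.FileSystemRights
    if ($rights -eq [int][FileSystemRights]::FullControl) { return 'Full control' }

    # The GUI always adds Synchronize; strip it so 'Modify, Synchronize' matches Modify.
    $mask = $rights -band -bnot [int][FileSystemRights]::Synchronize
    $both = [InheritanceFlags]'ContainerInherit, ObjectInherit'

    switch ($mask) {
        ([int][FileSystemRights]::Modify)         { return 'Modify' }
        ([int][FileSystemRights]::Read)           { return 'Read' }
        ([int][FileSystemRights]::Write)          { return 'Write' }
        ([int][FileSystemRights]::ReadAndExecute) {
            # Same access mask for both options; only the inheritance flags differ.
            if ($Ace.InheritanceFlags -eq $both) { return 'Read and execute' }
            if ($Ace.InheritanceFlags -eq [InheritanceFlags]::ContainerInherit) {
                return 'List folder contents'
            }
        }
    }
    return 'Special permissions'
}

# Constructed ACEs for a hypothetical principal; no file system access is needed.
$readExec = [FileSystemAccessRule]::new('DOMAIN\User', 'ReadAndExecute, Synchronize',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$listOnly = [FileSystemAccessRule]::new('DOMAIN\User', 'ReadAndExecute, Synchronize',
    'ContainerInherit', 'None', 'Allow')
Get-GuiOptionName -Ace $readExec
Get-GuiOptionName -Ace $listOnly
Expand-FileSystemRights -Rights Write | Format-Table
```

Running Get-GuiOptionName over the Access property of an ACL returned by Get-Acl gives a quick way to spot ACEs that do not map onto any of the six basic GUI options.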