ACL on a folder

Hello PowerShell gurus,

I’m a newb on Powershell, looking for a function/script that accomplishes the following:

Input is a folder or UNC path (get-childitem)
The output should look like this (csv format, I need to import it in Excel or Access later on), i.e. an entry for each user/group that has access to the folder.

“d:\MyPath\MyFolder”,“NT AUTHORITY\SYSTEM”,“Allow”,“Full Control”
“d:\MyPath\MyFolder”,“ACME\Domain Admins”,“Allow”,“Full Control”

I think it would require to rewrite the scriptproperty ‘AccessToString’ from the get-ACL cmdlet.
Anyone know how to do this (or has another neat solution) ?


Here’s a simple example:

$Path = 'D:\MyPath\MyFolder'
$CSVPath = 'C:\MyPath\Acl.csv'
$ACL = Get-Acl -Path $Path 

foreach ($Entry in $ACL.Access)
        Path = $Path
        IdentityReference = $Entry.IdentityReference
        AccessControlType = $Entry.AccessControlType
        FileSystemRights  = $Entry.FileSystemRights
    } | Export-Csv -Path $CSVPath -NoTypeInformation

If you want to make a reuseable function though, you can take Matt’s excellent example a little further:

Function Get-FolderACL{[cmdletbinding[]]


        $Directory = Get-Acl -Path $Path

        ForEach[$Dir in $Directory.Access]{
                Path = $Path
                Group = $Dir.IdentityReference
                AccessType = $Dir.AccessControlType
                Rights = $Dir.FileSystemRights


Jeff Hicks just wrote an excellent article on building advanced functions. I highly recommend you give it a read:

You should also check Raimund Andrée’s "File System Security PowerShell Module 3.2.2 " on Microsoft’s website.

He updated it about two weeks ago. I had built a number of functions similar to yours, but will now use this module instead.

What if we need not only the .identityreference property but also all members in case it is a group? How do get this out? Can we somehow incorporate the below in the get-acl code?

{Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Adminis'" Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_Group | select -ExpandProperty Caption}

Also when to use [PSCustomObject]@{} rather than Select-Object @{}?

Thank you all for your input; it has been very helpful.
I’m definitely going to look into the Filesystem security module, because it seems to address some issues I came accross too (e.g. long pathnames)