Get ACL Applies To

I feel like this is a pretty dumb question but I’m completely stumped. I have a script to generate an ACL report but there’s one property I’m stuck on - Applies to. It looks like it “should” be the PropagationFlags property from Get-ACL but I can’t make sense of it. Oftentimes, PropagationFlags is empty (None) when it’s “This folder, subfolders and files” or “This folder and subfolders”. A flag of “InheritOnly” seems to translate to “Subfolders and files only” and “Subfolders only”. Any ideas on how to enumerate “Applies to” from PowerShell?

You can’t. It’s a “feature” of Windows Explorer. In other words, you’d have to create it yourself. It’s basically an “at this folder level this is what this ACE applies to”.

I guess I should say you technically can. It directly ties to InheritanceFlags, IsInherited and PropagationFlags, but it gets a bit complicated.

Can you think of any way to implement some WMI magic or something else as a workaround? I was really surprised when I first Googled this and found nothing. Seems like some PS genius would have solved this by now.

Regardless, thanks for the input.

The value is calculated on the fly by Windows Explorer; it’s not available in any dataset.

Boo Microsoft. Thanks again.

I’ve not used it, but there is an NTFS Security module and the examples for the Get-NTFSAccess cmdlet show an ‘Applies to’ column.

Fantastic! Thank you very much!

I feel like I’m a little closer but still stuck. Get-NTFSAccess can report the “Applied to” data enumerated, but it’s not in any way exportable. I can’t find a way to write it to a variable as a string. I can’t even get the raw propagation flags. Any idea how I could get the “Applied to” setting back as a string?
$acl = Get-NTFSAccess -Path "C:"
$acl[0]

What’s the output of:

$acl | Get-Member

When posting code and output, please use the </> button to format it. If you can’t see the button on the toolbar, it will be under the gear icon.

Hello Matt, thanks for your help. I can’t imagine my response would be different from anyone else’s but to answer your question…

$acl | get-member

   TypeName: Security2.FileSystemAccessRule2

Name                          MemberType     Definition
----                          ----------     ----------
Equals                        Method         bool Equals(System.Object obj)
GetHashCode                   Method         int GetHashCode()
GetType                       Method         type GetType()
ToSimpleFileSystemAccessRule2 Method         Security2.SimpleFileSystemAccessRule ToSimpleFileSystemAccessRule2()
ToString                      Method         string ToString()
AccessControlType             Property       System.Security.AccessControl.AccessControlType AccessControlType {get;}
AccessRights                  Property       Security2.FileSystemRights2 AccessRights {get;}
Account                       Property       Security2.IdentityReference2 Account {get;}
FullName                      Property       string FullName {get;set;}
InheritanceEnabled            Property       bool InheritanceEnabled {get;set;}
InheritanceFlags              Property       System.Security.AccessControl.InheritanceFlags InheritanceFlags {get;}
InheritedFrom                 Property       string InheritedFrom {get;set;}
IsInherited                   Property       bool IsInherited {get;}
Name                          Property       string Name {get;}
PropagationFlags              Property       System.Security.AccessControl.PropagationFlags PropagationFlags {get;}
AccountType                   ScriptProperty System.Object AccountType {get=if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.ToLower().…

Looks slightly different than Get-Acl output. The data you want is likely in AccessRights, so $acl.AccessRights

I had a look at the source code for the module and that column is generated dynamically by the formatter - it’s not actually a property of the object that’s returned.
Looking at the source code, we can see it’s generated by this method call

[Security2.FileSystemSecurity2]::ConvertToApplyTo($_.InheritanceFlags, $_.PropagationFlags)

in NTFSSecurity.format.ps1xml

Using that knowledge, we can define a type extension for the session that adds the information as a property to the object, allowing export:

$Script = '[Security2.FileSystemSecurity2]::ConvertToApplyTo($this.InheritanceFlags, $this.PropagationFlags)'

$TypeData = @{
    TypeName   = 'Security2.FileSystemAccessRule2'
    MemberName = 'AppliesTo'
    MemberType = 'ScriptProperty'
    Value      = [scriptblock]::Create($Script)
}

Update-TypeData @TypeData

Get-NTFSAccess E:\Temp | Select-Object Account, AccessRights, AppliesTo, AccessControlType
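The same idea works without the NTFSSecurity module: the “Applies to” text is a pure function of the InheritanceFlags and PropagationFlags that Get-Acl already returns, so it can be rebuilt in plain PowerShell. The following is an added example, not code from the thread or from the module; the function name Get-AppliesTo and the path C:\Temp are assumptions.

```powershell
# Added example (not from the thread): rebuild Explorer's "Applies to" column
# from the flags Get-Acl already exposes, so an ACL report can export it.
function Get-AppliesTo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.InheritanceFlags]$InheritanceFlags,
        [Parameter(Mandatory)]
        [System.Security.AccessControl.PropagationFlags]$PropagationFlags
    )
    $ci = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    # InheritOnly removes "This folder" from the text; NoPropagateInherit is the
    # separate "only apply to objects/containers within this container" checkbox.
    $inheritOnly = $PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $noPropagate = $PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)

    $text = if (-not $ci -and -not $oi) {
        # Nothing to inherit, so InheritOnly has no effect here.
        'This folder only'
    } elseif ($ci -and $oi) {
        if ($inheritOnly) { 'Subfolders and files only' } else { 'This folder, subfolders and files' }
    } elseif ($ci) {
        if ($inheritOnly) { 'Subfolders only' } else { 'This folder and subfolders' }
    } else {
        if ($inheritOnly) { 'Files only' } else { 'This folder and files' }
    }
    if ($noPropagate) { $text += ' (one level only)' }
    return $text
}

# Attach it as a ScriptProperty on the rule type Get-Acl returns for directories,
# mirroring the Update-TypeData approach above. The function must be defined in
# the session (dot-source this file) before the property is evaluated.
$TypeData = @{
    TypeName   = 'System.Security.AccessControl.FileSystemAccessRule'
    MemberName = 'AppliesTo'
    MemberType = 'ScriptProperty'
    Value      = { Get-AppliesTo $this.InheritanceFlags $this.PropagationFlags }
    Force      = $true
}
Update-TypeData @TypeData

# C:\Temp is a placeholder path; AppliesTo now exports like any other property.
(Get-Acl -Path 'C:\Temp').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, AppliesTo
```

Because AppliesTo is now a real property on each rule, Export-Csv and Select-Object carry it through, and a report can flag ACEs whose scope quietly reaches subfolders and files.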

Now that’s sexy. Well done, Matt.


Unbelievably awesome! Thank you very much!