I feel like this is a pretty dumb question but I’m completely stumped. I have a script to generate an ACL report but there’s one property I’m stuck on - Applies to. It looks like it “should” be the PropagationFlags property from Get-ACL but I can’t make sense of it. Oftentimes, PropagationFlags is empty (None) when it’s “This folder, subfolders and files” or “This folder and subfolders”. A flag of “InheritOnly” seems to translate to “Subfolders and files only” and “Subfolders only”. Any ideas on how to enumerate “Applies to” from PowerShell?
You can’t. It’s a “feature” of Windows Explorer. In other words you’d have to create it yourself. It’s basically an “at this folder level this is what this ACE applies to”.
I guess I should say you technically can. It directly ties to InheritanceFlags, IsInherited and propagationFlags but it gets a bit complicated
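As an added illustration of that relationship (this is example code I wrote for this thread, not something posted by the participants or shipped with any module): the four combinations the question describes, plus the remaining ones, can be derived from InheritanceFlags and PropagationFlags with nothing but Get-Acl. The function and parameter names are my own; the mapping follows the documented meaning of the two flag enums. IsInherited is reported alongside so a reviewer can tell an ACE set on the folder from one flowing down from a parent.

```powershell
# Added example, not from the thread. Maps an ACE's InheritanceFlags/PropagationFlags
# pair to the "Applies to" text Explorer displays, using only Get-Acl.
function ConvertTo-AppliesTo {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.InheritanceFlags]$InheritanceFlags,
        [Parameter(Mandatory)][System.Security.AccessControl.PropagationFlags]$PropagationFlags
    )
    $container   = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $object      = $InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $inheritOnly = $PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)

    # InheritOnly means the ACE is not applied to the folder it sits on, only to children.
    if ($inheritOnly) {
        if ($container -and $object) { return 'Subfolders and files only' }
        if ($container)              { return 'Subfolders only' }
        if ($object)                 { return 'Files only' }
        return 'None (InheritOnly with no inheritance flags; this ACE has no effect)'
    }
    if ($container -and $object) { return 'This folder, subfolders and files' }
    if ($container)              { return 'This folder and subfolders' }
    if ($object)                 { return 'This folder and files' }
    return 'This folder only'
}

# Hypothetical report helper: one row per ACE, ready for Export-Csv.
function Get-AppliesToReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path         = $Path
            Account      = $ace.IdentityReference.Value
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType
            AppliesTo    = ConvertTo-AppliesTo $ace.InheritanceFlags $ace.PropagationFlags
            # NoPropagateInherit is the "Only apply these permissions to objects and/or
            # containers within this container" checkbox; Explorer keeps the same text.
            OneLevelOnly = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
            IsInherited  = $ace.IsInherited
        }
    }
}

# Constructed self-check against the cases described in the question.
$cases = @(
    @{ I = 'ContainerInherit, ObjectInherit'; P = 'None';        Expect = 'This folder, subfolders and files' },
    @{ I = 'ContainerInherit';                P = 'None';        Expect = 'This folder and subfolders' },
    @{ I = 'ContainerInherit, ObjectInherit'; P = 'InheritOnly'; Expect = 'Subfolders and files only' },
    @{ I = 'ContainerInherit';                P = 'InheritOnly'; Expect = 'Subfolders only' },
    @{ I = 'None';                            P = 'None';        Expect = 'This folder only' }
)
foreach ($c in $cases) {
    $got = ConvertTo-AppliesTo -InheritanceFlags $c.I -PropagationFlags $c.P
    if ($got -ne $c.Expect) { throw "Mapping mismatch for $($c.I)/$($c.P): got '$got'" }
}

# Usage (path is a placeholder):
Get-AppliesToReport -Path 'C:\Temp' | Export-Csv -Path .\acl-report.csv -NoTypeInformation
```

The AppliesTo string alone does not capture NoPropagateInherit, which is why the report carries it as a separate column; an ACE that reads "This folder, subfolders and files" but is limited to one level grants noticeably less than the text suggests.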
Can you think of any way to implement some WMI magic or something else as a workaround? I was really surprised when I first Googled this and found nothing. Seems like some PS genius would have solved this by now.
Regardless, thanks for the input.
The value is calculated on the fly by Windows Explorer, it’s not available in any dataset
Boo Microsoft. Thanks again.
I’ve not used it, but there is an NTFS Security module and the examples for the Get-NTFSAccess cmdlet show an ‘Applies to’ column.
Fantastic! Thank you very much!
I feel like I’m a little closer but still stuck. Get-NTFSAccess can report the “Applied to” data enumerated, but it’s not in any way exportable. I can’t find a way to write it to a variable as a string. I can’t even get the raw propagation flags. Any idea how I could get the “Applied to” setting back as a string?
```powershell
$acl = Get-NTFSAccess -Path "C:"
$acl[0]
```

What’s the output of:

```powershell
$acl | Get-Member
```
When posting code and output, please use the </> button to format it. If you can’t see the button on the toolbar, it will be under the gear icon.
Hello Matt, thanks for your help. I can’t imagine my response would be different from anyone else’s but to answer your question…
```
$acl | get-member

   TypeName: Security2.FileSystemAccessRule2

Name                          MemberType     Definition
----                          ----------     ----------
Equals                        Method         bool Equals(System.Object obj)
GetHashCode                   Method         int GetHashCode()
GetType                       Method         type GetType()
ToSimpleFileSystemAccessRule2 Method         Security2.SimpleFileSystemAccessRule ToSimpleFileSystemAccessRule2()
ToString                      Method         string ToString()
AccessControlType             Property       System.Security.AccessControl.AccessControlType AccessControlType {get;}
AccessRights                  Property       Security2.FileSystemRights2 AccessRights {get;}
Account                       Property       Security2.IdentityReference2 Account {get;}
FullName                      Property       string FullName {get;set;}
InheritanceEnabled            Property       bool InheritanceEnabled {get;set;}
InheritanceFlags              Property       System.Security.AccessControl.InheritanceFlags InheritanceFlags {get;}
InheritedFrom                 Property       string InheritedFrom {get;set;}
IsInherited                   Property       bool IsInherited {get;}
Name                          Property       string Name {get;}
PropagationFlags              Property       System.Security.AccessControl.PropagationFlags PropagationFlags {get;}
AccountType                   ScriptProperty System.Object AccountType {get=if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.ToLower().…
```
Looks slightly different than Get-Acl output. The data you want is likely in AccessRights, so $acl.AccessRights
I had a look at the source code for the module and that column is generated dynamically by the formatter - it’s not actually a property of the object that’s returned.
Looking at the source code, we can see it’s generated by this method call

```powershell
[Security2.FileSystemSecurity2]::ConvertToApplyTo($_.InheritanceFlags, $_.PropagationFlags)
```

in NTFSSecurity.format.ps1xml
Using that knowledge, we can define a type extension for the session that adds the information as a property to the object, allowing export:
```powershell
$Script = '[Security2.FileSystemSecurity2]::ConvertToApplyTo($this.InheritanceFlags, $this.PropagationFlags)'
$TypeData = @{
    TypeName   = 'Security2.FileSystemAccessRule2'
    MemberName = 'AppliesTo'
    MemberType = 'ScriptProperty'
    Value      = [scriptblock]::Create($Script)
}
Update-TypeData @TypeData

Get-NTFSAccess E:\Temp | Select-Object Account, AccessRights, AppliesTo, AccessControlType
```
Now that’s sexy. Well done Matt.
Unbelievably awesome! Thank you very much!