PowerShell Scripts, Tips, Expert Advices, Forums, and Resources


Welcome to PowerShell.com, the educational and community site for Windows PowerShell People. Get a quick overview.

Latest Scripts

12-18-2014 - users
12-16-2014 - Get-RegistryTimestamp
12-15-2014 - Get-ComPath

Latest Announcements/Events

10-31-2014 - Using PowerShell to download Teched Europe 2014 content
10-15-2014 - Class Dismissed
10-12-2014 - The Case for PowerShell

As a Powershell.com member you will have access to:

  • Daily PowerShell tips written by Microsoft MVPs and other leading Windows PowerShell experts
  • Free Windows PowerShell advice and training provided by Microsoft MVPs and other leading Windows PowerShell experts
  • Access to leading Windows PowerShell blogs
  • A free ebook, Mastering PowerShell, written by Microsoft MVP Dr. Tobias Weltner

PowerTip of the Day

Replacing NTFS Permissions with SDDL Information

All PowerShell versions

With Get-Acl, you can output the security information from files and folders as plain text in SDDL format (Security Descriptor Definition Language):

$FolderToRead = 'C:\folder1'

$securityDescriptor = Get-Acl -Path $FolderToRead
$securityDescriptor.GetSecurityDescriptorSddlForm('All') 

You could pipe the SDDL to the clipboard, and then paste it into another script:

$FolderToRead = 'C:\folder1'

$securityDescriptor = Get-Acl -Path $FolderToRead
$securityDescriptor.GetSecurityDescriptorSddlForm('All') | clip.exe 

Add the SDDL to a script like this, for example (note that SDDL is always a single line, so do not add line breaks):

$sddl = 'O:S-1-5-21-2649034417-1209187175-3910605729-1000G:S-1-5-21-2649034417-1209187175-3910605729-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)'


$FolderToConfigure = 'C:\folder2'

$securityDescriptor = Get-Acl -Path $FolderToConfigure
$securityDescriptor.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $FolderToConfigure -AclObject $securityDescriptor 

By inserting SDDL into a script, you no longer need the template folder that you used to generate the SDDL. You can now apply the security information to other file system objects, set basic NTFS permissions, or change the SDDL before you apply it.

For some inspiration: in a domain migration scenario, you could create a translation table that maps old SIDs to new SIDs. Then replace the old SIDs in the SDDL with the new SIDs, and clone the recorded security information to objects in a new (or test) domain.
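One way to implement the SID translation table described above, as an added example that is not part of the original tip. The function name Convert-SddlSid, the $sidMap table and the new-domain SIDs are hypothetical and constructed for illustration; the input is the SDDL string recorded earlier in the tip.

```powershell
# Added example. Convert-SddlSid and the new-domain SIDs are constructed.
function Convert-SddlSid {
    param(
        [Parameter(Mandatory=$true)] [string]    $Sddl,
        [Parameter(Mandatory=$true)] [hashtable] $SidMap   # old SID -> new SID
    )

    $unmapped = @{}

    # Replace whole SIDs only. A plain string replace of '...-1000' would also
    # rewrite the front of '...-10001' and produce a different, wrong SID.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m)
        $sid = $m.Value
        if ($SidMap.ContainsKey($sid)) { return [string]$SidMap[$sid] }
        # Domain- or machine-relative SIDs without a mapping will not resolve
        # in the target domain, so collect them for review.
        if ($sid -like 'S-1-5-21-*') { $unmapped[$sid] = $true }
        return $sid
    }
    $translated = [regex]::Replace($Sddl, 'S-1-\d+(?:-\d+)+', $evaluator)

    # Parse the result; a malformed SDDL string throws here, not at Set-Acl.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $translated

    New-Object PSObject -Property @{
        Sddl         = $translated
        UnmappedSids = @($unmapped.Keys)
    }
}

# SDDL recorded in the tip above (owner and group are SIDs from the old domain)
$sddl = 'O:S-1-5-21-2649034417-1209187175-3910605729-1000G:S-1-5-21-2649034417-1209187175-3910605729-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)'

# Constructed translation table: old SID -> SID of the matching principal in the new domain
$old = 'S-1-5-21-2649034417-1209187175-3910605729'
$new = 'S-1-5-21-1111111111-2222222222-3333333333'
$sidMap = @{
    "$old-1000" = "$new-1104"
    "$old-513"  = "$new-513"
}

$result = Convert-SddlSid -Sddl $sddl -SidMap $sidMap
if ($result.UnmappedSids.Count -gt 0) {
    Write-Warning ('No mapping for: ' + ($result.UnmappedSids -join ', '))
}
$result.Sddl
```

Pass `$result.Sddl` to SetSecurityDescriptorSddlForm and Set-Acl exactly as in the tip, and only once UnmappedSids is empty, so that no ACE is left pointing at a SID from the old domain.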


Copyright 2012 PowerShell.com. All rights reserved.