Need to export ACL permissions from all the containers in each storage account i.e. Gen2. Any suggestions?
You can use the below command to export the ACL permissions from all containers in storage accounts.
# Sign in to Azure
Connect-AzAccount

# Enumerate every storage account in the current subscription
$storageAccounts = Get-AzStorageAccount

$results = foreach ($storageAccount in $storageAccounts) {
    $containers = Get-AzStorageContainer -Context $storageAccount.Context
    foreach ($container in $containers) {
        # With no -Path, this returns the root directory of the filesystem (container)
        $filesystem = Get-AzDataLakeGen2Item -Context $storageAccount.Context -FileSystem $container.Name
        $s = $storageAccount.StorageAccountName
        $r = $storageAccount.ResourceGroupName
        $filesystemname = $container.Name
        # Flatten the ACL entries so each container fits in one CSV row
        $aclpermission = $filesystem.ACL.Permissions -join ","
        $aclaccesscontroltype = $filesystem.ACL.AccessControlType -join ","
        [PSCustomObject]@{
            StorageAccountName   = $s
            ResourceGroupName    = $r
            ContainerName        = $filesystemname
            ACLpermission        = $aclpermission
            ACLaccesscontroltype = $aclaccesscontroltype
        }
    }
}

# Write one row per container
$results | Export-Csv -Path "output.csv" -NoTypeInformation
The above script gets all the storage accounts and containers, then checks and fetches the ACL permissions and access control type from the Gen2 accounts.
Windows Access Control Lists (ACLs) are an essential feature for managing permissions and security in the Windows operating system. They provide a detailed mechanism for defining who can access or modify objects, such as files, folders, and registry keys, and what actions they are allowed to perform on these objects. Here’s a detailed overview of Windows ACLs:
Components of Windows ACLs
Files and Folders: Common objects that have ACLs.
Registry Keys: Specific keys within the Windows Registry.
Each object that can have permissions assigned to it has a security descriptor.
The security descriptor contains the ACL.
Access Control Entries (ACEs):
An ACL is made up of multiple ACEs.
ACEs can be allow or deny entries.
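The relationship described above (object, security descriptor, ACL, ACEs) can be inspected with Get-Acl. This is an added example, not part of the original text: it lists every ACE on a folder and flags allow entries that give a broad group write-type rights. The path `C:\Demo`, the function name `Get-AceReport` and the list of broad principals are assumptions.

```powershell
# Added example: walk the ACEs in a folder's security descriptor.
# Get-AceReport, the default principal list and C:\Demo are illustrative assumptions.
function Get-AceReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Rights that let a principal change content, permissions or ownership.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE | GENERIC_ALL, which Get-Acl shows as raw numbers on some inherit-only ACEs.
    $genericMask = 0x50000000

    $sd = Get-Acl -LiteralPath $Path        # the object's security descriptor
    foreach ($ace in $sd.Access) {          # each entry in the ACL is one ACE
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)
        [PSCustomObject]@{
            Path       = $Path
            Owner      = $sd.Owner
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType     # Allow or Deny
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            BroadWrite = ($ace.AccessControlType -eq 'Allow') -and $canWrite -and
                         ($BroadPrincipals -contains $ace.IdentityReference.Value)
        }
    }
}

# Deny entries sort first, then allow entries.
Get-AceReport -Path 'C:\Demo' | Sort-Object Type -Descending | Format-Table -AutoSize
```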
PowerShell Script Set ACL in NTFS
takeown /F "\\Server\Share\My Folder" /A
$ACL = Get-Acl -Path "\\Server\Share\My Folder"
$Account = New-Object System.Security.Principal.NTAccount("Builtin\Administrators")
$ACL.SetOwner($Account)
Set-Acl -Path "\\Server\Share\My Folder" -AclObject $ACL
Since MS wants to move everyone to PowerShell I would assume that the PowerShell way is preferred, but I vaguely remember seeing a situation where Set-Acl did not work but takeown did. Is there functionally a difference between these two ways and if so, which is the recommended method?
EDIT: if this question is better suited for StackOverflow I can move it there.
asked Dec 6, 2023 at 8:03
Tanaka Saito
takeown will also choke out on long path names like many cmd tools, but PowerShell can use extended-length paths like Get-Acl -LiteralPath \\?\C:\folder\file.txt
answered Dec 6, 2023 at 22:22
Set-Acl is a PowerShell command, and takeown is a Command Prompt command.
Command Prompt commands also work in PowerShell, but their output is not structured to easily work with PowerShell.
Given you are using PowerShell, Set-Acl would be the preferred method to use.
answered Dec 6, 2023 at 8:53
Synopsis
Gets Certification Authority’s Access Control List (ACL).
Syntax
Get-CertificationAuthorityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Description
Gets Certification Authority’s Access Control List (ACL). This ACL controls the access level to the specified CA server.
Parameters
-CertificationAuthority <CertificateAuthority[]>
Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
<CommonParameters>
Examples
Example 1
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl
Retrieves the current Access Control List from the CA server installed on “ca01.company.com”.
Example 2
PS C:\> $ACE = @(New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Add-CertificationAuthorityAcl -AccessRule $ACE | Set-CertificationAuthorityAcl -RestartCA
First two lines create new access control entries:
— first creates ACE for John Wayne and grants him CA manager permissions.
— second creates ACE for John Smith and grants him certificate manager permissions.
Third line retrieves current ACL from CA server, adds new access control entries and writes them to CA configuration. After command completion CA services will be restarted to immediately apply changes.
Example 3
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -User "jsmith","JohnWayne" | Set-CertificationAuthorityAcl -RestartCA
This example retrieves current access control list from CA server installed on “ca01.company.com”, removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration.
After command completion CA services will be restarted to immediately apply changes.
Example 4
PS C:\> $ACE = New-Object SysadminsLV.PKI.Security.AccessControl.CertSrvAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -User "jsmith" | Add-CertificationAuthorityAcl -AccessRule $ACE | Set-CertificationAuthorityAcl -RestartCA
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Add-CertificationAuthorityAcl
Remove-CertificationAuthorityAcl
Set-CertificationAuthorityAcl
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions
Here are some quick examples on configuring NTFS permissions using PowerShell. The first example is using the takeown.exe and icacls.exe commands driven by PowerShell, and the second example is using the takeown.exe and native Get-Acl and Set-Acl PowerShell cmdlets.
Credits: Thanks to Gary Blok for showing me the Get-Acl and Set-Acl PowerShell cmdlets.
Option #1 – Having PowerShell use takeown.exe and icacls.exe
# Configure folder to change permissions on
$Path = "C:\Demo"
# Optional - Backing up the Access Control Lists (ACLs)
& icacls.exe @($Path, "/save", "`"C:\Windows\Temp\NTFS.acl`"", "/T")
# Assign yourself as an owner of the folder
& takeown.exe @("/F", $Path, "/R")
# Grant the builtin administrators group full control permissions to the folder
& icacls.exe @($Path, "/grant", "`"BUILTIN\Administrators`":(F)", "/T")
Option #2 – Combining takeown.exe and Native Get-Acl and Set-Acl cmdlets
# Configure folder to change permissions on
$Path = "C:\Demo"
# Assign yourself as an owner of the folder
& takeown.exe @("/F", $Path, "/R")
# Grant the builtin administrators group full control permissions to the folder
$ACL = Get-Acl -Path $Path
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow")
$ACL.SetAccessRule($AR)
Set-Acl -Path $Path -AclObject $ACL
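The three-argument FileSystemAccessRule in Option #2 carries no inheritance flags, so the rule covers the folder itself only, whereas Option #1 uses /T to touch everything below it. The following added example (not the blog author's code) writes an inheritable rule instead, keeps the previous DACL as SDDL for rollback, and reads the result back; the function names, `$BackupFile` and its path are assumptions.

```powershell
# Added example, not the blog author's code. $Path and $BackupFile are assumed values.
$Path       = 'C:\Demo'
$BackupFile = 'C:\Windows\Temp\Demo-dacl.sddl'

function Set-InheritableFullControl {
    param([string]$Path, [string]$Identity, [string]$BackupFile)

    # Keep the current DACL as SDDL text so the change can be rolled back.
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -LiteralPath $BackupFile

    # Five-argument constructor: ContainerInherit + ObjectInherit make the ACE
    # flow down to subfolders and files instead of covering this folder only.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'FullControl', $inherit, $propagate, 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the descriptor back and return the explicit ACE that was written.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

function Restore-FolderDacl {
    param([string]$Path, [string]$BackupFile)
    $acl  = Get-Acl -LiteralPath $Path
    $sddl = (Get-Content -LiteralPath $BackupFile -Raw).Trim()
    # Replace only the DACL; owner and group stay as they are now.
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Set-InheritableFullControl -Path $Path -Identity 'BUILTIN\Administrators' -BackupFile $BackupFile
# Restore-FolderDacl -Path $Path -BackupFile $BackupFile   # roll back if needed
```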