Ace'ing ACLs

By Josh Corrick

Elevator Pitch

Discretionary Access Control Lists (DACLs) are a key part of security for NTFS and Active Directory. Creating scripts to add or update these permissions can become complicated fast if you do not know how to construct the rules. This talk will dive deep into the elements of DACLs and ACEs.


One of the most unavoidable tasks of being an IT Pro is granting or taking away permissions to a system. Depending on the system, this task can be either easy or tedious. One area where I have personally had difficulty is quickly adding permissions on a File Share, as well as automating the removal of access to an Active Directory OU. While these technologies may seem unrelated, they both share the same style of security controls, called Discretionary Access Control Lists (DACLs). The tools provided for automating these in PowerShell are Get-ACL and Set-ACL, but these can be cumbersome to use without understanding how to build the proper Access Control Entries (ACEs).

This talk will walk you through:
- The concepts of DACLs
- Types of elements needed for ACEs
- Tricks in creating rules to help you excel at routine changes


This will be a more fleshed-out presentation of my community lightning talk given last year at Summit. This talk will have a fair amount of explanation about the mechanics of DACLs, ACEs, and the strictly typed elements used by each. I intend to do demos for both File Systems and Active Directory, as well as talk about the Update-Acl function, which I have created and will be improving for this talk.