Unexpected output from Get-ACL | Select Access

Question

Unexpected output from Get-ACL | Select Access

If I do not Select the Access property, then the contents are displayed as I desire. eg BUILTIN\\Administrators Allow FullControl .

But if I Select the Access property, some sort of object type ( System.Security.AccessControl.FileSystemAccessRule ) gets displayed instead:

PS C:\tmp> Get-Acl .\test | Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::C:\tmp\test
Owner  : EXAMPLE\sjobs
Group  : EXAMPLE\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
         NT AUTHORITY\Authenticated Users Allow  -536805376
Audit  :
Sddl   : REDACTED



PS C:\tmp> Get-Acl .\test | Select Access | Format-List


Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule,
     System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule...}

---

I'm more familiar with bash than PowerShell. But I understand that PowerShell tends to pass objects instead of strings.

Why do these two display Access differently?

More importantly, how do I display only the Access property as I desire?

Answer 1

If you look at the object type, it gives some clues.

PS C:\Users\jacob> $acl = get-acl

PS C:\Users\jacob> $acl.GetType()

IsPublic IsSerial Name                                     BaseType                                                                                              
-------- -------- ----                                     --------                                                                                              
True     False    DirectorySecurity                        System.Security.AccessControl.FileSystemSecurity                                                      

PS C:\Users\jacob> ($acl | select access).getType()

IsPublic IsSerial Name                                     BaseType                                                                                              
-------- -------- ----                                     --------                                                                                              
True     False    PSCustomObject                           System.Object  

With PSCustomObject you can access the property values using .psobject.Properties.value or . notation.

So if we isolate the acesss object $access = $acl | select access $access = $acl | select access and then access the property values we get the information we're after.

PS C:\Users\jacob> $access.PSObject.Properties.Value


FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : SURFACE\jacob
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

In one line:

get-acl .\test | select access | % { $_.PSObject.Properties.Value }

Or we can trim it down to

get-acl .\test | select access | % { $_.Access }

Or finally:

(get-acl .\test | select access).access