$acl = get-acl thefile $sddl_orig = $acl.sddl $new_sddl = $sddl_orig -replace 'S-1-oldsid' 'S-1-newsid' $acl.SetSecurityDescriptorSddlForm($new_sddl) $acl | set-aclYes, this can be condensed to a single line, but as far as I can google, nobody has it:
gci | get-acl | foreach { $_.setsecuritydescriptorsddlform($_.sddl.replace('S-1-oldsid','S-1-newsid'))} | set-acl
