PowerShell: remove all permissions on a folder for a specific user


Solution 1

 $acl = Get-Acl c:\temp
 # RemoveAccessRuleAll matches on user and Allow/Deny only; the rights given here are ignored
 $accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\user","Read","Allow")
 $acl.RemoveAccessRuleAll($accessrule)
 Set-Acl -Path "c:\temp" -AclObject $acl

This should wipe all security rules for the user in c:\temp recursively.

Solution 2

I think the simpler way to do this is to copy the ACL from a file or folder that has the correct permissions and apply it to the folder where you want specific access. Example:

$acl = Get-Acl "/path/to/file_with_correct acl"
$files = Get-ChildItem c:\temp\*.* -Recurse | Set-Acl -AclObject $acl -WhatIf

Remove the -WhatIf parameter to actually modify the ACL.

Or follow this TechNet article and use code like:

# Values used to build the rule that identifies the user's entries
$Right = [System.Security.AccessControl.FileSystemRights]::Read
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType = [System.Security.AccessControl.AccessControlType]::Allow

$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
# Kept on one line, as in the edit mentioned in the comments
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-Acl "d:\test"
# Remove every rule for this user with the same Allow/Deny type, then write the ACL back
$objACL.RemoveAccessRuleAll($objACE)
Set-Acl "d:\test" -AclObject $objACL
Author by

gaponte69

Updated on April 15, 2021
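
A per-item alternative to the two answers above, added here as an example (not code from either answerer): instead of applying one folder's ACL object to every child, it reads each item's own ACL, purges only the explicit Allow and Deny entries for one identity, and writes back only where something changed. `Remove-ExplicitAccess`, the scratch folder under `%TEMP%` and the BUILTIN\Guests SID standing in for the user are assumptions of the example.

```powershell
# Added example; Remove-ExplicitAccess is a hypothetical helper, not a built-in cmdlet.
function Remove-ExplicitAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity
    )
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    # The folder itself first, then every descendant (hidden items included).
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit (non-inherited) ACEs only, identities returned as SIDs.
        $own = @($acl.GetAccessRules($true, $false, $sid.GetType()) |
                 Where-Object { $_.IdentityReference.Value -eq $sid.Value })
        if ($own.Count -eq 0) { continue }   # this item has no ACE of its own for the user
        # Drops every explicit Allow and Deny ACE for the identity, whatever its rights.
        $acl.PurgeAccessRules($sid)
        if ($PSCmdlet.ShouldProcess($item.FullName, "remove $($own.Count) ACE(s) for $sid")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Constructed demo: scratch tree under %TEMP%; S-1-5-32-546 (BUILTIN\Guests) stands in for the user.
$guests = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'
$root = Join-Path $env:TEMP "acl-demo-$PID"
$file = Join-Path $root 'sub\a.txt'
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
Set-Content -LiteralPath $file -Value 'x'
$rule = 'System.Security.AccessControl.FileSystemAccessRule'
$acl = Get-Acl -LiteralPath $root      # inheriting ACE on the root
$acl.AddAccessRule((New-Object $rule -ArgumentList $guests, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $root -AclObject $acl
$acl = Get-Acl -LiteralPath $file      # separate explicit ACE on the file
$acl.AddAccessRule((New-Object $rule -ArgumentList $guests, 'Write', 'Allow'))
Set-Acl -LiteralPath $file -AclObject $acl

Remove-ExplicitAccess -Path $root -Identity $guests
# Count ACEs (explicit or inherited) that still name the identity anywhere in the tree.
$left = @($root; (Get-ChildItem -LiteralPath $root -Recurse -Force).FullName) | ForEach-Object {
    (Get-Acl -LiteralPath $_).GetAccessRules($true, $true, $guests.GetType()) } |
    Where-Object { $_.IdentityReference.Value -eq $guests.Value }
"ACEs still naming ${guests}: $(@($left).Count)"
Remove-Item -LiteralPath $root -Recurse -Force
```

Inherited entries are never edited on the child; they go away when the explicit entry they come from is removed on the parent, which is why the folder is processed first. Running the function with `-WhatIf` lists the items it would change without writing anything.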

Comments

  • gaponte69
    gaponte69 over 2 years

    I need a script or simple PowerShell code for removing all permissions to a folder for a specific user, with the deletion inherited by all the subfolders and files as well - recursively... Thank you in advance!

  • gaponte69
    gaponte69 almost 11 years
    Thank you Kayasax for the reply, but could you please give an example: if, let's say, from the D:\Test path-location, I need to remove all permissions to this folder for the user with name bob...
  • gaponte69
    gaponte69 almost 11 years
    example: $acl= get-acl D:\Test $files= get-childItem $acl -recurce | set-acl -aclobject $acl -whatif.....and where am I specifying the object for the user?! Where do I have to write user bob and where am I defining that I'm removing the permissions...
  • gaponte69
    gaponte69 almost 11 years
    Hi Kayasax, I'm getting the error below on executing this ps1:
  • gaponte69
    gaponte69 almost 11 years
    New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5". At line:7 char:21 + $objACE = New-Object <<<< System.Security.AccessControl.FileSystemAccessRule ` + CategoryInfo : InvalidOperation: (:) [New-Object], MethodException + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
  • gaponte69
    gaponte69 almost 11 years
    Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Value cannot be null. Parameter name: rule" At line:10 char:28 + $objACL.RemoveAccessRuleAll <<<< ($objACE) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException
  • Loïc MICHEL
    Loïc MICHEL almost 11 years
    line edited : $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
  • gaponte69
    gaponte69 almost 11 years
    OK, progress is there, no error, but no access has been deleted. Shall I update the first row from $Right = [System.Security.AccessControl.FileSystemRights]"Read" to $Right = [System.Security.AccessControl.FileSystemRights]"Full"? So my question is how to remove all the given permissions for that user, and recursively for all the subfolders/files under that path... Thank you very much, highly appreciated.
  • gaponte69
    gaponte69 almost 11 years
    Hi Kayasax, thanks one more time for the support. This last code helped, but it is not removing recursively?! Could you please review it once again... Thanks in advance!
  • Loïc MICHEL
    Loïc MICHEL almost 11 years
    really ? this has done the trick on my workstation... you can try ls c:\temp -recurse |set-acl -aclObject $acl
  • gaponte69
    gaponte69 almost 11 years
    you mean trying like this: $acl=get-acl c:\temp $accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("domain\user","Read",,,"Allow") $acl.RemoveAccessRuleAll($accessrule) ls C:\temp -recurse | set-acl -aclObject $acl
  • gaponte69
    gaponte69 almost 11 years
    It seems the last code is working perfectly... it takes much longer, normally, but seems fine... and for giving roles except full control and special permission to one user, we can use the same logic... $acl=get-acl c:\temp $accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("domain\user","Read",,,"Allow") $acl.RemoveAccessRuleAll($accessrule) ls C:\temp -recurse | set-acl -aclObject $acl , we should use AddAccessRule instead of RemoveAccessRuleAll... so it should look like?
  • Aditya Bokade
    Aditya Bokade over 6 years
    I got "Set-Acl : Attempted to perform an unauthorized operation." I am running as administrator. Please help.
  • Loïc MICHEL
    Loïc MICHEL over 6 years
    @AdityaBokade try to take ownership prior to set acl (use takeown.exe )
  • Aditya Bokade
    Aditya Bokade over 6 years
    @LoïcMICHEL One Help Plz. I have created PS Script to create web app on local IIS. On TFS build I created step to run the PS. Upon build it says script executed successfully, but it won't. What could be the reason? stackoverflow.com/questions/43384496/…
  • Jari Turkia
    Jari Turkia about 3 years
    None of this works for .Net Core. Using Set-Acl needs to be done very carefully as it will set the entire security descriptor. SetAccessControl is a smarter choice.