powershell remove all permissions on a folder for a specific user
Solution 1
$acl = Get-Acl c:\temp
# RemoveAccessRuleAll matches on the user and the Allow/Deny type only; the rights value is ignored
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\user","Read","Allow")
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl -Path "c:\temp" -AclObject $acl
This should wipe all security rules for the user in c:\temp recursively.
Solution 2
I think the simpler way to do this is to copy the ACL from a file or folder that has the correct permissions and apply it to the folder where you want specific access. Example:
$acl = Get-Acl "/path/to/file_with_correct acl"
$files = Get-ChildItem c:\temp\*.* -Recurse | Set-Acl -AclObject $acl -WhatIf
Remove the -WhatIf parameter to actually modify the ACL.
Or follow this TechNet article and use code like:
$Right = [System.Security.AccessControl.FileSystemRights]::Read
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "d:\test"
$objACL.RemoveAccessRuleAll($objACE)
Set-ACL "d:\test" -AclObject $objACL
Author: gaponte69
Updated on April 15, 2021
Comments
-
gaponte69 over 2 years
I need a script or simple PowerShell code for removing all permissions on a folder for a specific user, with the deletion inherited by all the subfolders and files as well, recursively... Thank you in advance!
-
gaponte69 almost 11 years
Thank you Kayasax for the reply, but could you please give an example? Let's say that from the D:\Test path-location I need to remove all permissions to this folder for the user named bob...
-
gaponte69 almost 11 years
Example: $acl= get-acl D:\Test $files= get-childItem $acl -recurce | set-acl -aclobject $acl -whatif ..... and where am I specifying the object for the user?! Where do I have to write user bob, and where am I defining that I'm removing the permissions...
-
gaponte69 almost 11 years
Hi Kayasax, I'm getting the error below on executing this ps1:
-
gaponte69 almost 11 years
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "5".
At line:7 char:21
+ $objACE = New-Object <<<< System.Security.AccessControl.FileSystemAccessRule `
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
-
gaponte69 almost 11 years
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Value cannot be null. Parameter name: rule"
At line:10 char:28
+ $objACL.RemoveAccessRuleAll <<<< ($objACE)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
-
Loïc MICHEL almost 11 years
Line edited:
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
-
gaponte69 almost 11 years
OK, progress is there, no error, but no access has been deleted. Shall I update the first row from $Right = [System.Security.AccessControl.FileSystemRights]"Read" to $Right = [System.Security.AccessControl.FileSystemRights]"Full"? So my question is how to remove all the given permissions for that user, recursively on all the subfolders/files under that path... Thank you very much, highly appreciated.
-
gaponte69 almost 11 years
Hi Kayasax, thanks one more time for the support. This last code helped, but it is not removing recursively?! Could you please review it once again? Thanks in advance!
-
Loïc MICHEL almost 11 years
Really? This has done the trick on my workstation... you can try
ls c:\temp -recurse |set-acl -aclObject $acl
-
gaponte69 almost 11 years
You mean trying like this: $acl=get-acl c:\temp $accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("domain\user","Read",,,"Allow") $acl.RemoveAccessRuleAll($accessrule) ls C:\temp -recurse | set-acl -aclObject $acl
-
gaponte69 almost 11 years
It seems the last code is working perfectly... it takes much longer, normally, but seems fine... and for giving roles except full control and special permission to one user, we can use the same logic... $acl=get-acl c:\temp $accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("domain\user","Read",,,"Allow") $acl.RemoveAccessRuleAll($accessrule) ls C:\temp -recurse | set-acl -aclObject $acl , we should use AddAccessRule instead of RemoveAccessRuleAll... so it should look like?
-
Aditya Bokade over 6 years
I got "Set-Acl : Attempted to perform an unauthorized operation." I am running as administrator. Please help.
-
Loïc MICHEL over 6 years
@AdityaBokade try to take ownership prior to setting the ACL (use takeown.exe)
-
Aditya Bokade over 6 years
@LoïcMICHEL One more request for help, please. I have created a PS script to create a web app on local IIS. On the TFS build I created a step to run the PS. Upon build it says the script executed successfully, but it won't. What could be the reason? stackoverflow.com/questions/43384496/…
-
Jari Turkia about 3 years
None of this works for .Net Core. Using Set-Acl needs to be done very carefully as it will set the entire security descriptor. SetAccessControl is a smarter choice.
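An added example, not code from any answer or comment in the thread: it walks the tree and edits each item's own ACL, so only the target account's explicit entries are removed and the other ACEs on child items stay as they were, which piping one folder's ACL into Set-Acl for every child does not guarantee. `Remove-UserAce` is a hypothetical helper name, `D:\Test` and `domain\bob` are the thread's sample values, and Windows with PowerShell 3.0 or later is assumed.

```powershell
function Remove-UserAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. 'D:\Test' (sample value from the thread)
        [Parameter(Mandatory)][string]$Identity   # e.g. 'domain\bob' (sample value from the thread)
    )

    # Resolve to a SID once: a mistyped account fails here, before any ACL is touched,
    # and comparing SIDs avoids mismatches between account-name formats.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType)

    # The root folder itself plus every child file and folder (-Force includes hidden items).
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        # Read this item's own descriptor instead of reusing the root's ACL object.
        $acl = Get-Acl -LiteralPath $item.FullName

        # Explicit (non-inherited) ACEs for the SID. Inherited ones cannot be removed
        # here; they go away when the explicit ACE on the parent is removed.
        $explicit = @($acl.GetAccessRules($true, $false, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value })
        if ($explicit.Count -eq 0) { continue }

        # PurgeAccessRules drops every explicit Allow and Deny ACE for the identity.
        $acl.PurgeAccessRules($sid)

        $action = "Remove $($explicit.Count) explicit ACE(s) for $Identity"
        if ($PSCmdlet.ShouldProcess($item.FullName, $action)) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Dry run first: lists the items that would change. Drop -WhatIf to apply.
Remove-UserAce -Path 'D:\Test' -Identity 'domain\bob' -WhatIf
```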