Remove a user from ACL completely using PowerShell

I wish to remove a user from folder permissions using PowerShell. I have found plenty of examples on how to remove the user permissions but I actually want to remove the user entirely.

The equivalent would be to do the following in Windows Explorer:
1. Right click folder and select Properties.
2. Click Security tab.
3. Click Edit.
4. Highlight user or group.
5. Click Remove.

It is the clicking of remove that I'm trying to mimic in PowerShell.

Thanks in advance.


Solution 1:

As Simon suggested, the following commands will achieve what you're looking for to just remove a specific user or group.

Using the NTFSSecurity module (https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85)

Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Deny -AppliesTo ThisFolderSubfoldersAndFiles
Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

I wrote a little script to remove all security groups from a folder except groups I explicitly excluded.

$path = "C:\Path\To\Folder"

# Every account with an ACE on the folder, except the ones to keep
$users = Get-NTFSAccess $path | Where-Object {$_.Account -ne "DOMAIN\Exclude"} | Select-Object Account

foreach ($user in $users) {
    $removalAccount = $user.Account
    Write-Host "Removing account - $($removalAccount)"
    # Remove both the Allow and the Deny entries so the account disappears from the ACL
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Allow
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Deny
}

Solution 2:

Generally speaking, a combination of Get-Acl and Set-Acl should be able to accomplish what you need. However, Get-Acl has an annoying limitation that can manifest as being unable to write the modified ACL back using Set-Acl due to insufficient permissions (unless you have rights to also change ownership). More info on that problem can be found in this SO question.

In any case, for filesystem permissions you can work around Get-Acl's limitation by using a method from the object returned by Get-Item instead.

$acl = (Get-Item C:\myfolder).GetAccessControl('Access')

If you examine the $acl.Access property of the returned object, you'll find that it's a collection of FileSystemAccessRule objects (a.k.a. ACE objects). Ultimately, you want to find the subset of those ACEs that match the user you're trying to remove and also ignore any that are inherited. You can't actually remove inherited ACEs and even Windows Explorer will tell you as much if you try and remove them using the GUI. In any case, here's how you might get that subset of ACEs.

$acesToRemove = $acl.Access | ?{ $_.IsInherited -eq $false -and $_.IdentityReference -eq 'MYCOMPUTER\myuser' }

Now that you have the ACEs to remove, you just need to remove them from your original ACL and write it back to the folder.

# RemoveAccessRuleAll takes a single rule (not a collection), so loop over the matches
foreach ($ace in $acesToRemove) { $acl.RemoveAccessRuleAll($ace) }
Set-Acl -AclObject $acl C:\myfolder\
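The Get-Item / Set-Acl approach from this answer wrapped into a reusable function, as an added example rather than code from either answer: it removes every explicit ACE for one principal, warns about inherited ACEs it cannot remove, supports -WhatIf, and re-reads the ACL afterwards to confirm the principal is gone. The function name, parameter names and the sample path and account are assumptions.

```powershell
# Added example, not part of the original answers. Tested pattern for Windows PowerShell 5.1,
# where GetAccessControl is an instance method on the DirectoryInfo returned by Get-Item.
function Remove-PrincipalFromFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'MYCOMPUTER\myuser' or 'DOMAIN\Group'
    )

    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')

    # All ACEs for this principal, explicit and inherited
    $matching = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
    if ($matching.Count -eq 0) {
        Write-Verbose "No ACEs for $Identity on $Path"
        return
    }

    # Inherited ACEs come from the parent and cannot be removed here; report them instead
    foreach ($ace in ($matching | Where-Object { $_.IsInherited })) {
        Write-Warning ("Inherited {0} ACE for {1} ({2}) left in place; change it on the parent" -f
            $ace.AccessControlType, $Identity, $ace.FileSystemRights)
    }

    $explicit = @($matching | Where-Object { -not $_.IsInherited })
    if ($explicit.Count -eq 0) { return }

    # RemoveAccessRuleAll takes ONE rule and drops every rule for that identity with the
    # same AccessControlType (Allow or Deny), so calling it once per matching ACE is safe
    foreach ($ace in $explicit) {
        if ($PSCmdlet.ShouldProcess($Path, "Remove $($ace.AccessControlType) ACE for $Identity ($($ace.FileSystemRights))")) {
            $acl.RemoveAccessRuleAll($ace)
        }
    }

    if (-not $WhatIfPreference) {
        Set-Acl -LiteralPath $Path -AclObject $acl

        # Verify: re-read the ACL and fail loudly if an explicit ACE for the principal survived
        $left = @((Get-Item -LiteralPath $Path).GetAccessControl('Access').Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
        if ($left.Count -ne 0) { throw "Explicit ACEs for $Identity are still present on $Path" }
        Write-Verbose "Removed $($explicit.Count) explicit ACE(s) for $Identity from $Path"
    }
}

# Usage (sample values): preview first, then apply
# Remove-PrincipalFromFolderAcl -Path 'C:\myfolder' -Identity 'MYCOMPUTER\myuser' -WhatIf
# Remove-PrincipalFromFolderAcl -Path 'C:\myfolder' -Identity 'MYCOMPUTER\myuser' -Verbose
```

On PowerShell 7 the GetAccessControl call above is an extension method that is not reachable as an instance method, so replace it with Get-Acl (or `[System.IO.FileSystemAclExtensions]::GetAccessControl(...)`) there.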