Remove a user from ACL completely using PowerShell

powershell access-control-list

I wish to remove a user from folder permissions using PowerShell. I have found plenty of examples on how to remove the user permissions but I actually want to remove the user entirely.

The equivalent would be to the do the following in Windows Explorer: 1. Right click folder and select Properties. 2. Click Security tab 3. Click Edit 4. Highlight user or group. 5. Click Remove

It is the clicking of remove that I'm trying to mimic in PowerShell.

Thanks in advance.


Solution 1:

As Simon suggested, the following commands will achieve what you're looking for to just remove a specific user or group.

Using the NTFSSecurity module (https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85)

Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Deny -AppliesTo ThisFolderSubfoldersAndFiles
Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

I wrote a little script to remove all security groups from a folder except groups I explicitly excluded.

$path = "C:\Path\To\Folder"
$users = @{}

$users = Get-NTFSAccess $path | Where-Object {$_.Account -ne "DOMAIN\Exclude"} | Select-Object Account

foreach ($user in $users) {
    $removalAccount = $user.Account
    Write-Host "Removing account - $($removalAccount)"
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Allow
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Deny    
}

Solution 2:

Generally speaking, a combination of Get-Acl and Set-Acl should be able to accomplish what you need. However, Get-Acl has an annoying limitation that can manifest as being unable to write the modified ACL back using Set-Acl due to insufficient permissions (unless you have rights to also change ownership). More info on that problem can be found in this SO question.

In any case, for filesystem permissions you can work around Get-Acl's limitation by using a method from the object returned by Get-Item instead.

$acl = (Get-Item C:\myfolder).GetAccessControl('Access')

If you examine the $acl.Access property of the returned object, you'll find that it's a collection of FileSystemAccessRule objects (a.k.a. ACE objects). Ultimately, you want to find the subset of those ACEs that match the user you're trying to remove and also ignore any that are inherited. You can't actually remove inherited ACEs and even Windows Explorer will tell you as much if you try and remove them using the GUI. In any case, here's how you might get that subset of ACEs.

$acesToRemove = $acl.Access | ?{ $_.IsInherited -eq $false -and $_.IdentityReference -eq 'MYCOMPUTER\myuser' }

Now that you have the ACEs to remove, you just need to remove them from your original ACL and write it back to the folder.

$acl.RemoveAccessRuleAll($acesToRemove)
Set-Acl -AclObject $acl C:\myfolder\

Related

OpenVPN client on Windows 7 - cannot add route from config script
Are there any tools to do change management with Active Directory / Group Policy?
SQL Server: Memory Usage High (7GB) + Page File Usage High (7GB) but CPU Usage (2% to10%) [duplicate]
Connect to WEP Wireless Network by command line on Ubuntu
Automatically run PowerShell script at first boot
Pushing IP routes to various VPN clients
Why does doing large deletes, copies, moves on my ZFS NAS block all other IOs?
How to match selinux rules/transitions/labels/etc to modules
How do I cleanly remove ruby 1.8.7 from CentOS 5?
Hazards of increasing network size by changing the netmask
how to forward wlan0 to eth0?
High load without explanation