Powershell – Remove a user from ACL completely using PowerShell

access-control-listpowershell

I wish to remove a user from folder permissions using PowerShell. I have found plenty of examples on how to remove the user permissions but I actually want to remove the user entirely.

The equivalent would be to the do the following in Windows Explorer:
1. Right click folder and select Properties.
2. Click Security tab
3. Click Edit
4. Highlight user or group.
5. Click Remove

It is the clicking of remove that I'm trying to mimic in PowerShell.

Thanks in advance.

Best Answer

As Simon suggested, the following commands will achieve what you're looking for to just remove a specific user or group.

Using the NTFSSecurity module (https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85)

Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Deny -AppliesTo ThisFolderSubfoldersAndFiles
Remove-NTFSAccess -AccessRights FullControl -Account DOMAIN\Group -Path c:\temp -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

I wrote a little script to remove all security groups from a folder except groups I explicitly excluded.

$path = "C:\Path\To\Folder"
$users = @{}

$users = Get-NTFSAccess $path | Where-Object {$_.Account -ne "DOMAIN\Exclude"} | Select-Object Account

foreach ($user in $users) {
    $removalAccount = $user.Account
    Write-Host "Removing account - $($removalAccount)"
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Allow
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Deny    
}

Related Solutions

File ownership for new files with administrator – why is it giving ownership to the group administrators

Update: This GP setting is no longer available starting with Vista/Server 2008. https://support.microsoft.com/en-us/kb/947721

A Group Policy setting is not available in the security policy settings list on a computer that is running Windows Server 2008
SYMPTOMS
When you try to access the "System objects: Default owner for objects created by members of the Administrators group" Group Policy setting on a computer that is running Windows Vista or newer, this setting is not available in the security policy settings list. When the setting is present in your security group policy, it will be ignored by Windows Vista and newer domain members.
CAUSE
Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 do not support this setting any longer. When enabled, User Account Control (UAC) will ensure the user account is being used as owner for all objects created locally. For remote access, the administrators group will be used there is no restricted token for network sessions.

Since the support for the setting was removed, the system security policy "System objects: Default owner for objects created by members of the Administrators group" setting is not available in the Security Templates user interface anymore.

Have a look in Group Policy for the setting "System objects: Default owner for objects created by members of the Administrators group". It's located under:

Computer Configuration
- Windows Settings
  - Security Settings
    - Local Policies
      - Security Options

When this setting is enabled members of the "Administrators" group will have objects they create set with the owner "Administrators".

To be honest, I'm not immediately sure on Microsoft's rationale for this behaviour, except to say that it would allow for a common ability to reset permissions on objects w/o taking ownership by all "Administrators". I'd guess that was the intent. I'd be interested to see if anybody has a link to an explicit statement of purpose on this setting from Microsoft.

I noticed that this setting's default differs between Windows XP and Windows Server 2003 (here's an article from Microsoft on it http://support.microsoft.com/kb/318825), but I still don't see a statement of purpose behind why you would want things set one way versus the other.

Windows – Fixing “This access control list is not in canonical form” errors from the command line

I was finally able to figure an automated fix for this. When you call PowerShell's Set-Acl cmdlet, it will re-order the ACLs correctly:

$path = C:\Path\To\Item\With\Borked\ACL
$acl = Get-Acl $path
Set-Acl $path $acl

Of course, it could be a parent of the directory that is messed up, so you should do some traversing to find the culprit. Use icacls C:\Path\To\Item\With\Suspect\CL /verify to figure out if something needs repair.

In our environment, Cygwin is the likely culprit: when it creates directories, it likes to give POSIX-style permissions on them, instead of relying on Windows to manage file system security.

Best Answer

Related Solutions

File ownership for new files with administrator – why is it giving ownership to the group administrators

Windows – Fixing “This access control list is not in canonical form” errors from the command line

Related Topic