Reputation: 11
I have to remove all permissions on a directory (and its subdirectories and files) for all ordinary users (i.e. non-administrators).
I have tried the following in PowerShell, but nothing happened:
New-Item "C:\Test" -type Directory
$acl=get-acl "C:\Test"
$inherit=[system.security.accesscontrol.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation=[system.security.accesscontrol.PropagationFlags]"None"
$ar=New-Object system.security.accesscontrol.FileSystemAccessRule("Users","FullControl",$inherit,$propagation,"Allow")
$acl.RemoveAccessRuleAll($ar)
Set-Acl "C:\Test" $acl
If I try with $env:computername\Users (instead of just Users) I get the following error:
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
What identity do I have to pass in order to identify all users?
Upvotes: 1
Views: 11019
Reputation: 2841
This will do it:
function AddNTFSPermissions($path, $object, $permission) {
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
    $Account = New-Object System.Security.Principal.NTAccount($object)
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.AddAccessRule($FileSystemAccessRule)
    Set-ACL $path -AclObject $DirectorySecurity
}

function RemoveNTFSPermissions($path, $object, $permission) {
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
    $Account = New-Object System.Security.Principal.NTAccount($object)
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.RemoveAccessRuleAll($FileSystemAccessRule)
    Set-ACL $path -AclObject $DirectorySecurity
}

function RemoveInheritance($path) {
    $isProtected = $true
    $preserveInheritance = $true
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Set-ACL $path -AclObject $DirectorySecurity
}

# Create folder
$Path = "C:\Test"
New-Item $Path -Type Directory
# Remove permissions
RemoveInheritance $Path
RemoveNTFSPermissions $Path "Authenticated Users" "Modify, ChangePermissions"
RemoveNTFSPermissions $Path "Users" "Modify, ChangePermissions"
Upvotes: 4
Reputation: 72630
First, did you really try with:
$($env:computername\Users)
Can you try:
$(WinNT://WORKGROUP/$env:computername/Utilisateurs)
Have a look at:
$obj = [ADSI]"WinNT://$env:COMPUTERNAME"
$obj.children | where {$_.name -eq "users"} | fl *
Upvotes: 0
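
The sequence from the first answer (break inheritance, then remove the ACEs), written against well-known SIDs rather than group names so that it does not depend on the localized group name the second answer points at. This is an added example, not part of either answer; the function name is hypothetical, and it assumes an elevated session and the C:\Test directory from the question.

```powershell
# Added example, not code from the original posts.
function Remove-OrdinaryUserAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs are the same on every Windows language version,
    # unlike display names such as "Users" or "Utilisateurs".
    $sidStrings = @(
        'S-1-5-32-545'   # BUILTIN\Users
        'S-1-5-11'       # NT AUTHORITY\Authenticated Users
    )

    # Inherited ACEs cannot be removed on the child object, which is why
    # removing rules on a freshly created folder appears to do nothing.
    # Protect the ACL and keep the inherited entries as explicit copies.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read so the copied entries are present as explicit ACEs, then
    # drop every access rule (Allow and Deny) held by each SID.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($s in $sidStrings) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $s
        $acl.PurgeAccessRules($sid)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verification: return any ACE that still names one of those SIDs.
    # An empty result means the removal took effect on this directory.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $sidStrings -contains $_.IdentityReference.Value }
}

$leftover = Remove-OrdinaryUserAccess -Path 'C:\Test'
if ($leftover) {
    Write-Warning "ACEs for ordinary users remain on C:\Test"
    $leftover | Format-List IdentityReference, FileSystemRights, IsInherited
}
```

Files and subdirectories that inherit from the directory pick up the change; children that carry their own explicit ACEs for these groups are not touched and need the same treatment.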