Reputation: 1407
I need a script or simple PowerShell code for removing all permissions to a folder for a specific user, with the deletion inherited by all the subfolders and files as well - recursively... Thank you in advance!
Upvotes: 6
Views: 71013
Reputation: 11
This function that I created will invoke the scriptBlock for you on the target machine to remove the permissions for a user.
function Remove-OGRemoteACL (){
    <#
    .SYNOPSIS
        Invoke a script block on a target to remove ACL permissions
    .DESCRIPTION
        Invoke a script block on a target to change ACL permissions to remove the crazy delay GET-ACL can encounter.
    .PARAMETER serverFQDN
        the server that the script block is run on
    .PARAMETER remotePath
        the UNC path of the share to remove the permissions for the user from.
    .PARAMETER userName
        the user name of the domain user.
    .EXAMPLE
        Remove-OGRemoteACL -serverFQDN "bigserver.awesomedomain.net" -remotePath "\\bigserver.awesomedomain.net\my\amazingShare" -userName "awesomedomain\myuser"
    .NOTES
        Name: Remove-OGRemoteACL
        Author: Richie Schuster - SCCMOG.com
        GitHub: https://github.com/SCCMOG/PS.SCCMOG.TOOLS
        Website: https://www.sccmog.com
        Contact: @RichieJSY
        Created: 2023-03-14
        Updated: -
        Version history:
        1.0.0 - 2023-03-14 Function Created
    #>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=0)]
        [string]$serverFQDN,
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=1)]
        [string]$remotePath,
        [parameter(Mandatory=$True,ValueFromPipeline=$true,Position=2)]
        [string]$userName
    )
    try{
        Write-Verbose "Invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]"
        # -ErrorAction Stop turns remote errors into terminating errors so the catch block below sees them
        Invoke-Command -ComputerName "$($serverFQDN)" -ErrorAction Stop -ScriptBlock {
            # Read the current ACL of the target path on the remote machine
            $acl = Get-Acl $using:remotePath
            $usersid = New-Object System.Security.Principal.Ntaccount("$using:userName")
            # Remove the access rules held by this account, then write the ACL back
            $acl.PurgeAccessRules($usersid)
            $acl | Set-Acl $using:remotePath
        }
        Write-Verbose "Success invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]"
    }
    catch{
        Write-Error "Error - Failed invoking ACL removal command [Server: $($serverFQDN)] [userName: $($userName)] [Path: $($remotePath)]. Error: $($_.Exception.Message)"
    }
}
Example:
Remove-OGRemoteACL -serverFQDN "bigserver.awesomedomain.net" -remotePath "\\bigserver.awesomedomain.net\my\amazingShare" -userName "awesomedomain\myuser" -Verbose
Upvotes: 0
Reputation: 26140
I think the simpler way to do this is to copy the ACL from a file or folder that has the correct permissions and apply it to the folder where you want specific access. Example:
$acl = Get-Acl "/path/to/file_with_correct acl"
$files = Get-ChildItem c:\temp\*.* -Recurse | Set-Acl -AclObject $acl -WhatIf
Remove the -WhatIf parameter to effectively modify the ACL.
Or follow this TechNet article and use code like:
$Right = [System.Security.AccessControl.FileSystemRights]::Read
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("domain\bob")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($objUser, $Right, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "d:\test"
$objACL.RemoveAccessRuleAll($objACE)
Set-ACL "d:\test" -AclObject $objACL
Upvotes: 2
Reputation: 26140
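$acl = Get-Acl c:\temp
# Three-argument constructor (identity, rights, type); the empty ",,," arguments do not parse in PowerShell
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\user","Read","Allow")
# RemoveAccessRuleAll matches rules by identity and access type (Allow here)
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl -Path "c:\temp" -AclObject $acl
This should wipe all security rules for the user in c:\temp recursively.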
Upvotes: 10
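An added example, not taken from any of the answers above: it goes beyond their single-folder snippets by walking the folder and everything beneath it, purging the user's explicit ACEs on each item, with -WhatIf support for a dry run. The function name Remove-UserAclRecursive is hypothetical; the path and account in the usage line are the sample values from the second answer.

```powershell
# Added example (not from the answers above). Remove-UserAclRecursive is a
# hypothetical name; 'D:\test' and 'domain\bob' are sample values.
function Remove-UserAclRecursive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)] [string]$Path,
        [Parameter(Mandatory = $true)] [string]$UserName
    )

    # Resolve to a SID once so a mistyped account fails before any ACL is touched.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # The root item first, then every child folder and file beneath it.
    $items = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop

            # Look only at explicit ACEs; inherited ones go away once the
            # ancestor that defines them has been cleaned.
            $explicit = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq $sid.Value })
            if ($explicit.Count -eq 0) { continue }

            if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($explicit.Count) explicit ACE(s) for $UserName")) {
                # PurgeAccessRules drops both Allow and Deny rules for the identity.
                $acl.PurgeAccessRules($sid)
                Set-Acl -LiteralPath $item.FullName -AclObject $acl -ErrorAction Stop
            }
        }
        catch {
            Write-Warning "Skipped $($item.FullName): $($_.Exception.Message)"
        }
    }
}

# Dry run first; drop -WhatIf to apply the change.
Remove-UserAclRecursive -Path 'D:\test' -UserName 'domain\bob' -WhatIf
```

Access that reaches the user through group membership or through ACEs inherited from above the starting folder is not affected by this; check the effective access afterwards.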