Hi All,

Below is the code which I have for removing a special NTFS permission.

This code is working fine for the ROOT folder (e.g. in my case C:\IBM), but it is not removing the same for the subfolders under it. Please let me know what the issue is here.

If there is any other way, please do suggest it.

What I have tried:

PowerShell
#$PathFile = Get-Content -Path 'C:\ServerFilePath.txt'
$Array = @()
#foreach($paths in $PathFile)
#{
$path = "C:\IBM"
$acl = get-acl $path


##Remove Inheritance from Top Folders and Child Objects

Foreach($folder in $path) { 
#takeown /R /F $path

icacls $folder /reset /t /c /l /q
#icacls $folder /inheritance:d
# Get-ChildItem -Path $folder -Recurse | ?{$_.PSisContainer} | foreach {$subfolder = $_.FullName; icacls $subfolder icacls $folder /reset /t /c /l /q}
}


#sleep -Seconds 10

$acl = get-acl $path


##Remove Inheritance from Top Folders and Child Objects
#Foreach($folder in $path) { 
#takeown /R /F $path
#icacls $folder /reset /t /c /l /q
# icacls $folder /inheritance:d
# Get-ChildItem -Path $folder -Recurse | ?{$_.PSisContainer} | foreach {$subfolder = $_.FullName; icacls $subfolder icacls $folder /reset /t /c /l /q}
#}



# Check the existing rights
$acl.Access | where IdentityReference -Like 'BUILTIN\Users'

# Get a list of the rules to remove
$rules = $acl.access | Where-Object { 
    $_.IsInherited -and 
    $_.IdentityReference -like 'BUILTIN\Users' -and
    $_.FileSystemRights -in 'CreateFiles'
}

$acl.SetAccessRuleProtection($true,$true)


# Remove those rules from the ACL object 
ForEach($rule in $rules) {
    
    $acl.RemoveAccessRule($rule)
    #icacls $folder /inheritance:d
}


# Check that the remaining rules look good:
$recheckpermissions = $acl.Access

# Finally, set the ACL

Set-Acl -Path $path -AclObject $acl


#}
Updated 10-Aug-21 7:17am
Comments
Richard MacCutchan 10-Aug-21 3:28am
   
Try a single command to change the sub folder and see what result you get.

1 solution

You are disabling inheritance on every folder in the path. Each subfolder will have its own set of ACLs, which will potentially be different to the ACL on its parent.

You then modify the ACL on the root directory. Since you've disabled inheritance, this change won't apply to the subfolders. You would need to loop through every subfolder and update its ACL to match.

It sounds like you actually want to enable inheritance, so that all subfolders have the same ACL as the root. To do that, use:
PowerShell
icacls $folder /reset /t /c /l /q
icacls | Microsoft Docs
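
An added example, not part of the original answer or the poster's script: one way to carry out the sequence described above (reset the children to inherit, then strip the unwanted rights on the parent). It assumes an elevated session, and `Remove-UsersCreateRights` is a hypothetical helper name. `RemoveAccessRule` skips entries that are still flagged as inherited, so the protected ACL is written and read back before anything is removed.

```powershell
# Added example; Remove-UsersCreateRights is a hypothetical helper name.
function Remove-UsersCreateRights {
    param(
        [Parameter(Mandatory)] [string] $Path,      # e.g. the C:\IBM root from the question
        [string] $Identity = 'BUILTIN\Users'
    )
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    # Rights to strip. Synchronize is tolerated because .NET adds it to Allow rules.
    $want = [int]($fsr::CreateFiles -bor $fsr::AppendData)
    $mask = $want -bor [int]$fsr::Synchronize

    # Step 1: make every child inherit from $Path again (the answer's command).
    icacls $Path /reset /t /c /l /q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported failures under $Path" }

    # Step 2: protect the parent only, keeping copies of its inherited rules,
    # and persist that so the copies become explicit entries on disk.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 3: re-read the ACL; the copied rules are now explicit and removable.
    $acl = Get-Acl -Path $Path
    $rules = @($acl.Access | Where-Object {
        (-not $_.IsInherited) -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $want) -ne 0 -and          # grants create/append
        ([int]$_.FileSystemRights -band (-bnot $mask)) -eq 0       # and nothing else
    })
    foreach ($rule in $rules) { [void]$acl.RemoveAccessRule($rule) }

    # Step 4: write the parent once; children pick the change up through inheritance.
    Set-Acl -Path $Path -AclObject $acl

    # Return what the identity still holds on the parent, for review.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

Remove-UsersCreateRights -Path 'C:\IBM'
```

Spot-check a subfolder afterwards with `icacls <subfolder>`; its entries should carry the `(I)` marker and no longer list the create or append rights for the identity.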
   
Comments
Empty Coder 10-Aug-21 12:38pm
   
Hi Richard, thanks for the response. The command which you mentioned, how do you want me to use it? Like "icacls $subfolder /inheritance:d" in place of this?
Richard Deeming 10-Aug-21 13:15pm
   
Where you currently have icacls $folder /inheritance:d.

You can remove the Get-ChildItem line from that loop, since the new icacls command will already process all subfolders.
Empty Coder 10-Aug-21 13:18pm
   
Richard, I tried the way you mentioned and updated my code in the question. It is showing the "inherited from" in the folder access but not removing the permission. I tried with $_.FileSystemRights -in 'CreateFiles' and "AppendData" both.
Richard Deeming 11-Aug-21 3:07am
   
You need to understand how NTFS permissions work before you start trying to write code to modify them.

Your original code was disabling inheritance, so that every subfolder had its own ACL, completely separate from the parent folder's ACL.

Your requirement appears to be that you reset the permissions on all subfolders to inherit the permissions from the parent, and then modify the ACL on the parent.

Replacing the /inheritance:d with /reset /t /c /l /q will reset the subfolder permissions to inherit from the parent. You then need to remove the unwanted permissions from the ACL on the parent.
Empty Coder 11-Aug-21 2:54am
   
Richard, can you please help me on this?
Richard Deeming 11-Aug-21 3:05am
   
Have a little patience! You posted your previous comment at around 6PM, and this "hurry up and help me" comment before 8AM.

I guess the volunteers who help people here aren't allowed to sleep?
Empty Coder 11-Aug-21 11:09am
   
Sorry for that, but I didn't mean it that way. Thanks.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


