Removing Selected NTFS Permissions

by May 28, 2014

Sometimes you need to remove specific entries from NTFS permissions. Let's assume you want to remove all permissions for a specific user because the user left the department.

Note: Of course you can manage NTFS permissions per group, and setting permissions per user is typically not a good idea. Still, permissions are often set per user, and the following example script can not only remove such permissions but, with minor adjustments, also serve as an audit tool to find them.

Here is a simple example script. Adjust $Path and $Filter. The script will then scan the folder $Path and all of its subfolders for access control entries that match the $Filter string. It will only process non-inherited ACEs.

The output lists in red the ACEs that will be removed, and in green all direct ACEs that do not match the filter. If the script outputs nothing, the scanned folder tree contains no direct (non-inherited) ACEs.

$Path = 'C:\somefolder'
# 'S-1-5-*' matches identities that no longer resolve to an account name,
# which is how ACEs left behind by deleted accounts show up
$Filter = 'S-1-5-*'

Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {

    # examine the ACL of the current file or folder, not of $Path itself
    $item = $_.FullName
    $acl = Get-Acl -LiteralPath $item
    $found = $false
    foreach($acc in $acl.Access)
    {
        # only direct ACEs can be removed here; inherited ones come from a parent folder
        if ($acc.IsInherited -eq $false)
        {
            $value = $acc.IdentityReference.Value
            if($value -like $Filter)
            {
                Write-Host "Remove $value from $item" -ForegroundColor Red
                $null = $acl.RemoveAccessRule($acc)
                $found = $true
            }
            else
            {
                Write-Host "Skipped $value from $item" -ForegroundColor Green
            }
        }
    }
    if ($found)
    {
        # uncomment this to actually remove ACEs
        # Set-Acl -LiteralPath $item -AclObject $acl -ErrorAction Stop
    }
}
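The audit variant mentioned in the note above, as an added example that is not part of the original tip: it emits one object per matching direct ACE (so the result can be exported as a report), includes the root folder, and only writes ACLs back when -Remove is given, with -WhatIf support so the removal can be rehearsed first. The function name Find-DirectAce, its parameters and the output file name are assumptions made for this example.

```powershell
function Find-DirectAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter = 'S-1-5-*',   # unresolved SIDs, e.g. deleted accounts
        [switch] $Remove
    )
    # the root folder itself plus everything below it
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of $($item.FullName): $_"; continue }
        $changed = $false
        foreach ($ace in $acl.Access) {
            # inherited ACEs are defined on a parent and cannot be removed here
            if ($ace.IsInherited) { continue }
            $identity = $ace.IdentityReference.Value
            if ($identity -notlike $Filter) { continue }
            # one record per matching direct ACE; pipe to Export-Csv for a report
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $identity
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Flags    = $ace.InheritanceFlags
            }
            if ($Remove) {
                $null = $acl.RemoveAccessRule($ace)
                $changed = $true
            }
        }
        # with -WhatIf, ShouldProcess only reports what would be written
        if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, "Remove ACEs matching '$Filter'")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# audit only: list direct ACEs of unresolved SIDs and save them as a report
Find-DirectAce -Path 'C:\somefolder' | Export-Csv -Path .\direct-aces.csv -NoTypeInformation
# rehearse the removal without changing anything
Find-DirectAce -Path 'C:\somefolder' -Remove -WhatIf
```

Run the audit first and review the report; only then run with -Remove (without -WhatIf) to write the cleaned ACLs back.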
