PowerShell script to remove permissions inheritance from a folder then remove Users group access to it

I wanted to remove the Users group from having access to multiple folders. Using PowerShell I was unable to initially remove the Users group, and a quick attempt via the GUI confirmed why: the folder was inheriting its permissions from its parent, the C:\ drive:

[Screenshot: Security tab of the folder, with the inherited permissions greyed out]

The greyed-out permissions above are inherited from the parent container. Trying to remove the Users group generated the warning below:

[Screenshot: warning shown when trying to remove the inherited Users group entry]

Turning off permission inheritance is a very basic admin task via the GUI; however, I wanted to do it via PowerShell, as my ultimate goal was to write a script that removes permissions inheritance from multiple folders. A quick google found this link, which I used to create the simple script below:

$folder = 'C:\Test'

#read the folder's current ACL
$acl = Get-Acl -Path $folder

#first argument: protect the ACL from inheritance; second argument: copy the inherited entries as explicit entries first
$acl.SetAccessRuleProtection($True, $True)

#write the modified ACL back to the folder
Set-Acl -Path $folder -AclObject $acl

Note: More information about SetAccessRuleProtection and its parameters can be found here.

The above performs two actions: it removes inheritance on the folder and, because the second argument to SetAccessRuleProtection is $True, it also preserves the existing permissions by copying the inherited entries as explicit ones. This is the equivalent of selecting the Users group in the Advanced Security Settings tab, then un-checking Include inheritable permissions from this object's parent, per the below:

[Screenshot: Advanced Security Settings with "Include inheritable permissions from this object's parent" un-checked]

This generates the following prompt; clicking Add retains the same permissions:

[Screenshot: Windows Security prompt; clicking Add keeps the existing permissions]

The PowerShell code to remove the Users group's NTFS access to this folder is:

#the account whose entries are to be removed
$objUser = New-Object System.Security.Principal.NTAccount("BUILTIN\USERS")
$colRights = [System.Security.AccessControl.FileSystemRights]"CreateFiles, AppendData"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$folder = 'C:\Test'

#combine the variables into a single filesystem access rule
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

#get the current ACL from the folder
$objACL = Get-Acl -Path $folder

#remove the access permissions from the ACL variable
#RemoveAccessRuleAll matches on the account and the Allow/Deny type only, so every Allow entry for BUILTIN\USERS is removed, whatever rights it holds
$objACL.RemoveAccessRuleAll($objACE)

#remove the permissions from the actual folder by re-applying the modified ACL
Set-Acl -Path $folder -AclObject $objACL

In the GUI, the result of the code above is the removal of the Users group from the Security tab:

[Screenshot: Security tab no longer listing the Users group]

So the full script is:

#the account whose entries are to be removed
$objUser = New-Object System.Security.Principal.NTAccount("BUILTIN\USERS")
$colRights = [System.Security.AccessControl.FileSystemRights]"CreateFiles, AppendData"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$folder = 'C:\Test'

#removes all inheritance for the folder, keeping the inherited entries as explicit entries
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl

#combine the variables into a single filesystem access rule
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

#get the current ACL from the folder (re-read so it contains the explicit entries created above)
$objACL = Get-Acl -Path $folder

#remove the access permissions from the ACL variable
#RemoveAccessRuleAll matches on the account and the Allow/Deny type only, so every Allow entry for BUILTIN\USERS is removed, whatever rights it holds
$objACL.RemoveAccessRuleAll($objACE)

#remove the permissions from the actual folder by re-applying the modified ACL
Set-Acl -Path $folder -AclObject $objACL
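The two steps above (break inheritance, then strip the Users group) are what the post set out to run against multiple folders. The function below is an added example, not the post's own script, that wraps both steps in a reusable, pipeline-friendly form. The function name, its parameter names and the sample paths in the usage comments are hypothetical; it assumes Windows PowerShell 3 or later with the built-in Get-Acl/Set-Acl cmdlets. It adds three things a practitioner wants before running this across a share: -WhatIf/-Confirm support, a guard that refuses to remove the only remaining Allow entry (so the folder cannot be left with no one able to open it), and a verification step that reads the ACL back from disk instead of trusting the in-memory object.

```powershell
# Added example (not the original post's code): break inheritance on each folder,
# then remove every Allow entry for one account (BUILTIN\Users by default).
# Function name, parameter names and sample paths are hypothetical.
function Remove-IdentityFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path,

        # Account whose Allow entries are removed; the default matches the post.
        [string]$Identity = 'BUILTIN\Users',

        # Second argument of SetAccessRuleProtection: $true copies the inherited
        # entries as explicit ones first (the GUI's "Add"), $false drops them.
        [bool]$PreserveInheritedRules = $true
    )

    process {
        foreach ($folder in $Path) {
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
                Write-Warning "Skipping '$folder': not an existing folder"
                continue
            }

            # Step 1: break inheritance, exactly as the post does.
            $acl = Get-Acl -LiteralPath $folder
            if (-not $acl.AreAccessRulesProtected) {
                $acl.SetAccessRuleProtection($true, $PreserveInheritedRules)
                if ($PSCmdlet.ShouldProcess($folder, 'Disable permission inheritance')) {
                    Set-Acl -LiteralPath $folder -AclObject $acl
                }
            }

            # Re-read so step 2 sees the explicit entries created by step 1.
            $acl = Get-Acl -LiteralPath $folder
            $target = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
            $others = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ne $Identity })

            # Lock-out guard: never strip the only remaining Allow entry.
            if ($target.Count -gt 0 -and $others.Count -eq 0) {
                Write-Warning "Skipping '$folder': '$Identity' holds the only Allow entry"
                continue
            }

            # Step 2: remove every Allow entry for the identity. RemoveAccessRuleAll
            # matches on identity and AccessControlType only, so the rights and
            # flags in this template rule do not limit what gets removed.
            if ($target.Count -gt 0) {
                $account   = New-Object System.Security.Principal.NTAccount($Identity)
                $rights    = [System.Security.AccessControl.FileSystemRights]::ReadData
                $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
                $propagate = [System.Security.AccessControl.PropagationFlags]::None
                $type      = [System.Security.AccessControl.AccessControlType]::Allow
                $template  = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $rights, $inherit, $propagate, $type)
                $acl.RemoveAccessRuleAll($template)
                if ($PSCmdlet.ShouldProcess($folder, "Remove $($target.Count) Allow entry(s) for $Identity")) {
                    Set-Acl -LiteralPath $folder -AclObject $acl
                }
            }

            # Step 3: verify by reading the ACL back from disk.
            $after = Get-Acl -LiteralPath $folder
            [pscustomobject]@{
                Path                = $folder
                InheritanceDisabled = $after.AreAccessRulesProtected
                EntriesRemoved      = $target.Count
                IdentityStillListed = (@($after.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }).Count -gt 0)
            }
        }
    }
}

# Usage (paths are placeholders): preview first with -WhatIf, then apply.
# 'C:\Test', 'C:\Test2' | Remove-IdentityFolderAccess -WhatIf
# Get-ChildItem -Path 'D:\Shares' -Directory | Where-Object Name -eq 'Private' |
#     Select-Object -ExpandProperty FullName | Remove-IdentityFolderAccess
```

Running it with -WhatIf first shows, per folder, whether inheritance would be disabled and how many Users entries would go, without touching the disk. The second usage line is the pattern for "only folders with a specific name": filter the folder list first, then pipe the full paths in. Keep -PreserveInheritedRules at its default of $true unless you have already defined the explicit entries (Administrators, SYSTEM, the owner) that the folder should keep; with $false the inherited entries are dropped, and the lock-out guard is the only thing standing between you and an unreadable folder.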

Thank you for reading, I hope this information will be useful to you.

  • fatman45

    This is great – just what I was looking for! But how did you resolve the initial problem, i.e., recursively removing permissions from a bunch of folders? I need to loop through a collection and remove permissions for only folders with a specific name.

  • Ramkar Ummo

    Hi japinator.
    Thanks for this great example on how to set NTFS permissions.
    I am actually using it because ICACLS is not working for me and I need to remove specific permissions for a bunch of folders in a network share.
    I have put your code in a script that reads a file containing a list of paths. I am having an issue when issuing the cmdlet:
    Set-Acl -Path $pathToFix -AclObject $acl

    Where the variable is holding the path in the array in a correct form as displayed by a Write-Host statement just before (i.e.: \sharenamehomedirs01samaccountname). It just gets stuck not doing anything, no progress at all.

    Do you have an idea why?

    • http://www.vsysad.com japinator

      Hi Ramkar, without testing the script myself it will be difficult to determine the cause of your problem. Have you tried running your script on a local folder as a test? If not, please try and confirm what happens.