Remove NTFS permission recursively from folder for specific user (permission inherited from root folder)

  • Question

  • Guys, I need your help to remove an NTFS permission for a specific user from a folder. I have many folders on a local drive, and inside each folder there are millions of sub-folders and files; the permission is inherited from the root folder for that user.

    I want to remove the NTFS permission for that particular user from all the folders recursively.

    Please help me with a PowerShell script.

    Thank you!


    Sunday, November 1, 2020 3:31 PM

All replies

  • We cannot teach you how to do this.  You will need to learn how the file system and permissions work.

    The simple answer is to just remove the permission from the root.  That is what "inherited" means.

    I recommend doing this from File Explorer since this will prevent you from making a mistake.


    Sunday, November 1, 2020 3:42 PM
  • I am also a System Consultant, and I know file systems and permissions well, but I am not good at PowerShell. I have a main root folder on the D drive, and inside the root folder there are many sub-folders and, underneath, millions of folders and files. The permission is applied from the root folder.

    If you have something to suggest, then please give a suggestion.

    See what I am trying:

    $user = 'domain\userid'
    $folders = "D:\*"

    ## Remove Inheritance from Top Folders and Child Objects
    ## (/inheritance:d disables inheritance and copies the inherited ACEs as explicit ones)
    foreach ($folder in $folders) {
        icacls $folder /inheritance:d
        Get-ChildItem -Path $folder -Recurse | Where-Object { $_.PSIsContainer } |
            ForEach-Object { icacls $_.FullName /inheritance:d }
    }

    ## Remove User from Top Folders
    $acls = Get-Acl -Path $folders
    foreach ($acl in $acls) {
        $folder = Convert-Path $acl.PSPath
        foreach ($access in $acl.Access) {
            if ($access.IdentityReference.Value -eq $user) {
                # Drop this user's entry from the in-memory ACL
                $acl.RemoveAccessRule($access) | Out-Null
            }
        }
        # Write the modified ACL back to the folder
        Set-Acl -Path $folder -AclObject $acl
    }

    ## Remove User from Child Objects
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Recurse | ForEach-Object {
            $object = $_.FullName
            $acl = Get-Acl -Path $object
            foreach ($access in $acl.Access) {
                if ($access.IdentityReference.Value -eq $user) {
                    $acl.RemoveAccessRule($access) | Out-Null
                }
            }
            Set-Acl -Path $object -AclObject $acl
        }
    }

    ## Enable Inheritance for Child Objects
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Recurse | Where-Object { $_.PSIsContainer } |
            ForEach-Object { icacls $_.FullName /inheritance:e }
    }

    Sunday, November 1, 2020 6:38 PM
  • If you know the file system then you know that you just need to get the root and remove the permission.

    help Get-Acl -online

    To remove a permission just use the methods on the "Access" collection then:

    help Set-Acl -online

    It only takes 5 lines and has nothing to do with PowerShell.  It is all about understanding the file system and permissions first.  After you fully understand that technology then the PowerShell bits are easy.

    Your question tells me that you may not understand these things correctly.  Inherited permissions exist at only one node of the hierarchy and are either propagated or not.  The root is the permission.  When a permission has the inheritance flag set then it is propagated from the above node.  Remove the root and the rest disappear.

    Again - review the documentation on how the file system actually works.  Once you understand that you will understand how to use the above specified help and where to look for the docs that show you how to use the methods on the ACL object.

    You can also download the permissions module from the Gallery which will make this a one command process or you can just use ICACLS to do it in one command.

    ICACLS /?


    • Proposed as answer by BOfH-666 Sunday, November 1, 2020 9:37 PM
    Sunday, November 1, 2020 6:50 PM
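
What the reply above describes (remove the entry at the node that owns it, then let propagation do the rest), as an added example that is not code from any poster in this thread. The function names `Remove-ExplicitAce` and `Get-ExplicitAce` and the path `D:\Data` are hypothetical; it assumes an elevated session, since `Set-Acl` needs rights to rewrite the folder's security descriptor.

```powershell
# Added example; function names and paths are hypothetical.
function Remove-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,      # folder that owns the ACE
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'domain\userid'
    )
    $acl   = Get-Acl -LiteralPath $Root
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })

    # An ACE flagged IsInherited lives on a parent; it cannot be removed here.
    $inherited = @($rules | Where-Object { $_.IsInherited })
    $explicit  = @($rules | Where-Object { -not $_.IsInherited })
    if ($inherited.Count -gt 0) {
        Write-Warning "$Root inherits $($inherited.Count) ACE(s) for $Identity; remove them on the parent."
    }
    if ($explicit.Count -eq 0) { return 0 }

    foreach ($rule in $explicit) { [void]$acl.RemoveAccessRule($rule) }
    if ($PSCmdlet.ShouldProcess($Root, "Remove $($explicit.Count) explicit ACE(s) for $Identity")) {
        # One write at the root; inherited copies on children go away with it.
        Set-Acl -LiteralPath $Root -AclObject $acl
    }
    return $explicit.Count
}

function Get-ExplicitAce {
    # Read-only audit: lists children that carry their OWN (non-inherited) ACE
    # for the identity. These survive a change at the root and need separate
    # cleanup. Walking millions of items is slow; run it per subtree.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Identity
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            (Get-Acl -LiteralPath $item.FullName).Access |
                Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
                ForEach-Object {
                    [pscustomobject]@{ Path   = $item.FullName
                                       Rights = $_.FileSystemRights
                                       Type   = $_.AccessControlType }
                }
        }
}

# Preview first, then apply, then audit what is left:
#   Remove-ExplicitAce -Root 'D:\Data' -Identity 'domain\userid' -WhatIf
#   Get-ExplicitAce    -Root 'D:\Data' -Identity 'domain\userid'
```

Running `Get-ExplicitAce` after a script has toggled `/inheritance:d` shows why that step is costly: every folder it touched now holds an explicit copy of the entry.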
  • I am also a System Consultant, and about file system and permission I know well but I am not good at power-shell 

    Why in the world are you disabling inheritance and then reenabling it later in the script? The ACLs on the folders will be a mess of inherited and uninherited permissions.

    I will second jrv's initial recommendation; use the Windows explorer, right click the folder and remove the user from the security permissions. If they are inherited as you said, then you are done. You don't need a script.


    Sunday, November 1, 2020 8:16 PM
  • Thanks for your suggestion.
    Monday, November 2, 2020 12:27 PM