Remove ACL Entry from an OU

  • Question

  • Hi

    Is there a way I can remove a user (in this case "NT Authority\Authenticated Users") from an OU using PowerShell? Inheritance is blocked.

    I've attempted the below but it doesn't seem to work. Any suggestions?

    $acl = Get-Acl -Path "Path to OU"
    foreach($acc in $acl.access )
    {
        $value = $acc.IdentityReference.Value
        if($value -match "NT Authority\Authenticated Users")
        {
            $ACL.RemoveAccessRule($acc) | Out-Null
            Set-Acl -Path "Path to OU" -AclObject $acl -ErrorAction Stop
            Write-Host "Remove ACL Entry: $value  form"
        }
    }

    Thursday, April 18, 2013 4:33 PM

Answers

  • I just tested the following sample and it works:

    import-module active*
    set-location ad:

    $acl = Get-Acl -Path "ou=testou,dc=woodgrovebank,dc=com"
    foreach($acc in $acl.access )
    {
        $value = $acc.IdentityReference.Value
        if($value -eq "NT Authority\Authenticated Users")
        {
            $ACL.RemoveAccessRule($acc)
            Set-Acl -Path "ou=testou,dc=woodgrovebank,dc=com" -AclObject $acl -ErrorAction Stop
            Write-Host "Remove ACL Entry: $value  form"
        }
    }

    It also works with if($value -match "NT Authority\\Authenticated Users") as suggested by Kazun.
    Friday, April 19, 2013 2:07 PM

All replies

  • That just removes a user from a group. I need to script the removal of Authenticated Users (Not Inherited) from an OU in AD.
    Friday, April 19, 2013 8:22 AM
  • Escape \\ : if($value -match "NT Authority\\Authenticated Users")

    Friday, April 19, 2013 8:40 AM
  • That still does not work. Is anyone aware that this is even possible with PowerShell? I'm struggling with the Set-Acl command on OUs.
    Friday, April 19, 2013 12:35 PM
  • Yep works a treat. Many thanks
    Friday, April 19, 2013 2:30 PM
  • Hi

    This might work, but isn't it setting the whole ACL list again instead of removing just one entry from the ACL?

    Guru

    Wednesday, August 5, 2020 9:30 AM
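The following is an added example, not code from any of the posters above. It builds on the accepted answer (filtering on IdentityReference with -eq, so no regex escaping of the backslash is needed) and addresses the last question in the thread: Set-Acl does write the entire security descriptor back, so the script snapshots the original SDDL first, removes only the explicit (non-inherited) entries for one principal with RemoveAccessRuleSpecific, and verifies the DACL before committing. The OU distinguished name and the backup path are placeholders; the ActiveDirectory module and its AD: drive are assumed to be available.

```powershell
# Added example: remove the explicit (non-inherited) ACEs for one principal
# from an OU, with a backup of the original descriptor and a check that only
# the intended entries changed before Set-Acl writes the whole DACL back.
Import-Module ActiveDirectory
Set-Location AD:

$ouPath    = "OU=TestOU,DC=example,DC=com"      # placeholder DN, replace it
$principal = "NT AUTHORITY\Authenticated Users"  # IdentityReference.Value to remove
# PowerShell's -eq is case-insensitive, so "NT Authority\..." also matches.

$acl = Get-Acl -Path $ouPath

# Keep the full descriptor as SDDL so the original DACL can be restored.
$backupFile = Join-Path $env:TEMP ("ou-acl-backup-{0}.sddl" -f (Get-Date -Format yyyyMMddHHmmss))
$acl.Sddl | Set-Content -Path $backupFile
Write-Host "Original SDDL saved to $backupFile"

# Only explicit ACEs can be removed here. Inherited ACEs come from the parent
# and would have to be changed there (or inheritance blocked, as in the thread).
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $principal
})

if ($toRemove.Count -eq 0) {
    Write-Host "No explicit ACE for $principal on $ouPath; nothing to do."
    return
}

$before = $acl.Access.Count
foreach ($ace in $toRemove) {
    # RemoveAccessRuleSpecific removes exactly this ACE rather than every rule
    # that matches the principal/rights combination.
    $acl.RemoveAccessRuleSpecific($ace)
    Write-Host ("Removing {0} {1} for {2}" -f $ace.AccessControlType,
                $ace.ActiveDirectoryRights, $ace.IdentityReference.Value)
}
$after = $acl.Access.Count

# Verify the in-memory DACL before committing: no explicit ACE for the
# principal may remain, and inherited entries must be untouched.
$remaining = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $principal
})
if ($remaining.Count -ne 0) {
    throw "Explicit ACE(s) for $principal still present; not writing the DACL."
}
Write-Host "DACL had $before entries, now $after; writing descriptor back."

# Set-Acl replaces the whole security descriptor on the object with $acl.
Set-Acl -Path $ouPath -AclObject $acl -ErrorAction Stop
Write-Host "Removed $($toRemove.Count) ACE(s) for $principal from $ouPath"
```

Run it once with -WhatIf appended to the Set-Acl line to see what would be written without changing the OU; the backup file lets you restore the previous descriptor with Get-Acl, $acl.SetSecurityDescriptorSddlForm and Set-Acl if the result is not what you expected.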