none
icacls command to remove multiple users permissions from a folder at one icacls command in win 2008 R2

    Question

  • hi friends

    in win2008 R2, i want to know is it possible to remove multiple users permissions from security tab of a folder at once ?  ( at one icacls command ? )

    for example in my C: drive, i have a folder called "MyFolder" to which the user1 and person2 and teacher3 have Modify permission.

    i want to remove their permissions from MyFolder at once.  i tried this command but it doesn't work :

    icacls c:\MyFolder /remove:g user1,person2,teacher3      doesn't work.

    any solution please

    thanks in advance




    • Edited by john.s2011 Wednesday, February 22, 2012 8:47 PM
    Wednesday, February 22, 2012 8:44 PM

Answers

  • Run the command prompt as Administrator, then try it with the domain name:

    icacls c:\MyFolder /remove:g  domain\user1, domain\person2, domain\teacher3 (with commas)

    or

    icacls c:\MyFolder /remove:g  domain\user1 domain\person2 domain\teacher3  (without commas)

    .

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, February 23, 2012 1:21 AM

All replies

  • Run the command prompt as Administrator, then try it with the domain name:

    icacls c:\MyFolder /remove:g  domain\user1, domain\person2, domain\teacher3 (with commas)

    or

    icacls c:\MyFolder /remove:g  domain\user1 domain\person2 domain\teacher3  (without commas)

    .

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, February 23, 2012 1:21 AM
  • Run the command prompt as Administrator, then try it with the domain name:

    icacls c:\MyFolder /remove:g  domain\user1, domain\person2, domain\teacher3 (with commas)

    or

    icacls c:\MyFolder /remove:g  domain\user1 domain\person2 domain\teacher3  (without commas)

    .

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBookTwitterLinkedIn

    hi Dear Ace, thank you very much for the solution. i really didn't find this solution anywhere

    you are really great in network   ;-)

    best regards


    • Edited by john.s2011 Thursday, February 23, 2012 4:54 PM
    Thursday, February 23, 2012 4:20 AM
  • You are welcome, John! :-)

    Cheers!


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, February 23, 2012 4:36 AM
  • Hi All,

    I have the same problem with a twist. We have a fileserver and recently moved the server from one domain to another. We have added all the permissions for the new domain and all is good, but I want to get rid of the old users on the server, but the names no longer resolve in active directory because we are not connected (and cannot connect to) the old domain. The old perms show as a series of GUIDs on the filesystem. 
    I tried removing them using the below both with and without commas

    icacls dirname  /remove  S-1-5-21-124525095-708259637-1543119021-1366458 S-1-5-21-124525095-708259637-1543119021-1366039 S-1-5-21-124525095-708259637-1543119021-1458776 S-1-5-21-124525095-708259637-1543119021-20045 S-1-5-21-124525095-708259637-1543119021-461932 /t /c

    The result is always the same:

    Successfully processed 0 files; Failed processing 0 files

    Is there anyway to remove these GUIDs?

    thanks,

    Kent

    Friday, March 18, 2016 6:48 PM
  • Hi All,

    I have the same problem with a twist. We have a fileserver and recently moved the server from one domain to another. We have added all the permissions for the new domain and all is good, but I want to get rid of the old users on the server, but the names no longer resolve in active directory because we are not connected (and cannot connect to) the old domain. The old perms show as a series of GUIDs on the filesystem. 
    I tried removing them using the below both with and without commas

    icacls dirname  /remove  S-1-5-21-124525095-708259637-1543119021-1366458 S-1-5-21-124525095-708259637-1543119021-1366039 S-1-5-21-124525095-708259637-1543119021-1458776 S-1-5-21-124525095-708259637-1543119021-20045 S-1-5-21-124525095-708259637-1543119021-461932 /t /c

    The result is always the same:

    Successfully processed 0 files; Failed processing 0 files

    Is there anyway to remove these GUIDs?

    thanks,

    Kent

    I assume you started CMD as admin.

    Did you try /remove:g?

    ICACLS Reference
    https://technet.microsoft.com/en-us/library/cc753525.aspx

    .

    If that doesn't work, try SubInACL:
    subinacl /subdirectories C:\*.* /cleandeletedsidsfrom=DomainName

    Microsoft SubInACL Download
    https://www.microsoft.com/en-us/download/details.aspx?id=23510

    JSI Tip 8741. How can I remove invalid domain SIDs from the my file system permissions?

    .

    Or just use this script from the Script Gallery:
    Remove orphaned SIDs from File/Folder ACL (PowerShell)
    http://gallery.technet.microsoft.com/scriptcenter/Remove-orphaned-SIDs-from-2231b1f0

    .

    There's also one you can buy: Quest Storage Migrator, but with the tools above, I don't see the need unless you are migrating a large number of servers.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBookTwitterLinkedIn


    • Edited by Ace Fekay [MCT]MVP Saturday, March 19, 2016 3:07 AM
    • Proposed as answer by kentda Monday, March 21, 2016 10:15 PM
    Saturday, March 19, 2016 3:06 AM
  • Thanks Ace!... I downloaded the powershell script and it works perfectly. Much better than finding all the abandoned GUIDs in the tree and listing them in a very long icacls command for deletion. 

    Monday, March 21, 2016 10:17 PM
  • Thanks Ace!... I downloaded the powershell script and it works perfectly. Much better than finding all the abandoned GUIDs in the tree and listing them in a very long icacls command for deletion. 

    That's great to hear that it worked! 

    You are welcome! 

    Cheers!


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Tuesday, March 22, 2016 3:35 AM