Worton Tech Ltd
Removing ACLs from a Folder using PowerShell

23/5/2019

 
This is a script I created to help with file migrations and with updating permissions, in particular for accounts which have been disabled but still exist on the file system of a shared folder.

Usage:
Copy the contents of this script into PowerShell ISE or save the contents as a .ps1 file. Ensure that "set-executionpolicy unrestricted" is set before running it as a .ps1 file. Then execute the script by typing either C:\path\to\script.ps1 or, from the folder where the script is located, .\script.ps1.

Synopsis:
The script removes access to a given folder based on input from the user. It writes its output to an error log in the My Documents\NTFS folder. The script prompts for the folder to remove permissions on and the object to remove. For example, the folder could be G:\Finance and the account DOMAIN\PSmith. Please note that the preceding domain is required.

#Set Error action to stop for all errors
#########################################
$ErrorActionPreference="stop"
#Obtain the current user My Document Folder
#########################################
$DocumentPath = [Environment]::GetFolderPath("MyDocuments")
#If this path exists then ignore, else make the NTFS folder in My documents
#########################################
if (test-path $DocumentPath\NTFS -PathType Container) { write-host -ForegroundColor Red "Folder $documentpath\NTFS already exists. Not creating." }
if ( -not (test-path $DocumentPath\NTFS -PathType Container)) { mkdir $Documentpath\NTFS }
#Setup the Log file
#########################################
$Logfile = "$Documentpath\NTFS\error.txt"
#Test if the file is there. If it is then delete it
#########################################
if (test-path $logfile) { Del $logfile -ErrorAction SilentlyContinue }
else { write-host -foregroundcolor Red "$logfile does not exist. Cannot delete." }
#Display information to the user
#########################################
write-host -ForegroundColor Yellow "Any errors will be saved to the NTFS folder located within your My Documents folder"
 
#Prompt the user to enter the full path of the folder and the user
#########################################
$Folderselection = (read-host -prompt "Enter the folder to remove permission on (do not use quotation marks). For example, B:\It\Projects")
$UserAccount = (read-host -prompt "Enter the exact name of the account which you want to remove from all folders.")
#Attempt to read the contents of the directory and child objects. If there is a problem with accessing a folder, log it here
#########################################
try{
$Folders = dir $FolderSelection -recurse | where {$_.psiscontainer -eq $true}
}
Catch {
"Error Accessing $FolderSelection" | add-content $logfile
}
$error.clear()
#Step through each folder and obtain the security descriptor.
#########################################
foreach ($Folder in $Folders){
    try{
        $ACLs = get-acl $Folder.fullname
    }
    Catch{
        #Log the error and skip this folder, so that the ACL read from the
        #previous folder is never written to it.
        ########################################
        "Error on folder $($Folder.fullname) Access is denied" | Add-Content $logfile
        continue
    }
    #Now step through each ACL, Create an ACL object which matches the permission of the account, then remove this ACL.
    #The ACL:- in order to remove permissions by using set-acl, set-acl needs to have an object first
    #with the same ACL information that matches the folder. In this case we are removing an
    #ACL of Allow so we create the Object with the Allow settings and use set-acl to set the
    #folder to remove the acl to whatever is in the ACL object.
    ########################################
    Foreach ($ACL in $ACLs.Access | where { $_.IsInherited -ne $true -and $_.identityreference -eq $UserAccount}){
        $Newace = new-object System.Security.AccessControl.FileSystemAccessRule ($ACL.Identityreference, $ACL.FileSystemRights, $ACL.InheritanceFlags, $ACL.PropagationFlags, [System.Security.AccessControl.AccessControlType]::Allow)
        #RemoveAccessRuleAll removes every explicit Allow rule for the identity named in $Newace
        $acls.RemoveAccessRuleAll($Newace)
        write-host -ForegroundColor Yellow "removing permission for user $UserAccount on folder $($Folder.fullname)"
        set-acl $Folder.fullname $acls
    }
}
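
A read-only pre-check to run before the removal script, as an added example that is not part of the original post: it lists the explicit ACEs for the account on the chosen folder and every subfolder and saves them to a CSV, so the permissions about to be removed are on record. The function name `Get-ExplicitAce`, its parameters and the CSV file name are assumptions made for this example.

```powershell
# Added example (not the author's script). Requires PowerShell 3.0 or later.
# It only reads ACLs; nothing on the file system is changed.
function Get-ExplicitAce {
    param(
        [Parameter(Mandatory)] [string] $Path,      # folder to inspect
        [Parameter(Mandatory)] [string] $Identity   # account in DOMAIN\Name form
    )

    # Include the root folder itself as well as every child folder.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue   # skip the folder; never reuse the previous folder's ACL
        }

        # Explicit (non-inherited) entries for the requested account only.
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder           = $folder.FullName
                    Identity         = $_.IdentityReference.Value
                    Type             = $_.AccessControlType
                    Rights           = $_.FileSystemRights
                    InheritanceFlags = $_.InheritanceFlags
                    PropagationFlags = $_.PropagationFlags
                }
            }
    }
}

# Sample values taken from the synopsis; replace with the folder and account to review.
$report  = Get-ExplicitAce -Path 'G:\Finance' -Identity 'DOMAIN\PSmith'
$csvPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'acl-before-removal.csv'

$report | Format-Table -AutoSize
$report | Export-Csv -Path $csvPath -NoTypeInformation
```

Each row of the CSV holds the values needed to rebuild a FileSystemAccessRule if a removal has to be reversed.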
  

    Author

    Kevin Worton. Technology Consultant.


Copyright Worton Tech © 2019