This is a script I created that has helped with file migrations and, in particular, with updating permissions for accounts that have been disabled but still exist in the permissions of a shared folder.
Usage:
Copy the contents of this script into PowerShell ISE, or save them as a .ps1 file. If running it as a .ps1 file, ensure that “set-executionpolicy unrestricted” has been set first. Then execute the script either by typing C:\path\to\script.ps1 or, from the folder where the script is located, by running .\script.ps1.
Synopsis:
The script removes access to a given folder based on input from the user. Any errors are written to a log in the My Documents\NTFS folder. The script prompts for the folder on which to remove permissions and for the account to remove; for example, the folder could be G:\Finance and the account DOMAIN\PSmith. Note that the preceding domain prefix is required.
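<#
.SYNOPSIS
    Removes one account's explicit (non-inherited) access rules from a folder tree.
.DESCRIPTION
    Prompts for a root folder and an account name, walks the root folder and every
    subfolder beneath it, and strips every access rule whose identity matches the
    account. Inherited rules are left alone: they belong to a parent and would be
    re-applied on the next inheritance refresh, so they must be removed where they
    are defined.
    Folders that cannot be listed, read or written are recorded in
    My Documents\NTFS\error.txt and skipped; the run continues with the next folder.
.NOTES
    Interactive only. Run it from a console whose account may read and rewrite the
    security descriptors of the folders involved.
#>

# Make every error terminating so nothing is silently skipped; the steps below
# catch the failures they can tolerate and log them instead.
$ErrorActionPreference = "Stop"

#########################################
# Log file: My Documents\NTFS\error.txt
#########################################
$DocumentPath = [Environment]::GetFolderPath("MyDocuments")
$LogFolder    = Join-Path $DocumentPath "NTFS"
$LogFile      = Join-Path $LogFolder "error.txt"

# Create the log folder only when it is missing; an existing one is not an error.
if (-not (Test-Path -LiteralPath $LogFolder -PathType Container)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

# Start every run with a fresh log. A missing file is the normal first-run case,
# so nothing is reported when there is nothing to delete.
if (Test-Path -LiteralPath $LogFile) {
    Remove-Item -LiteralPath $LogFile -ErrorAction SilentlyContinue
}

#######################################
# Appends one timestamped line to the error log.
# Arguments: $Message - text to record
#######################################
function Write-ErrorLog {
    param([string]$Message)
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -LiteralPath $LogFile -Value "$stamp $Message"
}

Write-Host -ForegroundColor Yellow "Any errors will be saved to $LogFile"

#########################################
# Gather input
#########################################
$FolderSelection = Read-Host -Prompt "Enter the folder to remove permission on (do not use quotation marks). For example, B:\It\Projects"
$UserAccount     = Read-Host -Prompt "Enter the exact name of the account which you want to remove from all folders."

# Refuse an unusable root up front: with nothing to enumerate the run would
# otherwise end "successfully" having changed nothing.
if (-not (Test-Path -LiteralPath $FolderSelection -PathType Container)) {
    Write-ErrorLog "Error accessing $FolderSelection : not found or not a folder"
    Write-Host -ForegroundColor Red "Folder '$FolderSelection' does not exist or is not a folder. Nothing to do."
    return
}

# Identities on an ACL appear as DOMAIN\Name (or BUILTIN\..., NT AUTHORITY\...).
# Without a prefix only well-known names such as 'Everyone' can match, so say so
# rather than finish silently with no change.
if ($UserAccount -notmatch '\\') {
    Write-Host -ForegroundColor Yellow "Warning: '$UserAccount' has no DOMAIN\ prefix; it will only match well-known names such as 'Everyone'."
}

#########################################
# Enumerate the root folder and every subfolder beneath it. The root is included
# because its own explicit rules are what grant the account entry to the tree.
# -LiteralPath keeps [ ] in folder names from being read as wildcards.
# Subfolders that cannot be listed are collected by -ErrorVariable, logged and
# skipped instead of aborting the whole enumeration.
#########################################
$enumErrors = @()
$Folders  = @(Get-Item -LiteralPath $FolderSelection)
$Folders += @(Get-ChildItem -LiteralPath $FolderSelection -Recurse -ErrorAction SilentlyContinue -ErrorVariable enumErrors |
    Where-Object { $_.PSIsContainer })
foreach ($e in $enumErrors) {
    Write-ErrorLog "Error accessing $($e.TargetObject): $($e.Exception.Message)"
}

#########################################
# For each folder: read its descriptor, drop every explicit rule for the account,
# then write the descriptor back once. A descriptor is only written when a rule
# was actually removed.
# NOTE(review): -LiteralPath on Get-Acl/Set-Acl — confirm it is available on the
# oldest PowerShell version this is run with; otherwise fall back to -Path.
#########################################
$changed = 0
foreach ($Folder in $Folders) {
    $path = $Folder.FullName

    # A fresh descriptor per folder: a stale object left over from the previous
    # iteration must never be written onto this folder.
    $acl = $null
    try {
        $acl = Get-Acl -LiteralPath $path
    }
    catch {
        Write-ErrorLog "Error reading ACL on folder $($path): $($_.Exception.Message)"
        continue
    }

    # Compare on .Value so the match is the plain 'DOMAIN\Name' string (-eq is
    # case-insensitive); IsInherited is a bool, so test it directly.
    $matching = @($acl.Access | Where-Object {
        (-not $_.IsInherited) -and ($_.IdentityReference.Value -eq $UserAccount)
    })
    if ($matching.Count -eq 0) { continue }

    # RemoveAccessRuleAll drops every rule for this identity with the same
    # Allow/Deny type regardless of rights or flags, so no copy of the rule is
    # needed; passing each matched rule also covers a Deny rule if one exists.
    foreach ($rule in $matching) {
        $acl.RemoveAccessRuleAll($rule)
    }

    # $($path) — a bare "$Folder.fullname" inside quotes would expand only
    # $Folder and print ".fullname" literally.
    Write-Host -ForegroundColor Yellow "Removing permission for $UserAccount on folder $($path)"
    try {
        Set-Acl -LiteralPath $path -AclObject $acl
        $changed++
    }
    catch {
        Write-ErrorLog "Error writing ACL on folder $($path): $($_.Exception.Message)"
    }
}

Write-Host -ForegroundColor Green "Done. Updated $changed folder(s); any problems were logged to $LogFile"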
Usage:
Copy the contents of this script into PowerShell ISE, or save them as a .ps1 file. If running it as a .ps1 file, ensure that “set-executionpolicy unrestricted” has been set first. Then execute the script either by typing C:\path\to\script.ps1 or, from the folder where the script is located, by running .\script.ps1.
Synopsis:
The script removes access to a given folder based on input from the user. Any errors are written to a log in the My Documents\NTFS folder. The script prompts for the folder on which to remove permissions and for the account to remove; for example, the folder could be G:\Finance and the account DOMAIN\PSmith. Note that the preceding domain prefix is required.
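<#
.SYNOPSIS
    Removes one account's explicit (non-inherited) access rules from a folder tree.
.DESCRIPTION
    Prompts for a root folder and an account name, walks the root folder and every
    subfolder beneath it, and strips every access rule whose identity matches the
    account. Inherited rules are left alone: they belong to a parent and would be
    re-applied on the next inheritance refresh, so they must be removed where they
    are defined.
    Folders that cannot be listed, read or written are recorded in
    My Documents\NTFS\error.txt and skipped; the run continues with the next folder.
.NOTES
    Interactive only. Run it from a console whose account may read and rewrite the
    security descriptors of the folders involved.
#>

# Make every error terminating so nothing is silently skipped; the steps below
# catch the failures they can tolerate and log them instead.
$ErrorActionPreference = "Stop"

#########################################
# Log file: My Documents\NTFS\error.txt
#########################################
$DocumentPath = [Environment]::GetFolderPath("MyDocuments")
$LogFolder    = Join-Path $DocumentPath "NTFS"
$LogFile      = Join-Path $LogFolder "error.txt"

# Create the log folder only when it is missing; an existing one is not an error.
if (-not (Test-Path -LiteralPath $LogFolder -PathType Container)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

# Start every run with a fresh log. A missing file is the normal first-run case,
# so nothing is reported when there is nothing to delete.
if (Test-Path -LiteralPath $LogFile) {
    Remove-Item -LiteralPath $LogFile -ErrorAction SilentlyContinue
}

#######################################
# Appends one timestamped line to the error log.
# Arguments: $Message - text to record
#######################################
function Write-ErrorLog {
    param([string]$Message)
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -LiteralPath $LogFile -Value "$stamp $Message"
}

Write-Host -ForegroundColor Yellow "Any errors will be saved to $LogFile"

#########################################
# Gather input
#########################################
$FolderSelection = Read-Host -Prompt "Enter the folder to remove permission on (do not use quotation marks). For example, B:\It\Projects"
$UserAccount     = Read-Host -Prompt "Enter the exact name of the account which you want to remove from all folders."

# Refuse an unusable root up front: with nothing to enumerate the run would
# otherwise end "successfully" having changed nothing.
if (-not (Test-Path -LiteralPath $FolderSelection -PathType Container)) {
    Write-ErrorLog "Error accessing $FolderSelection : not found or not a folder"
    Write-Host -ForegroundColor Red "Folder '$FolderSelection' does not exist or is not a folder. Nothing to do."
    return
}

# Identities on an ACL appear as DOMAIN\Name (or BUILTIN\..., NT AUTHORITY\...).
# Without a prefix only well-known names such as 'Everyone' can match, so say so
# rather than finish silently with no change.
if ($UserAccount -notmatch '\\') {
    Write-Host -ForegroundColor Yellow "Warning: '$UserAccount' has no DOMAIN\ prefix; it will only match well-known names such as 'Everyone'."
}

#########################################
# Enumerate the root folder and every subfolder beneath it. The root is included
# because its own explicit rules are what grant the account entry to the tree.
# -LiteralPath keeps [ ] in folder names from being read as wildcards.
# Subfolders that cannot be listed are collected by -ErrorVariable, logged and
# skipped instead of aborting the whole enumeration.
#########################################
$enumErrors = @()
$Folders  = @(Get-Item -LiteralPath $FolderSelection)
$Folders += @(Get-ChildItem -LiteralPath $FolderSelection -Recurse -ErrorAction SilentlyContinue -ErrorVariable enumErrors |
    Where-Object { $_.PSIsContainer })
foreach ($e in $enumErrors) {
    Write-ErrorLog "Error accessing $($e.TargetObject): $($e.Exception.Message)"
}

#########################################
# For each folder: read its descriptor, drop every explicit rule for the account,
# then write the descriptor back once. A descriptor is only written when a rule
# was actually removed.
# NOTE(review): -LiteralPath on Get-Acl/Set-Acl — confirm it is available on the
# oldest PowerShell version this is run with; otherwise fall back to -Path.
#########################################
$changed = 0
foreach ($Folder in $Folders) {
    $path = $Folder.FullName

    # A fresh descriptor per folder: a stale object left over from the previous
    # iteration must never be written onto this folder.
    $acl = $null
    try {
        $acl = Get-Acl -LiteralPath $path
    }
    catch {
        Write-ErrorLog "Error reading ACL on folder $($path): $($_.Exception.Message)"
        continue
    }

    # Compare on .Value so the match is the plain 'DOMAIN\Name' string (-eq is
    # case-insensitive); IsInherited is a bool, so test it directly.
    $matching = @($acl.Access | Where-Object {
        (-not $_.IsInherited) -and ($_.IdentityReference.Value -eq $UserAccount)
    })
    if ($matching.Count -eq 0) { continue }

    # RemoveAccessRuleAll drops every rule for this identity with the same
    # Allow/Deny type regardless of rights or flags, so no copy of the rule is
    # needed; passing each matched rule also covers a Deny rule if one exists.
    foreach ($rule in $matching) {
        $acl.RemoveAccessRuleAll($rule)
    }

    # $($path) — a bare "$Folder.fullname" inside quotes would expand only
    # $Folder and print ".fullname" literally.
    Write-Host -ForegroundColor Yellow "Removing permission for $UserAccount on folder $($path)"
    try {
        Set-Acl -LiteralPath $path -AclObject $acl
        $changed++
    }
    catch {
        Write-ErrorLog "Error writing ACL on folder $($path): $($_.Exception.Message)"
    }
}

Write-Host -ForegroundColor Green "Done. Updated $changed folder(s); any problems were logged to $LogFile"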