{"id":52443,"date":"2009-09-17T03:01:00","date_gmt":"2009-09-17T03:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/09\/17\/hey-scripting-guy-can-i-remove-specific-folder-access-rights-on-a-per-user-basis\/"},"modified":"2009-09-17T03:01:00","modified_gmt":"2009-09-17T03:01:00","slug":"hey-scripting-guy-can-i-remove-specific-folder-access-rights-on-a-per-user-basis","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-remove-specific-folder-access-rights-on-a-per-user-basis\/","title":{"rendered":"Hey, Scripting Guy! Can I Remove Specific Folder Access Rights on a Per-User Basis?"},"content":{"rendered":"

\n\n\n\n
Share this post: <\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD>\n<\/A><\/TD><\/TR><\/TBODY><\/TABLE><\/SPAN>\n

\"Hey,<\/SPAN>Hey, Scripting Guy! There is this guy at work\u2026well, actually he used to be at work and that is the problem. He left the company. The way security has been implemented at our company, I have to check specific folders, and if a user has been granted explicit access rights to the folders, the entry needs to be removed. I know I could do this manually, but there are several folders and I would rather not waste the time doing this task if it could be scripted. Do you have a script that will do this for me? <\/P>\n

— SC <\/P>\n

\"Hey, Hello SC, <\/P>\n

Microsoft Scripting Guy Ed Wilson here. It has seemed like fall weather here in Charlotte, North Carolina, in the United States this week. Gentle breezes have been nudging leaves from reluctant trees in my front yard, and the sky has been a dark blue dotted with white fluffy clouds. This is the first time in more than five years that I have been home to enjoy this time of the year. I am sifting through the e-mail that has been sent to scripter@microsoft.com<\/A>, sipping on a cup of Earl Grey tea<\/FONT><\/A>, and munching on a hunk of artisan cheese<\/FONT><\/A> while listening to Vanessa-Mae<\/A> on my Zune<\/A><\/FONT>.  <\/SPAN>Needless to say, I am in one of the best moods I have been in a very long time. The reason that this is significant is because most of the time when I am confronted with a security type of question I say use either Subinacl<\/A><\/FONT> or use Icacls<\/A><\/FONT>. Because I am in a good mood, I am susceptible to suggestion. The script I came up with is similar to the script I wrote on Tuesday<\/A>.
<\/P>\n

The complete RemoveUserSecurityFromFolder.ps1 script is seen here. <\/P>\n

RemoveUserSecurityFromFolder.ps1 <\/B><\/P>\n

$user = ‘nwtraders\\bob’
$folders = “c:\\fso”,”c:\\fso1″, “c:\\fso2”
$acls = Get-Acl -path $folders
$outputObject = @()

Foreach($acl in $acls)
{
 <\/SPAN>$folder = (convert-path $acl.pspath)
 <\/SPAN>Write-Progress -act “Getting Security” -status “checking $folder” -percent ($i\/ $folders.count*100)
 <\/SPAN>
  <\/SPAN>Foreach($access in $acl.access)
  <\/SPAN>{
    <\/SPAN>Foreach($value in $access.identityReference.Value)
     <\/SPAN>{
       <\/SPAN>if ($value -eq $user)
          <\/SPAN>{
           <\/SPAN>$acl.RemoveAccessRule($access) | Out-Null
          <\/SPAN>}
     <\/SPAN>} #end foreach value
  <\/SPAN>} # end foreach access
 <\/SPAN>Set-Acl -path $folder -aclObject $acl
$i++
} #end Foreach acl <\/FONT><\/FONT><\/SPAN><\/P>\n

The first thing that must be done in the RemoveUserSecurityFromFolder.ps1 script is to create a variable to hold the user name and the folders to be searched. The user name is expressed in the form of DomainName\\UserName<\/B>. Each folder path is a string that includes the full path to the folder. Multiple folders can be supplied as long as they are separated by commas. This is seen here: <\/P>\n

$user = ‘nwtraders\\bob’ <\/FONT><\/SPAN><\/P>\n

$folders = “c:\\fso”,”c:\\fso1″, “c:\\fso2”
<\/FONT><\/SPAN><\/P>\n

As seen in the following image, the user nwtraders\\bob <\/B>has been granted specific rights to the C:\\fso2<\/B> folder. He has also been granted specific rights to other folders. The RemoveUserSecurityFromFolder.ps1 script will be used to remove his access to the folders specified in the $folders <\/B>array. <\/P>\n

<\/P>\n

\"Image<\/P>\n

After you have the user name and the folders to be searched, you use the Get-Acl<\/B> Windows PowerShell cmdlet to return a collection of System.Security.AccessControl.DirectorySecurity<\/A> objects. The DirectorySecurity<\/B> objects are stored in the $acls<\/B> variable. This is shown here:
<\/P>\n

$acls = Get-Acl -path $folders <\/FONT><\/SPAN><\/P>\n

Because you need to inspect individual access control entries, you will need to use the Foreach<\/B> statement to walk through the collection of DirectorySecurity<\/B> objects that are stored in the $acls<\/B> variable. Each DirectorySecurity<\/B> object will be stored in the $acl<\/B> variable as you iterate through the collection. The Foreach<\/B> statement is seen here: <\/P>\n

Foreach($acl in $acls) <\/FONT><\/SPAN><\/P>\n

{ <\/FONT><\/SPAN><\/P>\n

The path to the current folder is retrieved from the pspath<\/B> property of the System.Security.AccessControl.DirectorySecurity<\/B> .NET Framework class. The folder path is used in the status of the Write-Progress<\/B> cmdlet, which displays a progress bar that informs the user of the status of removing the user from the folders. For more information about the use of Convert-Path<\/B> or the Write-Progress<\/B> cmdlet, see Tuesday\u2019s Hey, Scripting Guy! post<\/A>. The code is shown here: <\/P>\n

$folder = (convert-path $acl.pspath) <\/FONT><\/SPAN><\/P>\n

 <\/SPAN>Write-Progress -act “Getting Security” -status “checking $folder” -percent ($i\/ $folders.count*100) <\/FONT><\/SPAN><\/P>\n

It is time to walk through the individual access control entries. Because the user name that has been granted rights to a folder is stored in the value of the identityReference<\/B> property of the System.Security.Principal.NTAccount<\/A> .NET Framework class, it is necessary to somehow gain access to the NTAccount<\/B> class.  <\/SPAN>To do this, each of the System.Security.AccessControl.FileSystemAccessRule<\/A> .NET Framework classes that are returned by querying the access property of the DirectorySecurity<\/B> object are queried. The Foreach<\/B> statement is used to walk through the collection of FileSystemAccessRules<\/B> as seen here: <\/P>\n

  <\/SPAN>Foreach($access in $acl.access) <\/FONT><\/SPAN><\/P>\n

  <\/SPAN>{ <\/FONT><\/SPAN><\/P>\n

After a specific FileSystemAccessRule<\/B> has been obtained and stored in the $access<\/B> variable, the NTAccount<\/B> class is obtained by referencing the identityReference<\/B> property.  <\/SPAN>The value contained in value<\/B> property is stored in the $value<\/B> variable as seen here: <\/P>\n

    <\/SPAN>Foreach($value in $access.identityReference.Value) <\/FONT><\/SPAN><\/P>\n

     <\/SPAN>{ <\/FONT><\/SPAN><\/P>\n

       <\/SPAN>if ($value -eq $user) <\/FONT><\/SPAN><\/P>\n

If the user matches the value of the identityReference<\/B> property, the FileSystemAccessRule<\/B> is removed from the System.Security.AccessControl.DirectorySecurity<\/B> object. The information that is returned from the RemoveAccessRule<\/B> method call is piped to the Out-Null<\/B> cmdlet. This is shown here: <\/P>\n

          <\/SPAN>{ <\/FONT><\/SPAN><\/P>\n

           <\/SPAN>$acl.RemoveAccessRule($access) | Out-Null <\/FONT><\/SPAN><\/P>\n

          <\/SPAN>} <\/FONT><\/SPAN><\/P>\n

     <\/SPAN>} #end foreach value <\/FONT><\/SPAN><\/P>\n

  <\/SPAN>} # end foreach access <\/FONT><\/SPAN><\/P>\n

It is time to commit the changes to the DirectorySecurity<\/B> object. If you do not use the Set-Acl<\/B> cmdlet to write the changes to the DirectorySecurity<\/B> object, the script will appear to work properly, but the user will not be removed from access to the folders. To commit the changes, you specify the folder and the aclObject<\/B>. For this script, the path to the folder is contained in the $folder<\/B> variable and the aclObject<\/B> is the DirectorySecurity<\/B> object that is stored in the $acl<\/B> variable. This line of code is seen here: <\/P>\n

 <\/SPAN>Set-Acl -path $folder -aclObject $acl <\/FONT><\/SPAN><\/P>\n

$i++ <\/FONT><\/SPAN><\/P>\n

} #end Foreach acl
<\/FONT><\/SPAN><\/P>\n

After the RemoveUserSecurityFromFolder.ps1 script has run, a quick inspection of the C:\\fso2 folder reveals that nwtraders\\bob<\/B> has been removed. This is seen here: <\/P>\n

\"Image<\/P>\n

 <\/P>\n

Well, SC, that is all there is to removing a user\u2019s access rights to a folder. I am glad you asked the question because the process was not nearly as difficult as I had believed. This brings us to the end of our Security Week posts. Join us tomorrow as we dig into the virtual mail bag for questions that do not need quite as long of an answer. That is right: Tomorrow is Quick-Hits Friday! <\/P>\n

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter<\/A> or Facebook<\/FONT><\/A>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/A> or post them on the Official Scripting Guys Forum<\/A>. See you tomorrow. Until then, keep on scripting. <\/P>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys <\/SPAN><\/B><\/P>\n

fazpeux4s3<\/SPAN> <\/P><\/B>\n

 <\/P><\/p>\n","protected":false},"excerpt":{"rendered":"

Share this post: Hey, Scripting Guy! There is this guy at work\u2026well, actually he used to be at work and that is the problem. He left the company. The way security has been implemented at our company, I have to check specific folders, and if a user has been granted explicit access rights to the […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[62,3,63,45],"class_list":["post-52443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-dacls-and-sacls","tag-scripting-guy","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Share this post: Hey, Scripting Guy! There is this guy at work\u2026well, actually he used to be at work and that is the problem. He left the company. The way security has been implemented at our company, I have to check specific folders, and if a user has been granted explicit access rights to the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52443"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}