
On a number of the servers where I work the share folder permissions have become cluttered with direct permissions for some of our techs due to them needing to take ownership. I have figured out how to fix the ownership issue so it won't happen anymore, but I am stuck on the cleanup of these permissions. Unfortunately, when I run this command nothing happens, not even an error. I am guessing it's a logic error of some kind on my part, but I can't spot it. Any help would be appreciated.

# $vData is the root path
Get-Item $vData | foreach { $_ ; $_ | Get-ChildItem -directory -Force -Recurse }| foreach {   $currentDir = $_;  $acl = ($_ | Get-Acl).Access;    $IDs = $acl | select identityreference ;   foreach ($ID in $IDs)      {   if (($ID.ToString()).endswith('-admin')) {      $acesToRemove = $acl | where{ $_.IsInherited -eq $false -and $_.IdentityReference -eq $ID };       $acl.RemoveAccessRuleAll($acesToRemove);        Set-Acl -AclObject $acl $currentDir.ToString();   }    }    }

Since it's a one-liner, I have split it below for ease of reading.

Get-Item $vData |`
foreach {`
 $_ ; $_ | Get-ChildItem -directory -Force -Recurse `
}`
| foreach {`
   $currentDir = $_;`
   $acl = ($_ | Get-Acl).Access; `
   $IDs = $acl | select identityreference ;`
   foreach ($ID in $IDs)      {   `
     if (($ID.ToString()).endswith('-admin')) {`
        $acesToRemove = $acl | where{ $_.IsInherited -eq $false -and $_.IdentityReference -eq $ID };`
        $acl.RemoveAccessRuleAll($acesToRemove); `
        Set-Acl -AclObject $acl $currentDir.ToString(); `
           }`
     }`
    }

The code to remove the permissions is based on code I found here: Remove a user from ACL completely using PowerShell

Robyn H
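Added diagnostic, not part of the original question: the loop above is a silent no-op because `select identityreference` does not hand back the identity value but a PSCustomObject wrapping it, whose ToString() is `@{IdentityReference=DOMAIN\name}`, so `.EndsWith('-admin')` never matches and execution never reaches the `RemoveAccessRuleAll` call on the `.Access` collection (which would have thrown). The snippet reproduces that on an in-memory DirectorySecurity so no folder is touched; it uses `BUILTIN\Users` as the constructed identity (a made-up `tech-admin` account could not be resolved to a SID) and checks for the suffix `Users` in place of `-admin`. `Test-IdentityFilter` is a name chosen here.

```powershell
# Added diagnostic (not from the question). Windows only: BUILTIN\Users must resolve.
function Test-IdentityFilter {
    param([string] $Suffix = 'Users')   # stands in for '-admin' in the question

    # Constructed ACL: one explicit Allow ACE for BUILTIN\Users, never written to disk
    $sec  = New-Object System.Security.AccessControl.DirectorySecurity
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $sec.AddAccessRule($rule)
    $access = $sec.Access

    # What the question does: Select-Object wraps each value in a PSCustomObject
    $wrappedText = $access | Select-Object IdentityReference | ForEach-Object { $_.ToString() }

    # What was intended: the bare IdentityReference (NTAccount) value
    $unwrappedText = $access | Select-Object -ExpandProperty IdentityReference | ForEach-Object { $_.Value }

    [pscustomobject]@{
        WrappedToString   = $wrappedText     # '@{IdentityReference=BUILTIN\Users}'
        WrappedMatches    = @($wrappedText   | Where-Object { $_.EndsWith($Suffix) }).Count   # 0
        UnwrappedToString = $unwrappedText   # 'BUILTIN\Users'
        UnwrappedMatches  = @($unwrappedText | Where-Object { $_.EndsWith($Suffix) }).Count   # 1
    }
}

Test-IdentityFilter | Format-List
```

The same wrapping also defeats the later `$_.IdentityReference -eq $ID` comparison, since it compares an NTAccount with a PSCustomObject. Use `-ExpandProperty`, or skip the intermediate list entirely and filter `$acl.Access` directly as the answers below do.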

2 Answers


I believe RemoveAccessRuleAll (and RemoveAccessRule) work on the ACL, not on the Access property. Try something like this instead:

Get-ChildItem -Path $root -Directory -Force -Recurse |
  ForEach-Object -Process {
    $path = $_.FullName
    Write-Output "Working on '$path'"
    $acl = Get-Acl -Path $path
    # Only explicit (non-inherited) ACEs are candidates; inherited ones cannot be removed here
    if ($aclsToRemove = $acl.Access | Where-Object -FilterScript { -not $_.IsInherited -and $_.IdentityReference -like '*-admin' }) {
      Write-Output "  Found $($aclsToRemove.Count) ACLs to remove:"
      foreach ($aclToRemove in $aclsToRemove) {
        Write-Output "    Removing $($aclToRemove.IdentityReference) - $($aclToRemove.FileSystemRights) - $($aclToRemove.AccessControlType) from ACL list"
        # RemoveAccessRule returns a bool; discard it so it does not land in the output
        [void]$acl.RemoveAccessRule($aclToRemove)
      }
      Write-Output "  Setting new ACL on filesystem"
      Set-Acl -Path $_.FullName -AclObject $acl
    }
  }
DarkMoon
  • I actually ended up posting the same question on reddit since I thought my question ended up buried on here. I used this solution https://www.reddit.com/r/PowerShell/comments/p19br8/bulk_removing_direct_access_to_a_folder_via/h8c4wcv?utm_source=share&utm_medium=web2x&context=3 and was just coming back to update with it. Thank you all the same! – Robyn H Aug 10 '21 at 20:01

Found the answer below from reddit and it seems to accomplish what I needed.

From https://www.reddit.com/r/PowerShell/comments/p19br8/bulk_removing_direct_access_to_a_folder_via/ (PS_Alex):

I think your issue here is $acl = ($_ | Get-Acl).Access. Your $acl object only contains the ACE. The Set-Acl cmdlet expects the full ACL object as an input to the -AclObject argument.

You could try that instead:

#Assuming $vdata is your root path
foreach ($folder in Get-ChildItem -Path $vdata -Directory -Recurse -Force) {

    #Get the current ACL of the folder
    $acl = Get-Acl -Path $folder.FullName

    #Uncomment to explore the $acl object
    #$acl | fl

    #Filter the ACEs to identify the ones to remove, and remove them
    foreach ($aceToRemove in $acl.Access.Where({$psitem.IdentityReference -match "-admin$" -and $psitem.IsInherited -eq $false})) {
        $acl.RemoveAccessRule($aceToRemove)
    }

    #Uncomment to explore the $acl object
    #$acl | fl

    #Apply the ACL
    Set-Acl -AclObject $acl -Path $folder.FullName
}

Robyn H
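Added example, not part of either answer or the reddit post: the same cleanup written the way you would want to run it against production shares. It includes the root folder (the question piped `Get-Item $vData` into the loop; both answers only walk the children), supports `-WhatIf` so the first pass only reports what would be removed, writes a CSV record of every ACE it strips so the change can be reviewed or reversed, and warns and continues on folders whose ACL it cannot read or write instead of stopping the whole run. `Remove-ExplicitAce`, the `-IdentityPattern` regex, the `-IncludeFiles` switch and the log path are names and defaults chosen here; it assumes an elevated session on Windows.

```powershell
# Added example (not the thread's own code). Strips explicit ACEs whose identity
# matches a regex from a folder tree, with dry run, CSV log and per-item error handling.
function Remove-ExplicitAce {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Regex tested against the ACE identity, e.g. 'CONTOSO\\.*-admin$' (assumed default)
        [string] $IdentityPattern = '-admin$',
        # CSV record of removed ACEs, one row per ACE (assumed default location)
        [string] $LogPath = (Join-Path $env:TEMP 'removed-aces.csv'),
        # Folders only by default, as in the question; files can carry explicit ACEs too
        [switch] $IncludeFiles
    )

    # The root itself plus everything below it (hidden/system items included via -Force)
    $targets = @(Get-Item -LiteralPath $Root -Force)
    $childParams = @{ LiteralPath = $Root; Recurse = $true; Force = $true }
    if (-not $IncludeFiles) { $childParams['Directory'] = $true }
    $targets += Get-ChildItem @childParams

    $removed = New-Object System.Collections.Generic.List[object]

    foreach ($item in $targets) {
        $path = $item.FullName
        try {
            $acl = Get-Acl -LiteralPath $path
        } catch {
            Write-Warning "Cannot read ACL on '$path': $($_.Exception.Message)"
            continue
        }

        # Only explicit ACEs are candidates; inherited ones must be fixed where they originate
        $candidates = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -match $IdentityPattern
        })
        if ($candidates.Count -eq 0) { continue }

        $summary = ($candidates | ForEach-Object {
            "$($_.IdentityReference):$($_.FileSystemRights):$($_.AccessControlType)" }) -join ', '
        # -WhatIf prints this and skips; -Confirm:$false suppresses the prompt
        if (-not $PSCmdlet.ShouldProcess($path, "Remove explicit ACE(s) $summary")) { continue }

        foreach ($ace in $candidates) {
            # RemoveAccessRule returns $false if nothing matched; record only real removals
            if (-not $acl.RemoveAccessRule($ace)) {
                Write-Warning "RemoveAccessRule made no change for $($ace.IdentityReference) on '$path'"
                continue
            }
            $removed.Add([pscustomobject]@{
                Path              = $path
                IdentityReference = $ace.IdentityReference.Value
                FileSystemRights  = $ace.FileSystemRights.ToString()
                AccessControlType = $ace.AccessControlType.ToString()
                InheritanceFlags  = $ace.InheritanceFlags.ToString()
                PropagationFlags  = $ace.PropagationFlags.ToString()
            })
        }

        try {
            Set-Acl -LiteralPath $path -AclObject $acl
        } catch {
            Write-Warning "Set-Acl failed on '$path': $($_.Exception.Message)"
        }
    }

    if ($removed.Count -gt 0) {
        $removed | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Append
        Write-Verbose "Logged $($removed.Count) removed ACE(s) to $LogPath"
    }
    $removed
}

# Dry run first, then the real run (paths and pattern are placeholders):
# Remove-ExplicitAce -Root 'D:\Shares\Data' -IdentityPattern '-admin$' -WhatIf
# Remove-ExplicitAce -Root 'D:\Shares\Data' -IdentityPattern '-admin$' -Confirm:$false -Verbose
```

Run it with `-WhatIf` and read the output before letting it write anything: an explicit ACE on a folder that has inheritance disabled may be the only thing granting access there, and removing it is what the CSV log exists to undo (each row carries the identity, rights, type and inheritance/propagation flags needed to rebuild the `FileSystemAccessRule`). Because the techs took ownership of these folders, the account running this needs to be able to read and write the DACL on them; an elevated administrator session normally can, and any folder it cannot touch shows up as a warning rather than aborting the run.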