
We have several servers in the same domain and the requirement is to remove a permission from a specific folder which is defined in the PowerShell script; I need to specify the name of the object that I'm going to delete and a list of the servers (giving a path to a text file is also okay). Is it possible to achieve this task via PowerShell?

E.g.: defined path (C:\Powershell), object name on the security tab (myname@domain.com), list of servers (SERVER01, Server02)

Also, this was the script that I tried:

# Get-NTFSAccess / Remove-NTFSAccess come from the NTFSSecurity module, not from PowerShell itself
Import-Module NTFSSecurity

$path = "C:\Powershell"

# Every account that has an entry on the folder, except the one to keep
$users = Get-NTFSAccess $path | Where-Object {$_.Account -ne "DOMAIN\Exclude"} | Select-Object Account

foreach ($user in $users) {
    $removalAccount = $user.Account
    Write-Host "Removing account - $($removalAccount)"
    # Remove both the Allow and the Deny FullControl entries for that account
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Allow
    Remove-NTFSAccess -Path $path -Account $removalAccount -AccessRights FullControl -AccessType Deny
}

Thanks !

Heisenberg

1 Answer


You're probably going to want to look at Get-Acl and Set-Acl. There are a couple of variables that could determine your method:

  • Are the permissions on the specific object always explicit and not inherited? (affects code)
  • Are you an administrator of each of the servers?
  • If yes, how is each server accessible on the network? (affects deployment method)

Example below - run from a machine logged on as a user with admin access to all required servers. For each server, get the ACL for your object via UNC (\\servername\c$\path), remove the desired ACL rule and then apply the modified ACL to the object.

Admittedly, accessing via UNC isn't perfect and might raise some eyebrows security-wise, but at least the code below should give you an indication of the kind of thing to investigate. I'd look at deploying a script using Group Policy or a management tool like SCCM rather than doing it in one hit remotely over UNC - depends how many servers you need to modify, I guess :)

$servers = "SERVER1","SERVER2","SERVER3"
$base_path = '\c$\Powershell'
$acl_name = "DOMAIN\User.Name"

foreach ($server in $servers){
    # Reach each server's folder through its administrative share
    $full_path = ("\\" + $server + $base_path)
    $acl_list = Get-Acl -Path $full_path
    # Only explicit entries can be removed here; inherited ones come from the parent folder
    $acls_to_remove = $acl_list.Access | Where-Object {($_.IdentityReference -eq $acl_name) -and ($_.IsInherited -eq $false)}

    foreach ($acl in $acls_to_remove){
        [void]$acl_list.RemoveAccessRule($acl)
    }

    # Write the modified ACL back once, after all matching rules have been removed
    if ($acls_to_remove) {
        Set-Acl -Path $full_path -AclObject $acl_list
    }
}

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-6

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-6
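The same Get-Acl / RemoveAccessRule / Set-Acl procedure, as an added example that is not part of the answer above, run through PowerShell Remoting (Invoke-Command) instead of the C$ admin share, reading the server list from a text file as the question asks, with a dry-run switch and a per-server record of what was removed. It assumes WinRM is enabled on the targets, the caller is a local administrator there, and a constructed file servers.txt (one hostname per line) sits beside the script.

```powershell
# Added example (not the answer's own code): remove one identity's explicit
# NTFS entries on a folder across many servers via PowerShell Remoting.
param(
    [string]$ServerList = ".\servers.txt",   # constructed: one hostname per line
    [string]$FolderPath = "C:\Powershell",
    [string]$Identity   = "DOMAIN\User.Name",
    [switch]$DryRun                           # report only, change nothing
)

$servers = Get-Content -Path $ServerList | Where-Object { $_.Trim() -ne "" }

$results = Invoke-Command -ComputerName $servers -ArgumentList $FolderPath, $Identity, $DryRun.IsPresent -ScriptBlock {
    param($path, $identity, $dryRun)

    $acl = Get-Acl -LiteralPath $path
    # Only explicit (non-inherited) rules can be removed on this object. Inherited
    # rules come from a parent folder and must be handled there (or by breaking
    # inheritance), so they are counted and reported rather than touched.
    $explicit  = @($acl.Access | Where-Object { $_.IdentityReference -eq $identity -and -not $_.IsInherited })
    $inherited = @($acl.Access | Where-Object { $_.IdentityReference -eq $identity -and $_.IsInherited })

    foreach ($rule in $explicit) {
        if (-not $dryRun) { [void]$acl.RemoveAccessRule($rule) }
    }
    # Write the modified DACL back once, after all removals, and only if something changed.
    if (-not $dryRun -and $explicit.Count -gt 0) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }

    # One audit record per server: what was (or would be) removed and what was skipped.
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        Path             = $path
        Removed          = @($explicit | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" })
        SkippedInherited = $inherited.Count
        DryRun           = $dryRun
    }
}

$results | Format-Table Server, Path, Removed, SkippedInherited, DryRun -AutoSize
```

Run it once with -DryRun and keep the output as the change record; servers that are unreachable over WinRM surface as non-terminating errors from Invoke-Command rather than silently being skipped.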