Removing all ACLs in a folder with PowerShell

I am new to PowerShell scripts (almost 1 month since I started learning PowerShell).

I am currently working on a script with PowerShell 2.0 to clear the NTFS ACL of a folder. I want to delete every ACL entry except the administrative ones.

My problem is that I cannot find a way to delete every ACL entry that is not an administrator's without knowing them.

So, I came here to look for professionals in the field of PowerShell.

+6
4 answers

This code removes acl:

    $acl = Get-Acl \\remote_server\share_folder\HAL.9000
    $acl.Access | %{$acl.RemoveAccessRule($_)}

This code adds an acl admin:

    # BUILTIN administrator
    $acl = Get-Acl \\remote_server\share_folder\HAL.9000
    $permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl \\remote_server\share_folder\HAL.9000 $acl

    # Domain controller administrator
    $acl = Get-Acl \\remote_server\share_folder\HAL.9000
    $permission = "DOMAINCONTROLLER\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl \\remote_server\share_folder\HAL.9000 $acl

Hope this helps someone :)

+8

For convenience, I copied / pasted all this together into a function. If it can be useful to anyone, here it is:

    Function Remove-ACL {
        [CmdletBinding(SupportsShouldProcess=$True)]
        Param(
            [parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]
            [ValidateNotNullOrEmpty()]
            [ValidateScript({Test-Path $_ -PathType Container})]
            [String[]]$Folder,
            [Switch]$Recurse
        )

        Process {
            foreach ($f in $Folder) {
                if ($Recurse) {$Folders = $(Get-ChildItem $f -Recurse -Directory).FullName} else {$Folders = $f}

                if ($Folders -ne $null) {
                    $Folders | ForEach-Object {
                        # Remove inheritance
                        $acl = Get-Acl $_
                        $acl.SetAccessRuleProtection($true,$true)
                        Set-Acl $_ $acl

                        # Remove ACL
                        $acl = Get-Acl $_
                        $acl.Access | %{$acl.RemoveAccessRule($_)} | Out-Null

                        # Add local admin
                        $permission = "BUILTIN\Administrators","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
                        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
                        $acl.SetAccessRule($rule)

                        Set-Acl $_ $acl

                        Write-Verbose "Remove-HCacl: Inheritance disabled and permissions removed from $_"
                    }
                }
                else {
                    Write-Verbose "Remove-HCacl: No subfolders found for $f"
                }
            }
        }
    }

Application:

    # For only one folder:
    Remove-ACL 'C:\Folder' -Verbose

    # For all subfolders:
    Remove-ACL 'C:\Folder' -Recurse -Verbose

    # Pipe stuff
    'C:\Folder 1', 'C:\Folder 2' | Remove-ACL -Verbose

+3

This code removes acl:

    $acl = Get-Acl \\remote_server\share_folder\HAL.9000
    $acl.Access | %{$acl.RemoveAccessRule($_)}

it doesn't work until you run

 Set-Acl \\remote_server\share_folder\HAL.9000 $acl 
+2

Why not create a new list. For instance:

    $identity = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetOwner($identity)
    $acl.SetGroup($identity)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None','Allow')
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)

    Set-Acl -LiteralPath "C:\MyFolder" -AclObject $acl
    Get-Acl -LiteralPath "C:\MyFolder" | Format-List

0
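
Added example (not part of any answer above and not the posters' code): the question asks how to strip every entry that is not an administrator's without knowing the other accounts in advance, and one way is to read the ACEs by SID, keep an allow-list, and remove the rest. The function name `Remove-NonAdminAce`, its `-KeepSid` parameter and the path `C:\Folder` are hypothetical; the allow-list of BUILTIN\Administrators and NT AUTHORITY\SYSTEM is an assumption.

```powershell
# Added example. Assumption: the allow-list holds the well-known SIDs of
# BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\SYSTEM (S-1-5-18).
function Remove-NonAdminAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$KeepSid = @('S-1-5-32-544', 'S-1-5-18')
    )

    # Step 1: stop inheriting, but copy the inherited ACEs in as explicit entries.
    # Inherited ACEs cannot be removed on the child, so this must be written first.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    if ($PSCmdlet.ShouldProcess($Path, 'Disable inheritance')) {
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }

    # Step 2: read the ACEs with SIDs as identities. Account names are localized and
    # orphaned accounts have no name at all; the SID is always present.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = @($acl.GetAccessRules($true, $true, $sidType))
    $remove  = @($rules | Where-Object { $KeepSid -notcontains $_.IdentityReference.Value })

    foreach ($rule in $remove) { $acl.RemoveAccessRuleSpecific($rule) }

    # Step 3: never write an ACL that leaves Administrators without an Allow entry.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $hasAdmin = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $adminSid.Value -and $_.AccessControlType -eq 'Allow'
    }).Count -gt 0
    if (-not $hasAdmin) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $adminSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Path, "Remove $($remove.Count) non-admin ACE(s)")) {
        Set-Acl -Path $Path -AclObject $acl
    }
    $remove   # emit what was (or, with -WhatIf, would be) removed, for the audit trail
}

# Dry run first, then apply (C:\Folder is a placeholder path):
# Remove-NonAdminAce -Path 'C:\Folder' -WhatIf | Format-Table IdentityReference, FileSystemRights
# Remove-NonAdminAce -Path 'C:\Folder'
```

Running it with `-WhatIf` changes nothing on disk and still returns the entries that would be removed, which gives a record to review before the real run.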

Source: https://habr.com/ru/post/891971/

