
clear NTFS permissions for specific users on set of folders

Here's a simple PowerShell script that removes a user's explicit NTFS permissions (ACEs) from every folder under a given root. It takes its list of users from a specific OU, but can quickly be edited to target a single username. If you are unsure what it will change, run it first with the Set-Acl lines commented out and review the log of what it would have touched. Always know what you are running, and use it carefully: it strips permissions for every account in the OU, with no confirmation prompt. Every change is written to a log file and summarised by email in case it is needed later. See the highlighted portions for the values you need to change.


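#######################################################################
# Revoke explicit NTFS ACEs for every user in an AD OU, across a folder
# tree, writing one log line per removal and mailing a summary.
#
# Usage:  .\RevokeFolderPerms.ps1            (makes the changes)
#         .\RevokeFolderPerms.ps1 -WhatIf    (reports only; no Set-Acl)
#
# Runs as the calling user: it needs read/enumerate on every folder under
# $RootPath and the right to write DACLs there (owner, Full Control or
# SeRestorePrivilege). Folders it cannot enumerate are skipped by
# Get-ChildItem, so the log reports how many were missed.
#
# Every account in $OU is processed with no further confirmation - make
# sure $OU really is the terminated-users OU before running.
#######################################################################
[CmdletBinding(SupportsShouldProcess = $true)]
param()

#######################################################################
################### Variables #########################################
#######################################################################
$RootPath = "\\WHAT.FOLDER.TO\CLEANUP"                  # tree to clean
$OU       = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN"               # who to revoke
$Domain   = "YOURNETBIOSNAME"                             # NetBIOS name as it appears in ACEs
$LogDir   = "\\YOUR.FILE.SHARE\Terms\FolderPermissionRevocation"
$MailFrom = "FolderRevocationReport@DOMAIN.DOMAIN"
$MailTo   = "SERVER@ADMINS.DOMAIN"
$SmtpHost = "YOUR.SMTP.RELAY"
#######################################################################
### Note: it is assumed that access granted via group membership is  ##
### removed by a separate termination process; this script only     ##
### touches ACEs that name the user directly.                        ##
#######################################################################

# Timestamp is ISO-8601 with the characters NTFS rejects swapped out, so
# log file names sort chronologically.
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'
Import-Module ActiveDirectory -ErrorAction Stop
$filename = "${date}___RevokeFolderPermsLog.csv"
$termlog  = "$LogDir\$filename"

# Email body is assembled as HTML fragments. ArrayList.Add() returns the
# new index, which would otherwise echo to the console, hence [void].
$br = "<br>"
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)
$found = $false   # set when anything worth mailing was logged

function Write-Log {
    # Append one line to the share log and the email body, and echo it.
    # -WhatIf:$false keeps the log itself being written during a dry run;
    # only the ACL changes are suppressed by -WhatIf.
    param([string]$Message)
    $Message | Out-File -FilePath $termlog -Append -WhatIf:$false
    [void]$emaillog.Add($Message)
    [void]$emaillog.Add($br)
    Write-Host $Message
    $script:found = $true
}

function Remove-UserAces {
    # Remove every explicit (non-inherited) ACE on $Path whose trustee is
    # one of $Identities. Inherited ACEs are skipped: RemoveAccessRuleAll
    # cannot remove them, and they are handled when their parent is walked.
    # Returns $true if at least one matching ACE was found (and removed,
    # unless -WhatIf is in effect).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string[]]$Identities)

    # -LiteralPath: folder names may contain [ ] which -Path treats as wildcards.
    $acl  = Get-Acl -LiteralPath $Path
    $hits = @($acl.Access | Where-Object {
        (-not $_.IsInherited) -and ($Identities -contains $_.IdentityReference.Value)
    })
    if ($hits.Count -eq 0) { return $false }

    if ($PSCmdlet.ShouldProcess($Path, "Remove $($hits.Count) ACE(s) for $($Identities[0])")) {
        foreach ($ace in $hits) {
            # RemoveAccessRuleAll drops every explicit ACE with the same
            # trustee and the same Allow/Deny type, so a user with both an
            # Allow and a Deny entry needs one call per entry type.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.RemoveAccessRuleAll($rule)
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $true
}

Write-Host "Getting users in: $OU"
# Only SamAccountName and SID are needed; -Properties * pulls every
# attribute for every user and is needlessly slow.
$users = @(Get-ADUser -SearchBase $OU -Filter * -ErrorAction Stop)
if ($users.Count -eq 0) {
    Write-Warning "No users found under $OU - nothing to do."
    return
}

Write-Host "Pre-loading subfolders of $RootPath ..."
$gciErrors  = @()
$SubFolders = @(Get-ChildItem -LiteralPath $RootPath -Recurse -ErrorVariable gciErrors -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer })
if ($gciErrors.Count -gt 0) {
    # Folders that could not be enumerated are NOT cleaned; say so, so the
    # operator knows the revocation may be incomplete.
    Write-Log "WARNING: $($gciErrors.Count) folder(s) under $RootPath could not be enumerated and were skipped."
}
$RootFolder = Get-Item -LiteralPath $RootPath -ErrorAction Stop
$verb = if ($WhatIfPreference) { "Would wipe" } else { "Wiped" }

foreach ($client in $users) {
    $username = $client.SamAccountName
    # ACEs show the trustee as DOMAIN\user while the account exists and as
    # a bare SID once it has been deleted; match on either form.
    $identities = @("$Domain\$username")
    if ($client.SID) { $identities += $client.SID.Value }

    Write-Host "Starting trawl of $RootPath for $username"
    if (Remove-UserAces -Path $RootFolder.FullName -Identities $identities) {
        Write-Log "${verb}: $username from RootFolder:$($RootFolder.FullName)"
    }

    $i = 0   # folders checked so far (incremented before use, so max == Count)
    $j = 0   # folders where an ACE for this user was found
    foreach ($SubFolder in $SubFolders) {
        $i++
        Write-Progress -Activity "Checking for: $username in: $($SubFolder.FullName)" `
            -Status "Cleared: $i of $($SubFolders.Count) folders... Located: $j instances." `
            -PercentComplete (($i / $SubFolders.Count) * 100)
        if (Remove-UserAces -Path $SubFolder.FullName -Identities $identities) {
            $j++
            Write-Log "${verb}: $username from SubFolder:$($SubFolder.FullName)"
        }
    }
}

if ($found) {
    $subject = "Folder Permission Revocation Log"
    if ($WhatIfPreference) { $subject += " (WhatIf - no changes made)" }
    $body = "The following actions have been taken and logged.<br> Log: '$termlog'  <font color='blue'><b><br> $emaillog </b></font>"
    Send-MailMessage -From $MailFrom -To $MailTo -Subject $subject -Body $body -BodyAsHtml -SmtpServer $SmtpHost
}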
