Here's a simple powershell script to remove NTFS permissions on a set of folders from a given root. Uses a list of users from a specific OU, but can quickly be edited for a single username. Any question about actual changes run without the set verbs. Always know what your running and use carefully! Simple logged output incase needed. See the highlighted portions for changing.


#######################################################################
################### Variables #########################################
#######################################################################
$RootPath = "\\WHAT.FOLDER.TO\CLEANUP
$OU = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN" ## who to revoke 
#######################################################################
### Note: Its assumed Group Membership secure access will be removed ## 
### by separate term process ##########################################
#######################################################################


$date = Get-Date -format o
$date = $date -replace('/','--')
$date = $date -replace(':','-')
import-module activedirectory
$filename = -join("$date","___RevokeFolderPermsLog.csv")
$termlog = "\\YOUR.FILE.SHARE\Terms\FolderPermissionRevocation\$filename" 
$blk = ".",".",".","."
[System.Collections.ArrayList]$emaillog = $blk
$br="<br>"
$emaillog.add("$br")
$emaillog.add("$br")
$found = $false

Write-Progress -activity "Getting users in: $OU"
Write-Host "Getting users in: $OU"
$users = Get-ADUser -SearchBase $OU -Filter * -properties * 
#$users
Write-Progress -activity "Pre-load subfolders..."
Write-Host "Pre-Load subfolders..."
$SubFolders = Get-ChildItem -path $RootPath -recurse -ev err -ea SilentlyContinue| ? {$_.psIscontainer -eq $true}

foreach ($client in $users)
{
$username = $client.SamAccountName
$ms = ''
$TermACLAccess=''
$TermACL=''
$AccessRule = ''
$i = 1
$j = 0

$RootFolder = Get-Item $RootPath
Write-Progress -activity "Startling trawl of: $RootFolder"
Write-Host -activity "Startling trawl of: $RootFolder"
$idref = -join("YOURNETBIOSNAME\","$Username")
$TermACLAccess = ($RootFolder | Get-Acl).Access | Where {$_.IdentityReference -eq $idref} | Add-Member -MemberType NoteProperty -Name "Path" -Value $($RootFolder.fullname).ToString() -PassThru
if ($TermACLAccess.IdentityReference -eq $idref)
{
    #$TermACLAccess
    $TermACL = Get-Acl $TermACLAccess.path
    #$TermACL
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($TermACLAccess.identityreference, $TermACLAccess.FileSystemRights, $TermACLAccess.InheritanceFlags, $TermACLAccess.PropagationFlags, $TermACLAccess.AccessControlType) 
    #$AccessRule

    $TermACL.RemoveAccessRuleAll($AccessRule)
    Set-Acl -Path $TermACLAccess.path -AclObject $TermACL

    $MS = -join("Wiped: ","$username"," from RootFolder:","$RootFolder")
    $MS | out-file $termlog -Append 
    $emaillog.add("$MS")  
    $emaillog.add("$br")
    Write-Progress -activity "Wiped $Username from RootFolder: $RootFolder"
    Write-Host "Wiped $Username from RootFolder: $RootFolder"
    $found = $true

}

#$SubFolders
    if ($SubFolders -eq $null) {break}
        foreach ($SubFolder in $SubFolders)
        {
        $i++  
        $TermACLAccess=''
        $TermACL=''
        $AccessRule = ''
        $TermACLAccess = ($SubFolder | Get-Acl).Access | Where {$_.IdentityReference -eq $idref -and $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $($SubFolder.fullname).ToString() -PassThru
        #$TermACLAccess
        Write-Progress -activity "Checking for: $username in: $subfolder... " -status "Cleared: $i of $($SubFolders.Count) folders... Located: $j instances." -percentComplete (($i / $SubFolders.Count)  * 100)
            if ($TermACLAccess.IdentityReference -eq $idref)
            {
            $j++
            $TermACL = Get-Acl $TermACLAccess.path
            #$TermACL
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($TermACLAccess.identityreference, $TermACLAccess.FileSystemRights, $TermACLAccess.InheritanceFlags, $TermACLAccess.PropagationFlags, $TermACLAccess.AccessControlType) 
            #$AccessRule

            $TermACL.RemoveAccessRuleAll($AccessRule)
            Set-Acl -Path $TermACLAccess.path -AclObject $TermACL
            $Pathy = $TermACLAccess.path
            Write-Progress -activity "Wiped $Username from SubFolder: $Pathy"
            Write-Host "Wiped $Username from SubFolder: $Pathy"
            $MS = -join("Wiped: ","$username"," from SubFolder:","$Pathy")
            $MS | out-file $termlog -Append 
            $emaillog.add("$MS")  
            $emaillog.add("$br")
            $found = $true
            }
        } 
}
if ($found = $true)
{
send-mailmessage -from "FolderRevocationReport@DOMAIN.DOMAIN" -to "SERVER@ADMINS.DOMAIN" -subject "Folder Permission Revocation Log" -body "The following actions have been taken and logged.<br> Log: '$termlog'  <font color='blue'><b><br> $emaillog </b></font>" –BodyasHtml -smtpServer YOUR.SMTP.RELAY
}