Removing advanced ntfs permissions in powershell

Similar Messages

• Most efficient/quickest way to set NTFS permissions in PowerShell

  Hello all,
  Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
  This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

  Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
  ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
  However:
  1.  I can't figure out how to make the inheritance parameter work with ICACLS
  2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
  Any tips on how to improve performance of ICACLS?
  1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (i will post corrected code later, this works in CMD but not powershell couse of bracers)
  2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
  I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking
  so long).
  For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
  dir $Path -Recurse | ForEach-Object {
  try {
  Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
  catch {
  Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
  return
  If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl
  / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
  Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times
  and averaged the results on a test system; this wasn't very rigorous testing):
  # Make sure that this folder and user/group exist:
  $Path = "D:\TestFolder"
  $Principal = "TestUser"
  # Native PowerShell/.NET -- Took about 15 ms
  $Acl = Get-Acl $Path
  $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
  $Principal,
  "Read", # [System.Security.AccessControl.FileSystemRights]
  "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
  "None", # [System.Security.AccessControl.PropagationFlags]
  "Allow" # [System.Security.AccessControl.AccessControlType]
  (Get-Item $Path).SetAccessControl($Acl)
  # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
  $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
  (Get-Item $Path).SetAccessControl($Acl)
  # icacls.exe -- Took about 40ms
  icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
  # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
  Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
  Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• Changing ntfs permissions

  This is a basic question.
  I have a windows 2012 server standard with a windows 8 client.On the server is a share AfdelingProductie. This share is on the client mapped to the drive S: for the user Flo_Fli. The user creates a document test.txt in the drive.I file explorer on the client
  I open properties of the document. Then i choose tab security, button advanced. There I want to change the ntfs permissions by disabling inheritance, removing group and adding a group with adapting the permissions. When I click apply: I get the message:access
  denied. Is it normal that I cannot change the ntfs permissions as owner with full control on the client?

  Hi,
  Please give the everyone group full control for share permission and then to change the NTFS permission.
  Regards.
  Vivian Wang

• Defining NTFS Permissions for High Volume Security

  The default NTFS file permissions for the boot volume in Windows 8.1 appear to give Modify access to "Authenticated Users".   That is really permissive.   I have a lot of folders I do not want anyone not authenticated as Administrator
  to touch.   Of course I could change every folder manually and test for side effects, but I am hoping someone has already tested this and has published a document.   I am looking for a detailed description of how to secure the volume so that ordinary
  users cannot modify attributes, filenames, or data for most files on the volume.
  Will

  Ronald, thanks for your reply.  Now we are talking the right topic.    
  1) How did you modify the root permissions?  One way to do that might be to remove Modify and Create authority for the "Authenticated Users" entity and replace that with just Read & Execute.
  2) I understand that Microsoft tightened things to prevent normal users from having modify access inside subfolders.   This works fine for well behaved applications that use things like the "Program Files" subfolder.   Unfortunately, many
  applications are badly behaved and put themselves directly under the root of the boot volume.  AMD for example puts its video drivers in c:\amd by default.     Since that folder inherits from the root, and the root gives permissive access to
  users to create and modify files, now many sensitive DLLs in this install folder could be easily modified by any user.
  One of the worst viruses I ever had was a denial of service virus that acted simply by hiding every single file on your file system.   We had locked down NTFS permissions but had forgotten to lock down file attributes.   It took forever to recover
  from that.   
  So, bottom line, I like to run as tight a file security as possible, and I like to stay logged in as a normal user and greatly restrict what normal users can change.    
  Microsoft definitely tightened things up in Windows 8 and that's great.
  Will

• Renaming folder resets NTFS permissions

  Hi
  I have installed a new file server, running Server 2012 R2. I have created a shared folder and set the NTFS permissions. I then renamed the folder and noticed that the NTFS permissions had ben removed and reset.
  I have never seen this behavior before, and I find it a bit worrying???
  Lasse
  /Lasse

  Hi Amy
  The steps I initially did:
  1. Create folder in the root of D:
  2. Disabled inheritance
  3. Added the necessary permissions (The user I use is a domain admin, and is also added)
  4. Shared the folder to Everyone with full control
  5. Right click on the shared folder and selected rename and gave the folder a different name
  6. Vupti dupti, the permissions has changed to the following:
  SYSTEM
  MY USERNAME
  Administrators (LocalServer\Administrators)
  I have just done the same thing on a different server, and it's the exact same behavior, both servers running Server 2012 R2.
  I have also tested it on a Server 2008 R2, and it gives me the same warning as you and if I press continue the folder is renamed and the permissions has NOT been changed.
  So it seems to be a Server 2012 R2 "issue".
  /Lasse

• Making NTFS permissions read/write without ability to create/delete folders

  Out at one of our job sites we have a server running Windows Server 2012 R2 that's got a file share accessible to our onsite people. Our project managers have devised a very strict folder structure for this file share, and for auditing purposes they want
  to stick as close to this structure as possible.
  Therefore, although people onsite must have read/write access to create, modify and delete files, they do not want them to be able to create or delete folders. They want them to use the existing folders and not tuck stuff away into folders that no one knows
  exists except the person who created them.
  The closest way I've found to do this is to deselect the advanced permissions 'Create folders / append data' and 'Delete subfolders and files.' This has a few side effects however, the most noticeable being that due to not being able to append data to files,
  certain files (such as CAD drawings) can't be edited by anyone except the person who created them.
  Is there a way using just NTFS permissions to accomplish what the project managers want? And if not, are there any useful third-party utilities that will help us do this?
  Thanks in advance for any assistance.

  Hi,
  I'm not much familiar with AutoCAD- what's the exact behavior which is stopped by the restricted folder permission?
  For example, if AutoCAD will create a folder in editing, we will not have a solution as users needed to create folders so that AutoCAD could run properly. 
  And if AutoCAD works like Office files, that create a temp file for editing, this will be the solution:
  1. Give Domain Admins - Full Control - This folder, subfolders and files.
  This is to allow all admin could access and edit all data.
  2. Give SpecificUsers group (a group contain all normal users) - Full Control without "Change permissions" and "Take Ownership" -
  Files Only.
  This is to give that group most permissions to create, edit and delete files but not Folders.
  3. Give SpecificUsers group another permission:
  Traverse folder
  List FOlder
  Read Attributes
  Read extended attributes
  Create files - this is important. Without this permission you will not able to save Office files. 
  Read permissions.
  Give above permissions to "This Folder, subfolders and files".
  This is to allow users to access all subfolders. 
  If you have any feedback on our support, please send to [email protected]

• Can't rename a single file to autorun.inf even all ntfs permissions are correct

  I have this odd problem:
  Logged in as Domin Administrator I couldn't  rename or open for editing an existing file "autorun.inf" even though all the ntfs permissions were correct. Every other files in the same directory (mainly .swf, .docx, .js and .htm files)
  are both editable and can be renamed.
  When I deleted the file "autorun.inf" from the folder and tried to create a new one with the same name, OS (Windows Server 2008 R2) notifies me that I "need permission to perform this action". Furthermore OS notifies me that "You
  require special permission from Administrators to make changes to this file". Neither can I copy a file named "autorun.inf" from another location to this folder. This is in spite of being logged in as Domain Admin.
  In short: I can't create a file called autorun.inf in a folder!
  Could  there be some kind of extra locking concerning files named autorun.inf i.e. some protective mechanism in this particular folder's permissions or SRV2008R2 itself that I've missed. All the other folders allow me to create whatever files i like
  into them.
  I would very much appreciate if anybody can help me with this.

  Yes, by default that will block any access to autorun.ini files. We use the same, so the issue sounded familiar, and of that I asked specificly to that :)
  Best Regards,
  Jesper Vindum, Denmark
  Systems Administrator
  Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

• Unexpected NTFS permissions behavior

  I am administering a home server running Windows 2008 R2 (accessed by several Windows 8.1 clients) and have run into an NTFS permissions issue I do not understand.
  On this server there is a S drive that contains all the online storage for our network.
  The structure of the S drive looks like this:
  Files
    Public
      VariousPublicFolders
    Private
      Person1
        Person1sStuff
      Person2
        Person1sStuff
  Temp
  Before any security modifications were made, the root of the S drive had the following permissions:
  SYSTEM : Full Control
  Administrators : Full Control
  Users : Read and Execute
  Also, all the above folders on this drive are owned by the Administrators group.
  Then I started changing permissions in order to satisfy my security requirements.
  For example, I disinherited permissions on Temp and allowed "Everyone" Full Control there.
  That works fine.
  What doesn't work fine is the permissions I am trying to set on the personal folders under the Private tree.
  I want to make sure no one else (other than administrators) has access to anyone's personal data  (the data in the Person1, Person2, etc folders).
  So I disinherted permissions on each of those folders and then explicity set the following:
  SYSTEM : Full Control
  Administrators : Full Control
  PersonX : Full Control
  This, I thought should work beautifully.
  I thought it should give each person full control of what happens in their personal folder, and also allow administrators and the system to get in there.
  But it is giving people in the Administrators group problems.
  I have a user called Custodian which is part of the Administrators group, and I use this user to do administrative tasks.
  As Custodian, when I try to access someone's personal folder in Explorer I am greeted with a message that says "You don't currently have permission to access this folder."
  Whaaaaat?
  I am offered "Click continue to permanently get access to this folder."
  If I say YES then Custodian is explicitly added to the folder ACL, and I can proceed to access the files there.
  But I don't want this.
  Custodian is already an Administrator, and Administrators already have full control of the folder.  Why should I even be prompted, and even worse, have my user unnecessarily added to the ACL?
  This is bad bad bad.
  I think what is going on is that UAC is coming into play.  I read somewhere that Administrators normally do not use their administrative token until they hit something that requires it, then UAC kicks in and asks to elevate them.  This would be
  fine if it happened.  I guess I wouldn't mind having to click OK to enter a folder that requires admin access.  But this is not what is happening.  I am just blanket denied until I explicitly add the Custodian account to the ACL.
  Can someone explain why an admin user is denied access to a folder having full control given to admins?  What is going on here?
  Can someone suggest a way to rig permissions so that my admin user doesn't have to be added explicity?
  I just want to be able to browse and alter the entire drive with ANY administrative user without being bothered to alter permissions.  I don't even mind being prompted for elevation, although honestly I'd prefer not to have that happen either.

  Thank you, Milos, for taking the time to look at this.
  RE: Making the post shorter, I'm not sure I could.  It's not an easy problem to state, and I tried to do so in as few words as possible, any less and I would be leaving out critical info.
  Here are your questions, answered.
  (2) Yes, I am using a workgroup.
  (3) An example calcs output
  S:\Files\Private\Scott DATABANK\Scott:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
  (4) The share permissions are full, yes, but this is immaterial.  I suffer the problem accessing the files locally/directly on the server.  I probably shouldn't have mentioned anything about the share.  It's just that the problem came to light
  while I WAS accessing the files through the share, but then I tried locally and still had the problem.
  I am unsure of what you mean in (5) (6) (7).  Could you elaborate?

• NTFS permissions - Only access to folders created by the user himself

  Hi,
  I once came by an TechNet article explaining how to set up the NTFS permission on a shared folder, so the users would have rights to create a subfolder, and then only have access to this folder, and none of the co-existing folders on the same level, created
  by similiar users.
  So in details, I have shared a folder called backup$, where the users needs access to create their own subfolder (will be done automatically by a script). And in case they would need to browse their way to the full path, I need to make sure, they won't be
  able to access folders created by other users.
  Any help is much appreciated.
  Martin Bengtsson | www.imab.dk

  Hi,
  I am not clear what are the rights you will set through the script for each sub-folder. You can verify, your settings using
  Effective Permission tool.
  You can more about Effective Permissions from the below URLs.
  http://technet.microsoft.com/en-us/library/cc772184.aspx
  http://technet.microsoft.com/en-us/magazine/2006.01.howitworksntfs.aspx
  <hr/>
  <br/>
  Regards,<br/>
  Jack<br/>
  <a href=http://www.jijitechnologies.com>JiJi Technologies</a>
  I'm sorry if my question is not clear. I'm looking for the correct NTFS permissions to set on the shared folder. No permissions are being set in the script.
  Martin Bengtsson | www.imab.dk

• Removing Advanced Pulldown from AVI files

  I've recently switched from Vegas 4.0 to Final Cut Pro 5.1 and I'm trying to remove the advanced pulldown from my AVI files. I tried using Cinema Tools and it could not use the AVI. Then I tried using FCP tools/remove advanced pulldown option and the file went offline. Can sombody tell me how to do this?
  Thanks

  It wasn't out of sync before. I shot it on the Panasonic DVX100 in 24pa. Removed the pulldown and edited the film in Vegas. Now I want to transfer it to FCP change it to 16X9 and make a 16X9 24P DVD in DVD Studio Pro. When I did copy it back to tape from Vegas I used LP instead of SP so I could fit the entire movie on a mini dv tape. Maybe that has something to do with it not being able to remove the pulldown during capture? I think I'm going to try and split it up into 2 tapes and record sp mode.
  Mac Pro 2.66   Mac OS X (10.4.7)   FCS

• Local NTFS permissions needed for Palm software?

  Does anyone know the NTFS permissions needed on the local computer for a standard user to run the Palm software?
  Post relates to: Palm TX

  Hello Cajuntank and welcome to the Palm forums.
  Palm Desktop needs to be installed with the local administrator priviledge during the install of Palm Desktop, the HotSync Manager, the first HotSyn sync, and the installation of any third-party conduits on the desktop.
  After that, the local admin rights can be revoked.
  Alan G

• How to create sharepoint Group with read only permissions using powershell for entire site ?

  How to create sharepoint Group with read only permissions using powershell for entire site (including subsites and top level site)

  Hi
  using (SPSite site = new SPSite(url))
  using (SPWeb web = site.OpenWeb())
  SPUserCollection users = Web.AllUsers;
  SPUser owner = users[string.Format("{0}{1}", "Domain", "Owner Username")];
  SPMember member = users[string.Format("{0}{1}", "Domain", "Default Member Username")];
  SPGroupCollection groups = Web.SiteGroups;
  string GroupName = “Super Exclusive”;//your group name
  string GroupDescription = “Super exclusive group description.”;
  groups.Add(GroupName, owner, member, GroupDescription);
  SPGroup NewSPGroup = groups[GroupName];
  SPRoleDefinition role = Web.RoleDefinitions["Read"];
  SPRoleAssignment roleAssignment = new SPRoleAssignment(NewSPGroup);
  roleAssignment.RoleDefinitionBindings.Add(role);
  Web.RoleAssignments.Add(roleAssignment);
  Web.Update();
  Please 'propose
  as answer' if it helped you, also 'vote
  helpful' if you like this reply.

• Coldfusion ignoring NTFS permissions

  I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
  CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages.  Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents.  Tested with an html page and html page is blocked properly.  It is my understanding that IIS passes the control to cf, cf diplays the cfm page. 
  Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings.  I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server.  I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
  I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
  Thanks!
  Tanya

  Tanya,
  This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+.  Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions.  I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders.  So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not.  Some use the <cflogin> features of ColdFusion; others roll their own.
  I could be completely off about this, though.  Do you use Application.cfc in your apps, or Application.cfm?  That may have a bearing as well.
  -Carl V.

• Remove Advanced Pulldown and Duplicate Frames

  I've been researching this but still have not figured it out:
  When I import Canon XF100 footage shot in 24fps from my CF card into FCP 7, in the "Log and Transfer" window under "Preferences", should I check or uncheck "Remove Advanced Pulldown and Duplicate Frames"?  My thought was to uncheck the box since it is a function specific to P2 cards and that it wouldn't make a difference either way for my footage.  Also (and I could be wrong), I didn't think any pulldown was necessary since I was shooting in 24fps.  However, when I examined 2 test clips taken through both paths, there was one noticeable difference: the unchecked clip is larger (644.8MB) than the checked (582.8MB).   Hmmmm....
  Does this mean the footage changes based on if that box is checked or not? 
  And in my shooting/import scenario, should I check or uncheck that box?
  Thank you.

  23.98 and 23.98
  > I have a few different cameras and some need pulldown and some don't but I've always left it checked under the > assumption that if there's nothing to pulldown it can't/won't and everything has been fine.
  good to know.  i agree.  based on my conversations with the canon xf software folks, they were not entirely sure whether or not to check the box, so it doesn't seem to be a significant impact on the work flow.
  thanks all for your input.