0
votes

Using a PowerShell script, how do you remove the Domain Users group's access to a folder?

Info:

In short, I am setting up personal folders for my users. I have scripted the following. It creates user folders and sets permissions. It is then supposed to remove read abilities from the Domain Users group for the newly created folder. The script runs with no errors but it will not remove the Domain Users read permissions. I would dump the group entirely but have not figured that part out yet. The block of commented code was giving errors so I went around it for now.

Script:

PARAM($Alias)

# Set-ADUser comes from the ActiveDirectory module
Import-Module ActiveDirectory

# Assign Drive letter/Home Drive Active Directory user
$HomeDrive='U:'
$UserRoot='\\server\User_data\'
$HomeDirectory=$UserRoot+'ittest'

SET-ADUSER ittest -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

# Create the folder on the root of the common Users Share
NEW-ITEM -path $HomeDirectory -type directory -force

$Domain='Domain'
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference=$Domain+'\'+'ittest'

# Set parameters for Access rule (commented out: this block was giving errors)
#$FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]::FullControl
#$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]::ContainerInherit
#$InheritanceFlags2=[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
#$PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
#$AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
#$UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)

# Build Access Rule from parameters
#$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)

$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)

# Add the Access Rule to the Home Folder ACL for the user and write it back
$HomeFolderACL.AddAccessRule($AccessRule)
SET-ACL -path $HomeDirectory -AclObject $HomeFolderACL

# Remove "domain user" read Access Rule from parameters
$domainuser =$Domain+'\'+'Domain Users'
$objUser = New-Object System.Security.Principal.NTAccount($domainuser)

$AccessRule2 = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($objUser,[System.Security.AccessControl.FileSystemRights]::READ,[System.Security.AccessControl.InheritanceFlags]::NONE,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::allow)

# Get current ACL from Home Folder, remove the rebuilt rule, write it back
$HomeFolderAclRead= GET-ACL $HomeDirectory
$HomeFolderAclRead.RemoveAccessRule($AccessRule2)
SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead

Thank you to all who replied and streamlined the code. Unfortunately it works up to the same point as the original code and provides this error.

# Set the ACLs for the path with the user added and the Domain Users group removed from the rule set
SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead

NEW-OBJECT : Cannot find an overload for "FileSystemAccessRule" and the argument count: "6".
At line:25 char:15
+ $AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($Us ...
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
True
Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
At line:40 char:41
+ SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead
+                                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

The error is related to how it is working with the variable and the constructor.

If I Change this

$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)

To

$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($IdentityReference,[System.Security.AccessControl.FileSystemRights]::FullControl,[System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.PropagationFlags]::None,[System.Security.AccessControl.AccessControlType]::Allow)

The script will continue but will give this error instead.

Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
At line:41 char:41
+ SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead
+                                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

2
Thank you all, I have updated my issue to show the results of the code.
PCGIZMO

2 Answers

1
votes

You aren't really specific here, so I'm going to make some assumptions. It looks like your folder already has Domain\Domain Users access set up through inheritance or something. If that's the case you do not need to create a rule like you are; the rule exists already, so you can just remove it.

#Create Domain Users object
$DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
#Get ACLs for folder
$ACLs = Get-ACL $HomeDirectory
#Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
$ACLs | Select -ExpandProperty Access | 
    Where{ $_.IdentityReference -eq $DomUsers } | 
    ForEach{ $ACLs.RemoveAccessRule($_) }
#Set the new set of ACLs back to the folder.
Set-ACL $HomeDirectory -ACLObject $ACLs

This will work with the existing rules, instead of trying to re-create the rule to be removed. That way you don't have to worry about getting the rule to be exact, because if the rule you make isn't exactly like the rule you're trying to remove it won't actually remove it, even if it is something stupid like the rule has different inheritanceflags or something.

I updated your script, and it should do what you want now with these modifications (you will need to update your Domain name):

PARAM($Alias="ittest")

# Assign Drive letter/Home Drive Active Directory user
$HomeDrive='U:'
$UserRoot='\\server\User_data\'
$HomeDirectory=$UserRoot+$Alias

SET-ADUSER $alias -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

# Create the folder on the root of the common Users Share
NEW-ITEM -path $HomeDirectory -type directory -force | Out-Null

$Domain='Domain'
$HomeFolderACL=GET-ACL $HomeDirectory
$IdentityReference= "$Domain\$Alias"

# Set parameters for Access rule
$FileSystemAccessRights= [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]::None
$AccessControl=[System.Security.AccessControl.AccessControlType]::Allow
$UserAccess=New-Object System.Security.Principal.NTAccount($IdentityReference)

# Build Access Rule from parameters
$AccessRule = NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule ($UserAccess,$InheritanceFlags,$IdentityReference,$FileSystemAccessRights,$PropogationFlags,$AccessControl)

# Add Access Rule to the Home Folder rule set for User
$HomeFolderACL.AddAccessRule($AccessRule)

### Remove "domain user" read Access Rule from parameters ###
# Create Domain Users object
$DomUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")

# Loop through Access Rules for the ACLs matching any that match the Domain Users object, and tell the ACL object to remove that rule
$HomeFolderACL | Select -ExpandProperty Access |
    Where{ $_.IdentityReference -eq $DomUsers } |
    ForEach{ $HomeFolderACL.RemoveAccessRule($_) }

# Set the ACLs for the path with the user added and the Domain Users group removed from the rule set
SET-ACL -path $HomeDirectory -AclObject $HomeFolderAclRead
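Before removing the Domain Users entry it is worth seeing where it actually comes from. The audit function below is an added example, not code from the question or from the answer above: it reads a home folder's ACL and reports whether Domain Users holds an Allow entry and whether that entry is explicit or inherited from the share root. It identifies the group by SID (the domain SID plus the well-known RID 513 of Domain Users) instead of by name string, and assumes the ActiveDirectory module, a domain-joined host, and the share path '\\server\User_data' from the question.

```powershell
# Added example: audit home folders for Domain Users access, explicit or inherited.
# Assumes the ActiveDirectory module and the '\\server\User_data' share from the question.
Import-Module ActiveDirectory

function Get-DomainUsersSid {
    # RID 513 is the well-known relative ID of "Domain Users" in every AD domain,
    # so matching on the SID is independent of how the group happens to be named.
    $domainSid = (Get-ADDomain).DomainSID.Value
    New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ("${domainSid}-513")
}

function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.Principal.SecurityIdentifier] $DomainUsersSid
    )
    $acl = Get-Acl -Path $Path
    # GetAccessRules(includeExplicit, includeInherited, targetType): ask for SIDs so the
    # comparison does not depend on name resolution against the domain controller.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hits = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $DomainUsersSid.Value -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })
    [pscustomobject]@{
        Path                 = $Path
        InheritanceEnabled   = -not $acl.AreAccessRulesProtected
        DomainUsersExplicit  = @($hits | Where-Object { -not $_.IsInherited }).Count
        DomainUsersInherited = @($hits | Where-Object { $_.IsInherited }).Count
        DomainUsersRights    = ($hits | ForEach-Object { $_.FileSystemRights }) -join ', '
    }
}

# Usage: list every folder directly under the share that still grants Domain Users access.
$sid = Get-DomainUsersSid
Get-ChildItem -Path '\\server\User_data' -Directory |
    ForEach-Object { Test-HomeFolderAcl -Path $_.FullName -DomainUsersSid $sid } |
    Where-Object { $_.DomainUsersExplicit -gt 0 -or $_.DomainUsersInherited -gt 0 } |
    Format-Table -AutoSize
```

If a folder reports DomainUsersInherited greater than zero and DomainUsersExplicit equal to zero, the pipeline in the answer has nothing to work on: RemoveAccessRule, like every other DACL modification on a FileSystemSecurity object, only touches explicit entries and leaves inherited ones alone, and Set-Acl then writes back an unchanged DACL without raising any error. That matches the question's symptom of a script that runs clean but leaves the read permission in place. In that case inheritance has to be broken on the folder first (SetAccessRuleProtection) so that the inherited entry becomes an explicit, removable copy.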

0
votes

Here is the final script I ended up using. Thanks for all the help!

PARAM($Alias)

# Import active directory module for running AD cmdlets
Import-Module ActiveDirectory

# Export the members of the group to a temporary CSV, then read it back into $List2
Get-ADGroupMember -Identity "FilteredDomainUsers" | Select-Object samaccountname | Export-Csv C:\export\temp_file1.csv

$List2 = Import-Csv -Header samaccountname C:\export\temp_file1.csv

# Loop through each user in the CSV
ForEach ($User in $List2)
{
    $string1 = $User.samaccountname.ToString()
    Write-Output $string1

    # Assign Drive letter/Home Drive Active Directory user
    $HomeDrive = 'U:'
    $UserRoot = '\\Server\User_data\'
    $HomeDirectory = $UserRoot + $string1

    Set-ADUser $string1 -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

    # Create the folder on the root of the common Users Share
    New-Item -Path $HomeDirectory -Type Directory -Force

    $Domain = 'domain'
    $HomeFolderACL = Get-Acl $HomeDirectory
    $IdentityReference = $Domain + '\' + $string1
    Write-Output $IdentityReference

    # Build Access Rule: Full Control for the user, inherited by subfolders (ContainerInherit only)
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($IdentityReference, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow)

    # Add the Access Rule to the Home Folder ACL and write it back
    $HomeFolderACL.AddAccessRule($AccessRule)
    Set-Acl -Path $HomeDirectory -AclObject $HomeFolderACL

    Write-Output $string1
}
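Putting the pieces of the thread together, here is a provisioning script added as an example; it is neither the answer's script nor the final script above, and the share, drive letter, group name and domain are assumptions taken from those scripts. It differs from them in the points that matter for a personal folder. The final script above adds the user's Full Control entry but contains no step that removes Domain Users at all, and both scripts build the user's entry with ContainerInherit only, which propagates to subfolders but not to files created in the folder. This version breaks inheritance from the share root while keeping copies of the inherited entries, strips every Allow entry for Domain Users and for the server's local Users group (a general NTFS caveat not mentioned in the thread: Domain Users is a member of BUILTIN\Users on a domain-joined machine, and the default root ACL grants BUILTIN\Users Read & Execute, which also inherits down), grants the owner Full Control on the folder, its subfolders and its files, and re-reads the ACL to confirm before moving on. It also uses the five-argument FileSystemAccessRule constructor (identity, rights, inheritance flags, propagation flags, type); the six-argument call quoted in the question's update has no matching overload, which is exactly what the "argument count: 6" error says, and the answer's final Set-ACL passes $HomeFolderAclRead, a variable its script never defines, which produces the null AclObject error.

```powershell
# Added example: provision home folders per group member and actually strip Domain Users.
# Not the answer's or the asker's script. Share, drive, group and domain names are assumptions
# taken from the thread. Requires the ActiveDirectory module and an account that is an
# administrator on the file server.
Import-Module ActiveDirectory

function Set-UserHomeFolderAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $UserAccount,   # 'DOMAIN\samaccountname'
        # SIDs whose Allow entries must not remain on a personal folder
        [Parameter(Mandatory = $true)] [System.Security.Principal.SecurityIdentifier[]] $StripSids
    )
    $acl = Get-Acl -Path $Path

    # Break inheritance from the share root but keep copies of the inherited entries
    # (isProtected = $true, preserveInheritance = $true). The Administrators and SYSTEM
    # entries survive as explicit copies; so does the Domain Users entry, now removable.
    $acl.SetAccessRuleProtection($true, $true)

    foreach ($sid in $StripSids) {
        # RemoveAccessRuleAll matches on identity and Allow/Deny only, so the probe rule's
        # rights and flags do not have to reproduce the entry being removed.
        $probe = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::ReadData,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.RemoveAccessRuleAll($probe)
    }

    # Full Control for the owner on the folder, its subfolders (ContainerInherit) and its
    # files (ObjectInherit). ContainerInherit alone leaves files without the entry.
    $grant = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $UserAccount,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($grant)

    Set-Acl -Path $Path -AclObject $acl

    # Re-read and verify; fail loudly rather than leave a folder every domain user can read.
    $after = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($sid in $StripSids) {
        $left = $after | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        }
        if ($left) { throw "Allow entry for $($sid.Value) is still present on $Path" }
    }
}

# Assumed environment values taken from the thread; adjust to your own.
$HomeDrive = 'U:'
$UserRoot  = '\\server\User_data'
$GroupName = 'FilteredDomainUsers'

$domain          = Get-ADDomain
$domainSidValue  = $domain.DomainSID.Value
$domainUsersSid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ("${domainSidValue}-513")  # Domain Users, RID 513
$builtinUsersSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-545')           # BUILTIN\Users

Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $sam  = $_.SamAccountName
        $path = Join-Path -Path $UserRoot -ChildPath $sam

        New-Item -Path $path -ItemType Directory -Force | Out-Null
        Set-ADUser -Identity $sam -HomeDrive $HomeDrive -HomeDirectory $path
        Set-UserHomeFolderAcl -Path $path -UserAccount "$($domain.NetBIOSName)\$sam" -StripSids @($domainUsersSid, $builtinUsersSid)

        Write-Output "Provisioned $path for $sam"
    }
```

Run it as an account that is an administrator on the file server, since breaking inheritance and rewriting the DACL on a folder you do not own requires that, and try it against a single test account before pointing it at the whole group. SetAccessRuleProtection($true, $true) keeps the Administrators and SYSTEM entries the share root handed down, so the script does not lock administrators out, while the now-explicit Domain Users entry can be removed. RemoveAccessRuleAll matches on identity and Allow/Deny only, which sidesteps the exact-match problem the answer describes, where a rebuilt rule with different rights or inheritance flags silently fails to remove anything.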