Solved

Remove Inherited Permission After Previous Attempt Canceled

Posted on 2013-12-10
8
396 Views
Last Modified: 2013-12-12
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through.  This left the root and some sub-folders without the permission and other sub-folders with the permission.  Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root.  Nor can I manually go to each folder and delete the permission because it is inherited from the root.  I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed.  Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
0
Comment
Question by:CIPortAuthority
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:Carl Bohman
ID: 39708483
There's no way to continue where you left off.  All you can do is perform the action again.

Did you execute the command in an administrative command prompt?  (I'm fairly certain it will not work unless you do.)

Have you tried executing that command on a specific directory rather than on *.*?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39708563
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply

This will remove the user from all sub folders and files if remained.

Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL

Mahesh
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 250 total points
ID: 39708708
You can use below mentioned powershell script to remove "Domain\user" from all subfolders.

This script is tested. Make sure executing powershell script is allowed in Windows 2008.





$user = 'domain\user' 
$folders = "F:\FOLDER" 
$acls = Get-Acl -path $folders 
$outputObject = @() 

Foreach($acl in $acls) 
{ 
 $folder = (convert-path $acl.pspath) 
  
  Foreach($access in $acl.access) 
  { 
    Foreach($value in $access.identityReference.Value) 
     { 
       if ($value -eq $user) 
          { 
           $acl.RemoveAccessRule($access) | Out-Null 
          } 
     } #end foreach value 
  } # end foreach access 
 Set-Acl -path $folder -aclObject $acl 
$i++ 
} 

Open in new window

0
 

Author Comment

by:CIPortAuthority
ID: 39709793
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions.  I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.

Thanks to everyone for the quick replies.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:CIPortAuthority
ID: 39709833
@ram_kerala:  Your script won't work properly in this case.  I should have mentioned that this folder tree is the store for our roaming profiles.  Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions).  When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object".  It seems the set-acl command will only work if the file is owned by the user running the command.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709840
Did you started powershell with admin privileges ?
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39710555
Like I said in my 1st comment, you must take ownership of root folder.
You can try subinacl tool to get ownership 1st
Logon to server as domain admins or account having built-in administrators group membership

Syntax:
subinacl /noverbose /subdirectories "D:\Sharefolderroot\*" /setowner=domain\user

OR

subinacl /noverbose /subdirectories "D:\Sharefolderroot\" /setowner=domain\user

Then you can try with either manual method I suggested or script provided by Ram
Subinacl can be downloaded from below link
http://www.microsoft.com/en-in/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:CIPortAuthority
ID: 39713880
In the end, I just re-added the permission back and then removed it again.  It just seemed easier to do then trying all the command line and scripting stuff.  Thanks for all your suggestions though.
0

Featured Post

Being driven mad by email signature updates?

Having to make a change to your users’ email signatures, yet again? Feel like your head is going to explode? Rely on an Exclaimer email signature management solution to make the process simple!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now