Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Remove Inherited Permission After Previous Attempt Canceled

Posted on 2013-12-10
8
Medium Priority
?
404 Views
Last Modified: 2013-12-12
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through.  This left the root and some sub-folders without the permission and other sub-folders with the permission.  Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root.  Nor can I manually go to each folder and delete the permission because it is inherited from the root.  I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed.  Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
0
Comment
Question by:CIPortAuthority
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:Carl Bohman
ID: 39708483
There's no way to continue where you left off.  All you can do is perform the action again.

Did you execute the command in an administrative command prompt?  (I'm fairly certain it will not work unless you do.)

Have you tried executing that command on a specific directory rather than on *.*?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39708563
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply

This will remove the user from all sub folders and files if remained.

Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL

Mahesh
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 1000 total points
ID: 39708708
You can use below mentioned powershell script to remove "Domain\user" from all subfolders.

This script is tested. Make sure executing powershell script is allowed in Windows 2008.





$user = 'domain\user' 
$folders = "F:\FOLDER" 
$acls = Get-Acl -path $folders 
$outputObject = @() 

Foreach($acl in $acls) 
{ 
 $folder = (convert-path $acl.pspath) 
  
  Foreach($access in $acl.access) 
  { 
    Foreach($value in $access.identityReference.Value) 
     { 
       if ($value -eq $user) 
          { 
           $acl.RemoveAccessRule($access) | Out-Null 
          } 
     } #end foreach value 
  } # end foreach access 
 Set-Acl -path $folder -aclObject $acl 
$i++ 
} 

Open in new window

0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 

Author Comment

by:CIPortAuthority
ID: 39709793
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions.  I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.

Thanks to everyone for the quick replies.
0
 

Author Comment

by:CIPortAuthority
ID: 39709833
@ram_kerala:  Your script won't work properly in this case.  I should have mentioned that this folder tree is the store for our roaming profiles.  Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions).  When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object".  It seems the set-acl command will only work if the file is owned by the user running the command.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709840
Did you started powershell with admin privileges ?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 39710555
Like I said in my 1st comment, you must take ownership of root folder.
You can try subinacl tool to get ownership 1st
Logon to server as domain admins or account having built-in administrators group membership

Syntax:
subinacl /noverbose /subdirectories "D:\Sharefolderroot\*" /setowner=domain\user

OR

subinacl /noverbose /subdirectories "D:\Sharefolderroot\" /setowner=domain\user

Then you can try with either manual method I suggested or script provided by Ram
Subinacl can be downloaded from below link
http://www.microsoft.com/en-in/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:CIPortAuthority
ID: 39713880
In the end, I just re-added the permission back and then removed it again.  It just seemed easier to do then trying all the command line and scripting stuff.  Thanks for all your suggestions though.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question