Solved

Remove Inherited Permission After Previous Attempt Canceled

Posted on 2013-12-10
8
401 Views
Last Modified: 2013-12-12
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through.  This left the root and some sub-folders without the permission and other sub-folders with the permission.  Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root.  Nor can I manually go to each folder and delete the permission because it is inherited from the root.  I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed.  Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
0
Comment
Question by:CIPortAuthority
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:Carl Bohman
ID: 39708483
There's no way to continue where you left off.  All you can do is perform the action again.

Did you execute the command in an administrative command prompt?  (I'm fairly certain it will not work unless you do.)

Have you tried executing that command on a specific directory rather than on *.*?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39708563
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply

This will remove the user from all sub folders and files if remained.

Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL

Mahesh
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 250 total points
ID: 39708708
You can use below mentioned powershell script to remove "Domain\user" from all subfolders.

This script is tested. Make sure executing powershell script is allowed in Windows 2008.





$user = 'domain\user' 
$folders = "F:\FOLDER" 
$acls = Get-Acl -path $folders 
$outputObject = @() 

Foreach($acl in $acls) 
{ 
 $folder = (convert-path $acl.pspath) 
  
  Foreach($access in $acl.access) 
  { 
    Foreach($value in $access.identityReference.Value) 
     { 
       if ($value -eq $user) 
          { 
           $acl.RemoveAccessRule($access) | Out-Null 
          } 
     } #end foreach value 
  } # end foreach access 
 Set-Acl -path $folder -aclObject $acl 
$i++ 
} 

Open in new window

0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Author Comment

by:CIPortAuthority
ID: 39709793
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions.  I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.

Thanks to everyone for the quick replies.
0
 

Author Comment

by:CIPortAuthority
ID: 39709833
@ram_kerala:  Your script won't work properly in this case.  I should have mentioned that this folder tree is the store for our roaming profiles.  Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions).  When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object".  It seems the set-acl command will only work if the file is owned by the user running the command.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709840
Did you started powershell with admin privileges ?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39710555
Like I said in my 1st comment, you must take ownership of root folder.
You can try subinacl tool to get ownership 1st
Logon to server as domain admins or account having built-in administrators group membership

Syntax:
subinacl /noverbose /subdirectories "D:\Sharefolderroot\*" /setowner=domain\user

OR

subinacl /noverbose /subdirectories "D:\Sharefolderroot\" /setowner=domain\user

Then you can try with either manual method I suggested or script provided by Ram
Subinacl can be downloaded from below link
http://www.microsoft.com/en-in/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:CIPortAuthority
ID: 39713880
In the end, I just re-added the permission back and then removed it again.  It just seemed easier to do then trying all the command line and scripting stuff.  Thanks for all your suggestions though.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question