CIPortAuthority
asked on
Remove Inherited Permission After Previous Attempt Canceled
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through. This left the root and some sub-folders without the permission and other sub-folders with the permission. Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root. Nor can I manually go to each folder and delete the permission because it is inherited from the root. I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed. Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply
This will remove the user from all sub folders and files if remained.
Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL
Mahesh
This will remove the user from all sub folders and files if remained.
Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL
Mahesh
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions. I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.
Thanks to everyone for the quick replies.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.
Thanks to everyone for the quick replies.
ASKER
@ram_kerala: Your script won't work properly in this case. I should have mentioned that this folder tree is the store for our roaming profiles. Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions). When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object". It seems the set-acl command will only work if the file is owned by the user running the command.
Did you started powershell with admin privileges ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
In the end, I just re-added the permission back and then removed it again. It just seemed easier to do then trying all the command line and scripting stuff. Thanks for all your suggestions though.
Did you execute the command in an administrative command prompt? (I'm fairly certain it will not work unless you do.)
Have you tried executing that command on a specific directory rather than on *.*?