Solved

Remove Inherited Permission After Previous Attempt Canceled

Posted on 2013-12-10
8
398 Views
Last Modified: 2013-12-12
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through.  This left the root and some sub-folders without the permission and other sub-folders with the permission.  Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root.  Nor can I manually go to each folder and delete the permission because it is inherited from the root.  I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed.  Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
0
Comment
Question by:CIPortAuthority
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:Carl Bohman
ID: 39708483
There's no way to continue where you left off.  All you can do is perform the action again.

Did you execute the command in an administrative command prompt?  (I'm fairly certain it will not work unless you do.)

Have you tried executing that command on a specific directory rather than on *.*?
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39708563
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply

This will remove the user from all sub folders and files if remained.

Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL

Mahesh
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 250 total points
ID: 39708708
You can use below mentioned powershell script to remove "Domain\user" from all subfolders.

This script is tested. Make sure executing powershell script is allowed in Windows 2008.





$user = 'domain\user' 
$folders = "F:\FOLDER" 
$acls = Get-Acl -path $folders 
$outputObject = @() 

Foreach($acl in $acls) 
{ 
 $folder = (convert-path $acl.pspath) 
  
  Foreach($access in $acl.access) 
  { 
    Foreach($value in $access.identityReference.Value) 
     { 
       if ($value -eq $user) 
          { 
           $acl.RemoveAccessRule($access) | Out-Null 
          } 
     } #end foreach value 
  } # end foreach access 
 Set-Acl -path $folder -aclObject $acl 
$i++ 
} 

Open in new window

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:CIPortAuthority
ID: 39709793
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions.  I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.

Thanks to everyone for the quick replies.
0
 

Author Comment

by:CIPortAuthority
ID: 39709833
@ram_kerala:  Your script won't work properly in this case.  I should have mentioned that this folder tree is the store for our roaming profiles.  Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions).  When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object".  It seems the set-acl command will only work if the file is owned by the user running the command.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709840
Did you started powershell with admin privileges ?
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39710555
Like I said in my 1st comment, you must take ownership of root folder.
You can try subinacl tool to get ownership 1st
Logon to server as domain admins or account having built-in administrators group membership

Syntax:
subinacl /noverbose /subdirectories "D:\Sharefolderroot\*" /setowner=domain\user

OR

subinacl /noverbose /subdirectories "D:\Sharefolderroot\" /setowner=domain\user

Then you can try with either manual method I suggested or script provided by Ram
Subinacl can be downloaded from below link
http://www.microsoft.com/en-in/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:CIPortAuthority
ID: 39713880
In the end, I just re-added the permission back and then removed it again.  It just seemed easier to do then trying all the command line and scripting stuff.  Thanks for all your suggestions though.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question