Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Remove Inherited Permission After Previous Attempt Canceled

Posted on 2013-12-10
8
Medium Priority
?
406 Views
Last Modified: 2013-12-12
I was attempting to remove a user permission from a large folder tree on a Windows Server 2008 R2 machine but I accidentally canceled the operation part way through.  This left the root and some sub-folders without the permission and other sub-folders with the permission.  Each sub-folder has an inherited set of permissions but it also has individual permissions so I can't just overwrite the all permissions from the root.  Nor can I manually go to each folder and delete the permission because it is inherited from the root.  I tried icacls *.* /remove "DOMAIN\User" /T and it went through and said it processed all of the files and folders but when I looked in Windows Explorer, nothing had changed.  Is there anyway of continuing the original delete process or do I have to add the user back and then remove the user again?
0
Comment
Question by:CIPortAuthority
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 13

Expert Comment

by:Carl Bohman
ID: 39708483
There's no way to continue where you left off.  All you can do is perform the action again.

Did you execute the command in an administrative command prompt?  (I'm fairly certain it will not work unless you do.)

Have you tried executing that command on a specific directory rather than on *.*?
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39708563
if you have root folder ownership, and if you have already removed user from root folder NTFS permissions, then simply what you can do, just go to root folder advanced security permissions and check their "Replace permissions" option at bottom and click apply

This will remove the user from all sub folders and files if remained.

Note that this will remove those users as well which you have explicitly added on any sub folders but not listed in root folder security ACL

Mahesh
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 1000 total points
ID: 39708708
You can use below mentioned powershell script to remove "Domain\user" from all subfolders.

This script is tested. Make sure executing powershell script is allowed in Windows 2008.





$user = 'domain\user' 
$folders = "F:\FOLDER" 
$acls = Get-Acl -path $folders 
$outputObject = @() 

Foreach($acl in $acls) 
{ 
 $folder = (convert-path $acl.pspath) 
  
  Foreach($access in $acl.access) 
  { 
    Foreach($value in $access.identityReference.Value) 
     { 
       if ($value -eq $user) 
          { 
           $acl.RemoveAccessRule($access) | Out-Null 
          } 
     } #end foreach value 
  } # end foreach access 
 Set-Acl -path $folder -aclObject $acl 
$i++ 
} 

Open in new window

0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:CIPortAuthority
ID: 39709793
@MaheshPM: I can't do the replace permissions thing because each sub-folder has some non-inherited permissions.  I would have to go back to each sub-folder and re-add these permissions.
@bounsy: I can't retry it because the permission I want to remove no longer exists at the base folder and I can't remove it from the unprocessed sub-folders because it is an inherited permission.
@ram_kerala: I am trying your script now and will post back when I have results.

Thanks to everyone for the quick replies.
0
 

Author Comment

by:CIPortAuthority
ID: 39709833
@ram_kerala:  Your script won't work properly in this case.  I should have mentioned that this folder tree is the store for our roaming profiles.  Each sub-folder under the root is owned by the user who's profile it is (this is also why each folder has different permissions).  When I try and run your script, I get a "The security identifier is not allowed to be the owner of this object".  It seems the set-acl command will only work if the file is owned by the user running the command.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39709840
Did you started powershell with admin privileges ?
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 39710555
Like I said in my 1st comment, you must take ownership of root folder.
You can try subinacl tool to get ownership 1st
Logon to server as domain admins or account having built-in administrators group membership

Syntax:
subinacl /noverbose /subdirectories "D:\Sharefolderroot\*" /setowner=domain\user

OR

subinacl /noverbose /subdirectories "D:\Sharefolderroot\" /setowner=domain\user

Then you can try with either manual method I suggested or script provided by Ram
Subinacl can be downloaded from below link
http://www.microsoft.com/en-in/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:CIPortAuthority
ID: 39713880
In the end, I just re-added the permission back and then removed it again.  It just seemed easier to do then trying all the command line and scripting stuff.  Thanks for all your suggestions though.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question