Remove NTFS User from Files and Folders

In a nutshell I'm trying to utilize PowerShell to remove an NTFS group from a directory, its sub-folders and files.

I've been trying to utilize the directions given here: Link

Here is what I have been entering into PowerShell.

Get-ChildItem -Path C:\02501 -Recurse | Get-NTFSAccess -Account MVPFILES01\Users -ExcludeInherited | Remove-NTFSAccess

As you can see I'm trying to remove MVPFILES01\Users from NTFS Permission ACL. It wasn't clear whether or not this command will remove them from the ACL or remove all permissions. Either way, the result is what I'm after.

The error I'm getting back is:
. : The term 'Get-NTFSPermissions' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:43
+ Get-ChildItem -Path C:\02501 -Recurse |.  Get-NTFSPermissions -Account MVPFILES0 ...
    + CategoryInfo          : ObjectNotFound: (Get-NTFSPermissions:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Your error does not match up with what command you say you've been using.  The error shows you've been using "Get-NTFSPermissions" while it looks like the command should be "Get-NTFSAccess".
Someone else had a similar problem, but with adding permissions.  Check out the response Here
mcanany (Author) Commented:
Footech. Thanks for pointing that out. That was a copy paste issue on my part because I was trying different things to make it work. I've updated the code.

Wcombee. I'll take a look at that thread.
mcanany (Author) Commented:
Wcombee I've seen that thread before asking this question. I was hoping it wasn't the same one but unfortunately I've tried putting the dot operator at the front of my script and it throws the same error.
Not sure where we stand now.  You've updated the code and are still getting an error?

If so, have you followed the instructions for installing the module (basically just placing the extracted contents in the right folder), and then loaded the module (Import-Module NTFSSecurity)?
mcanany (Author) Commented:
Wow... I can't believe I was overlooking adding the module files to the server where I'm running the PowerShell commands. I believe that worked, however, it is bringing me to a new problem.

MVPFILES01\Users is obviously a local group not a local user account.

In the example I'm using the Parameter -Account and it doesn't like this. Is there an alternative parameter to identify it as a group instead of an individual account?

New Error:
Get-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "MVPFILES01\Users" to type
"Security2.IdentityReference2". Error: "Some or all identity references could not be translated."
At line:1 char:65
+ Get-ChildItem -Path C:\02501 -Recurse | Get-NTFSAccess -Account MVPFILES01\Users ...
    + CategoryInfo          : InvalidArgument: (:) [Get-NTFSAccess], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,NTFSSecurity.GetAccess
I missed that you were trying to do it for a users group, not a single account.  You may have to actually disable inheritance. This blog gives a lot of useful stuff about this, including removing inheritance.
mcanany (Author) Commented:
The files and folders I'm trying to impact already have inheritance disabled. So we should be fine in that regard. I understand you can't pull off an account from the ACL if it is inherited from a folder above it.

Because of this, I knew we could go ahead and ignore items that have inherited permissions so I used this switch;
You may need to look up the SID for the users group, and do it by SID instead of by name. That, as far as I know, other than inheritances, is the only way to remove groups by the PowerShell command.

It shouldn't matter whether it's a group or individual account, they're all just identities.  I have run a command like 'Get-NTFSAccess -Account "BUILTIN\Administrators"' and it works as expected.
mcanany (Author) Commented:
Wcombee - Doing it with the SID instead of the group name worked.

Footech - thanks for helping me realize I hadn't installed the module.
mcanany (Author) Commented:
Just to recap, if someone else comes across this: make sure you have the module files loaded for PowerShell and either use the SID or the Builtin\**** convention.

Thanks guys.
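
The thread's resolution as one script (an added example, not posted by any participant): it confirms the NTFSSecurity module is loaded, resolves the group to a SID, and previews the explicit ACL entries before removing them. Only C:\02501, MVPFILES01\Users and the NTFSSecurity cmdlets come from the thread; the BUILTIN\Users fallback (which assumes the group is the built-in Users group), the `$Apply` toggle and the `Resolve-GroupSid` helper are assumptions made here.

```powershell
# Added example, not from the thread. Run on the server that holds the files.
$Root  = 'C:\02501'                              # directory from the question
$Names = 'MVPFILES01\Users', 'BUILTIN\Users'     # name as typed, then the BUILTIN\ form (assumption)
$Apply = $false                                  # hypothetical toggle: $true actually removes

# 1. The cmdlets are only recognized once the module is installed and imported.
if (-not (Get-Module -ListAvailable -Name NTFSSecurity)) {
    throw 'NTFSSecurity was not found in any $env:PSModulePath folder; install it first.'
}
Import-Module NTFSSecurity -ErrorAction Stop

# 2. Resolve the group name to a SID so -Account does not depend on name translation.
#    Hypothetical helper: tries each candidate name until one translates.
function Resolve-GroupSid {
    param([string[]]$Candidate)
    foreach ($name in $Candidate) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($name)
            return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Same failure as in the thread: "identity references could not be translated"
            Write-Warning "Could not translate '$name'; trying the next candidate."
        }
    }
    throw "None of these names resolved to a SID: $($Candidate -join ', ')"
}
$sid = Resolve-GroupSid -Candidate $Names        # built-in Users is S-1-5-32-545
Write-Host "Using SID $sid"

# 3. Collect explicit (non-inherited) entries for that SID.
#    Get-ChildItem -Recurse skips the root folder itself, so add it explicitly.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$aces  = $items | Get-NTFSAccess -Account $sid -ExcludeInherited

# 4. Preview first; remove only when $Apply has been set to $true.
$aces | Out-Host
Write-Host "$(@($aces).Count) explicit entries found for $sid under $Root"
if ($Apply -and $aces) {
    $aces | Remove-NTFSAccess
    # Verify: this should now return nothing.
    $items | Get-NTFSAccess -Account $sid -ExcludeInherited | Out-Host
}
```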