mcanany
asked on
Remove NTFS User from Files and Folders
In a nutshell I'm trying to utilize PowerShell to remove an NTFS group from a directory, its sub-folders and files.
I've been trying utilize the directions given here: Link
Here is what I have been entering into PowerShell.
As you can see i'm trying to remove MVPFILES01\Users from NTFS Permission ACL. It wasnt clear whether or not this command will remove them from the ACL or remove all permissions. Either way, the result is what I'm after.
The error I'm getting back is:
. : The term 'Get-NTFSPermissions' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:43
+ Get-ChildItem -Path C:\02501 -Recurse |. Get-NTFSPermissions -Account MVPFILES0 ...
+
+ CategoryInfo : ObjectNotFound: (Get-NTFSPermissions:Strin g) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
I've been trying utilize the directions given here: Link
Here is what I have been entering into PowerShell.
Get-ChildItem -Path C:\02501 -Recurse | Get-NTFSAccess -Account MVPFILES01\Users -ExcludeInherited | Remove-NTFSAccess
As you can see i'm trying to remove MVPFILES01\Users from NTFS Permission ACL. It wasnt clear whether or not this command will remove them from the ACL or remove all permissions. Either way, the result is what I'm after.
The error I'm getting back is:
. : The term 'Get-NTFSPermissions' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:43
+ Get-ChildItem -Path C:\02501 -Recurse |. Get-NTFSPermissions -Account MVPFILES0 ...
+
+ CategoryInfo : ObjectNotFound: (Get-NTFSPermissions:Strin
+ FullyQualifiedErrorId : CommandNotFoundException
Your error does not match up with what command you say you've been using. The error shows you've been using "Get-NTFSPermissions" while it looks like the command should be "Get-NTFSAccess".
Someone else had a similar problem, but with adding permissions. Check out the response Here
ASKER
Footech. Thanks for pointing that out. That was a copy paste issue on my part because I was trying different things to make it work. I've updated the code.
Wcombee. I'll take a look at that thread.
Wcombee. I'll take a look at that thread.
ASKER
Wcombee I've seen that thread before asking this question. I was hoping it wasn't the same one but unfortunately I've tried putting the dot operator at the front of my script and it throws the same error.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Wow... I cant believe I was overlooking adding the module files to server where I'm running the powershell commands. I believe that worked, however, it is bringing me to a new problem.
MVPFILES01\Users is obviously a local group not a local user account.
In the example I'm using the Parameter -Account and it doesn't like this. Is there an alternative parameter to identify it as a group instead of an individual account?
New Error:
Get-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "MVPFILES01\Users" to type
"Security2.IdentityReferen ce2". Error: "Some or all identity references could not be translated."
At line:1 char:65
+ Get-ChildItem -Path C:\02501 -Recurse | Get-NTFSAccess -Account MVPFILES01\Users ...
+
+ CategoryInfo : InvalidArgument: (:) [Get-NTFSAccess], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMes sage,NTFSS ecurity.Ge tAccess
MVPFILES01\Users is obviously a local group not a local user account.
In the example I'm using the Parameter -Account and it doesn't like this. Is there an alternative parameter to identify it as a group instead of an individual account?
New Error:
Get-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "MVPFILES01\Users" to type
"Security2.IdentityReferen
At line:1 char:65
+ Get-ChildItem -Path C:\02501 -Recurse | Get-NTFSAccess -Account MVPFILES01\Users ...
+
+ CategoryInfo : InvalidArgument: (:) [Get-NTFSAccess], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMes
I missed that you were trying to do it for a users group, not a single account. You may have to actually disable inheritance, This blog gives a lot of useful stuff about this, including removing inheritance.
ASKER
The files and folders I'm trying to impact already have inheritance disabled. So we should be fine in that regard. I understand you can't pull off an account from the ACL if it is inherited from a folder above it.
because of this, I knew we could go ahead and ignore items that have inherited permissions so I used this switch;
-ExcludeInherited
because of this, I knew we could go ahead and ignore items that have inherited permissions so I used this switch;
-ExcludeInherited
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It shouldn't matter whether it's a group or individual account, they're all just identities. I have run a command like "Get-NTFSAccess -Account "BUILTIN\Administrators" and it works as expected.
ASKER
Wcombee - Doing it with the SID instead of the group name worked.
Footech - thanks for helping me realize I hadn't installed the module.
Footech - thanks for helping me realize I hadn't installed the module.
ASKER
Just to recap. If someone else comes across this. Make sure you have the module files loaded for PowerShell and either use the SID or the Builtin\**** convention.
Thanks guys.
Thanks guys.