Powershell script to rip out all permissions from parent folder down

Andrew N. Kowtalo
Andrew N. Kowtalo used Ask the Experts™
on
Can anyone provide me a link and or a power shell script for Windows Server 2008 that will strip every folders permission away from the top parent?  Currently one of our clients has file permissions so messed up with embedded admin privileges i groups that are located in sub groups of groups that no matter what we try we are not able to adjust permissions properly.   I was thinking of just ripping the entire permissions out and then starting over and handing them down again properly.    Inherited permissions have been removed from the sub folders under the parent but access is so messed up that I am unable to fix this correctly.   Some how the domain administrator login is linking itself to the folders which it normally should, however it is allowing regular domain users the ability to view the folders contents even though they have no permission to the folder.  Whether or not we set the owner of that particular folder with the right permissions it does not matter.  So I am trying to come up with a fast efficient way to fix this since the previous company that managed this client just made up admin groups and gave admin access to groups within groups making it almost impossible to try and pinpoint where the problem is.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
NVITEnd-user support

Commented:
This will reset perms to inherit from parent.
You should try it on one folder first:
icacls d:\parentfolder\folder1* /reset /t /c /l /q

Open in new window


Then, you can apply new perms.

Example. Give Domain Users Read and Execute:

icacls d:\parentfolder\folder1* "Domain Users":(OI)(CI)RX /t

Open in new window


Example. Give Domain Users Modify right:

icacls d:\parentfolder\folder1* "Domain Users":(OI)(CI)M /t

Open in new window

Andrew N. KowtaloSupport Center Engineer

Author

Commented:
Hi NVIT I think I would need to do this after hours.   I can make a folder and test it out.   We are in such a dire situation with this company because of terrible mismanagement from the previous company that we are trying to do the impossible.
NVITEnd-user support

Commented:
Yes. It's safer that way. If you can't wait, you could look for a folder that is hardly accessed by users and try it. This will build your confidence that it works

Here's a useful page w/ more info: https://ss64.com/nt/icacls.html
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Andrew N. KowtaloSupport Center Engineer

Author

Commented:
Will this work for server 2008?
NVITEnd-user support

Commented:
Yes. I've used it in Windows 7, 10 and 2008 R2 successfully.
NVITEnd-user support

Commented:
For your sanity, test it on a smaller folder tree.
Andrew N. KowtaloSupport Center Engineer

Author

Commented:
Are you suggesting I create a parent with 3-4 sub folders set the permissions and then run it?
End-user support
Commented:
If this will duplicate the issue, that should work.
Andrew N. KowtaloSupport Center Engineer

Author

Commented:
Fantastic on the spot help I hope I can get my problem resolved.
Andrew N. KowtaloSupport Center Engineer

Author

Commented:
Thanks again.   I will let you know how it goes.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial