Troubleshooting Question

PowerShell script

Jerry Seinfield, 63 Views, Last Modified: 2020-10-05
Hi Experts,
I came across this script, which is exactly what I need to resolve another case posted a few days ago.

Can you please help me integrate the following code and include an input CSV file that contains SamAccountNames and the path of the OneDrive folder? Essentially, I want the script below to work for a bunch of users that are listed in an input CSV file.
Script

$objUser = New-Object System.Security.Principal.NTAccount("AD\S-*")
$objAdmin = New-Object System.Security.Principal.NTAccount("BUILTIN\ADMINISTRATORS")
$colRights = [System.Security.AccessControl.FileSystemRights]"CreateFiles, AppendData"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$folder = "C:\Users\JohnWayne\OneDrive - Company Inc"

#removes all inheritance for the folder
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
#combine the variables into a single filesystem access rule
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objADMIN  = New-Object System.Security.AccessControl.FileSystemAccessRule($objAdmin, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

#get the current ACL from the folder
$objACL = get-acl "$folder"

#remove the access permissions from the ACL variable

$objACL.removeaccessruleall($objACE)
$objACL.removeaccessruleall($objADMIN)

#remove the permissions from the actual folder by re-applying the modified ACL

set-acl "$folder" $objACL

Perhaps with code like this:
$Userlistpath = Import-CSV -Path "C:\Temp\ODMigration\usersandpath.csv"
ForEach ($User in $Userlistpath)
{
$Valuepath = $User.Localpath
$Valueuser = $user.Samaccountname

and then perform all actions of the original script above.

Reference

http://www.vsysad.com/2015/04/powershell-script-to-remove-permissions-inheritance-from-a-folder-then-remove-users-group-access-to-it/

Jerry Seinfield, Systems Engineer (Author), commented:
InputFile structure below


Jerry Seinfield, Systems Engineer (Author), commented:
So, I wrote the following script using the link above as a reference, but I am getting the following errors.

Code below
$objUser = New-Object System.Security.Principal.NTAccount("AD\S-*")
$objAdmin = New-Object System.Security.Principal.NTAccount("BUILTIN\ADMINISTRATORS")
$colRights = [System.Security.AccessControl.FileSystemRights]"CreateFiles, AppendData"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$folder = Import-CSV -Path "C:\Temp\ODMigrationNew\usersandpath.csv"

ForEach ($User in $folder)
{
$Valuepath = $User.Localpath
$Valueuser = $user.Samaccountname

#removes all inheritance for the folder
$acl = Get-ACL -Path $folder
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl

#combine the variables into a single filesystem access rule
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objADMIN  = New-Object System.Security.AccessControl.FileSystemAccessRule($objAdmin, $colRights, $InheritanceFlag, $PropagationFlag, $objType)


#get the current ACL from the folder

$objACL = get-acl "$folder"


#remove the access permissions from the ACL variable

$objACL.removeaccessruleall($objACE)
$objACL.removeaccessruleall($objADMIN)

#remove the permissions from the actual folder by re-applying the modified ACL

set-acl "$folder" $objACL

}


Error below


CERTIFIED EXPERT (Most Valuable Expert 2019, Most Valuable Expert 2018) commented:
Try it like this:
Function Repair-OneDriveAcl {
[CmdletBinding()]
Param(
	[String]$Path,
	[String]$Principal
)
	Try {
		$accountUser = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Principal
		$accountAdmin = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators'
		$fileSystemRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
		$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
		$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
		$accessType = [System.Security.AccessControl.AccessControlType]::Allow

		# removes all inheritance for the folder
		$acl = Get-Acl -Path $Path
		$acl.SetAccessRuleProtection($true, $true)
		Set-Acl -Path $Path -AclObject $acl
		
		# combine the variables into a single filesystem access rule
		$aceUser = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $accountUser, $fileSystemRights, $inheritanceFlag, $propagationFlag, $accessType
		$aceAdmin = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $accountAdmin, $fileSystemRights, $inheritanceFlag, $propagationFlag, $accessType

		# get the current ACL from the folder
		$acl = Get-Acl -Path $Path

		# remove the access permissions from the ACL variable
		$acl.RemoveAccessRuleAll($aceUser)
		$acl.RemoveAccessRuleAll($aceAdmin)

		# remove the permissions from the actual folder by re-applying the modified ACL
		Set-Acl -Path $Path -AclObject $acl
	} Catch {
		$PSCmdlet.WriteError($_)
	}
}

Import-Csv -Path "C:\Temp\ODMigrationNew\usersandpath.csv" | ForEach-Object {
	Write-Host "Processing $($_.SamAccountName)"
	Repair-OneDriveAcl -Path $_.LocalPath -Principal "${env:UserDomain}\$($_.SamAccountName)"
}


Jerry Seinfield, Systems Engineer (Author), commented:
Thank you so much,

It ran without any issues; however, it only removes Administrators from the OneDrive folder.
Can you please make sure that the following groups are also removed from the OD folder, the same as you did for Administrators?

The Domain Admins and SG-Global Local Desktop Administrators groups are usually added to all PCs for administration purposes, but in this case, since we want to restrict all admin access to the user's OneDrive folder, they need to be removed.

Can you please send the updated final code? Again, your script works fine; it only needs to take care of these 2 groups.


Jerry Seinfield, Systems Engineer (Author), commented:
Any updates or thoughts?
CERTIFIED EXPERT (Most Valuable Expert 2019, Most Valuable Expert 2018) commented:
Jerry Seinfield, Systems Engineer (Author), commented:
thanks

Should I replace "UserDomain}\Domain Admins" with my domain name? AD\Domain Admins


CERTIFIED EXPERT (Most Valuable Expert 2019, Most Valuable Expert 2018) commented:
Not necessary, assuming you're logged on with a user from the same domain.
Jerry Seinfield, Systems Engineer (Author), commented:
Hi oBdA,

Thanks for your incredible support and professionalism.

Your script works fine, but I believe I failed to explain the requirements of the script somehow.

What we are trying to accomplish here is to restrict the access of all admin accounts that somehow inherited permissions via GPO (for local and domain accounts) to the OneDrive folder. In order to achieve that, we would like to convert inherited permissions into explicit permissions on this object (the OneDrive folder), and then remove all admin accounts and leave only the owner of the folder, which in this case is the user.

When we disable inheritance with the script, we are telling it to add directly all the permissions that the folder implicitly had.
The script is just deleting the local Admin permission, and all the others stay there.
$accountsOther = 'BUILTIN\Administrators', "${env:AD}\Domain Admins", "${env:AD}\SG-Global Local Desktop Administrator"
Remember, when you disable inheritance, you are selecting that the permissions you had become explicit. Therefore the above line should not work; it is not removing the admin accounts that were inherited and stayed there.

I apologize for the confusion here,

Would it be possible for you to send me the final script based on the comments above? Again, your script works like a champion; it is just a matter of adding this condition.


Jerry Seinfield, Systems Engineer (Author), commented:
Any updates or thoughts?
Jerry Seinfield, Systems Engineer (Author), commented:
This is an issue because for any admin who logs into any computer using their support admin account that has the format AD\S-Username, their name will be inherited by all folders, so we need to remove any user with the format or account name of S-username from the security of the OneDrive folder.

Any other suggestions for the final script sent today by oBdA?
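The three follow-up requests above (also strip Domain Admins and the SG-Global Local Desktop Administrators group, keep only the user after inheritance is broken, and remove any AD\S-* support admin account) can be handled in one pass by enumerating the now-explicit ACEs instead of constructing one rule per principal. The block below is an added example written for this page; it is not code from the thread and not oBdA's locked solution. It assumes the CSV has the SamAccountName and LocalPath columns shown in the question, that the domain prefix is $env:USERDOMAIN as in the earlier answer, that the script runs elevated on the PC holding the profile, and that the group names are exactly as the asker spelled them (not verified here). The function name Protect-OneDriveFolder and the parameter names are this example's own.

```powershell
# Added example, not from the thread. Assumes CSV columns SamAccountName and
# LocalPath, domain = $env:USERDOMAIN, elevated session on the target PC.
function Protect-OneDriveFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Domain = $env:USERDOMAIN,
        # Explicit principals to strip: local admins plus the GPO-added groups
        # named in the thread (group names assumed as the asker wrote them)
        [string[]] $RemovePrincipal = @(
            'BUILTIN\Administrators',
            "$Domain\Domain Admins",
            "$Domain\SG-Global Local Desktop Administrators"),
        # Wildcard for support admin accounts such as AD\S-jdoe
        [string] $RemovePattern = "$Domain\S-*",
        # Never removed: the OS itself needs SYSTEM on profile folders
        [string[]] $KeepPrincipal = @('NT AUTHORITY\SYSTEM')
    )

    $owner = "$Domain\$SamAccountName"
    $keep  = @($KeepPrincipal) + $owner

    # Step 1: break inheritance. ($true, $true) protects the DACL and copies
    # every inherited ACE onto the folder as an explicit ACE, which is what
    # makes it removable in step 2.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the now-explicit DACL and drop every ACE whose identity
    # is on the remove list or matches the S-* pattern. Iterate over a copy of
    # Access because RemoveAccessRuleAll mutates the collection.
    $acl = Get-Acl -Path $Path
    $removed = [System.Collections.Generic.List[string]]::new()
    foreach ($ace in @($acl.Access)) {
        $who = $ace.IdentityReference.Value              # e.g. 'AD\S-jdoe'
        if ($keep -contains $who) { continue }            # -contains ignores case
        $match = ($RemovePrincipal -contains $who) -or ($who -like $RemovePattern)
        if (-not $match) { continue }
        if ($PSCmdlet.ShouldProcess($Path, "Remove $($ace.AccessControlType) ACEs for $who")) {
            # Matches on identity + Allow/Deny only; the rights in $ace are ignored,
            # so one call clears every ACE that principal had on the folder.
            $acl.RemoveAccessRuleAll($ace)
            $removed.Add($who)
        }
    }

    # Step 3: make sure the user keeps Full Control explicitly, in case the
    # only ACE granting it came through a group that was just stripped.
    $userRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $owner,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($userRule)
    Set-Acl -Path $Path -AclObject $acl

    # Step 4: report from the in-memory ACL. A fresh Get-Acl needs READ_CONTROL,
    # which the elevated account running this no longer has once
    # BUILTIN\Administrators is gone (unless that account owns the folder).
    [pscustomobject]@{
        Path      = $Path
        Removed   = @($removed | Sort-Object -Unique)
        Remaining = @($acl.Access | ForEach-Object {
            '{0} {1}: {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights })
    }
}

# Dry run first with -WhatIf, then drop it for real. One user's error does not
# stop the loop; $row is captured because $_ inside catch is the error record.
Import-Csv -Path 'C:\Temp\ODMigrationNew\usersandpath.csv' | ForEach-Object {
    $row = $_
    try {
        Protect-OneDriveFolder -Path $row.LocalPath -SamAccountName $row.SamAccountName -WhatIf
    } catch {
        Write-Error "$($row.LocalPath): $_"
    }
}
```

Two checks worth keeping in mind when running this. First, the identity strings must resolve: $env:USERDOMAIN yields the NetBIOS domain of the logged-on user, and an orphaned SID shows up in Access as a bare S-1-5-... value with no domain prefix, so it will not match the AD\S-* pattern and stays untouched. Second, this is a guardrail rather than a security boundary: members of the local Administrators group keep SeTakeOwnershipPrivilege, SeBackupPrivilege and SeRestorePrivilege, so they can take ownership of the folder or read it with backup semantics regardless of the DACL. If the goal is to keep support admins out of OneDrive content, pair the ACL change with an audit entry (SACL) on the folder and with limiting who holds local admin rights in the first place.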

Jerry Seinfield, Systems Engineer (Author), commented:
Hi oBdA,

I guess you are very busy, but could you please take a moment to look at the last 3 questions posted here?

Any chance you can send the code updated based on the last comments?

Thank you in advance
CERTIFIED EXPERT (Most Valuable Expert 2019, Most Valuable Expert 2018) commented: