3. File System Management Tasks - PowerShell

3.8 Removing User Permissions

Removing User Permissions

To remove user permissions from a folder, you can use the RemoveAccessRule method. For instance, if we want to remove the “Allow FullControl” permission for the user T.Simpson on the “Sales” folder, follow these steps:

# Get the current ACL (Access Control List) for the folder
$acl = Get-Acl \\fs1\shared\sales

# Create the access rule for the user and permission you want to remove
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson", "FullControl", "Allow")

# Remove the specific access rule from the ACL (returns True if a matching rule was found and removed;
# assigning to $null keeps that Boolean off the console)
$null = $acl.RemoveAccessRule($AccessRule)

# Apply the modified ACL back to the folder
$acl | Set-Acl \\fs1\shared\sales

Wiping All Permissions for a User

If you want to completely wipe a user’s permissions from a folder (not just remove specific ones), you can use the PurgeAccessRules method. This command will remove all explicit permissions for T.Simpson on the “Sales” folder:

# Get the current ACL for the folder
$acl = Get-Acl \\fs1\shared\sales

# Wrap the account name in an NTAccount object; PurgeAccessRules accepts any IdentityReference
# (an NTAccount or a SecurityIdentifier), not a plain string
$identity = New-Object System.Security.Principal.NTAccount("ENTERPRISE\T.Simpson")

# Purge all explicit (non-inherited) access rules for that identity
$acl.PurgeAccessRules($identity)

# Apply the updated ACL back to the folder
$acl | Set-Acl \\fs1\shared\sales

Important Notes

  • RemoveAccessRule removes only the specific permissions you define, so you can target particular access rights (e.g., “FullControl”).
  • PurgeAccessRules completely removes all explicit permissions associated with a user, but it does not affect inherited permissions.
  • PurgeAccessRules requires an identity object (an IdentityReference such as a SecurityIdentifier or NTAccount) rather than a username string, which is why we used the NTAccount class to wrap the account name.
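The following function is an added example, not part of the original page, that wraps both procedures above (RemoveAccessRule for a named right, PurgeAccessRules for everything explicit) in a single reusable command. It records the account's explicit ACEs before the change, honours -WhatIf, and re-reads the ACL afterwards to confirm the explicit rules are gone while inherited ones are untouched. The function name Remove-UserFolderAccess and the parameter names are assumptions; the folder path and account in the usage line are the page's own sample values.

```powershell
# Added example (not from the original page). Assumes the caller holds WRITE_DAC on the folder,
# as Set-Acl needs; function and parameter names are hypothetical.
function Remove-UserFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account,                  # e.g. "ENTERPRISE\T.Simpson"
        [System.Security.AccessControl.FileSystemRights] $Rights    # omit to purge every explicit rule
    )

    $acl      = Get-Acl -Path $Path
    $identity = New-Object System.Security.Principal.NTAccount($Account)

    # Explicit (non-inherited) rules for this account as they stand now; these are the only
    # rules RemoveAccessRule / PurgeAccessRules can touch.
    $explicitFor = {
        param($AclObject)
        $AclObject.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity.Value
        }
    }
    $before = @(& $explicitFor $acl)
    if ($before.Count -eq 0) {
        Write-Verbose "No explicit rules for $Account on $Path; nothing to change."
        return
    }
    foreach ($ace in $before) {
        Write-Verbose ("Before: {0} {1}" -f $ace.AccessControlType, $ace.FileSystemRights)
    }

    if ($PSBoundParameters.ContainsKey('Rights')) {
        # First procedure on the page: strip only the named Allow rights.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $Rights, 'Allow')
        $null = $acl.RemoveAccessRule($rule)
        $action = "Remove Allow:$Rights for $Account"
    } else {
        # Second procedure on the page: drop every explicit rule for the identity.
        $acl.PurgeAccessRules($identity)
        $action = "Purge all explicit rules for $Account"
    }

    if (-not $PSCmdlet.ShouldProcess($Path, $action)) { return }
    Set-Acl -Path $Path -AclObject $acl

    # Verification: re-read the ACL rather than trusting the in-memory object.
    $fresh     = Get-Acl -Path $Path
    $after     = @(& $explicitFor $fresh)
    $inherited = @($fresh.Access | Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $identity.Value })

    if ($PSBoundParameters.ContainsKey('Rights')) {
        $stillHas = @($after | Where-Object { ($_.FileSystemRights -band $Rights) -ne 0 })
        if ($stillHas.Count -gt 0) { Write-Warning "$Account still holds some of [$Rights] explicitly on $Path" }
    } elseif ($after.Count -gt 0) {
        Write-Warning "Explicit rules for $Account remain on $Path after purge"
    }
    if ($inherited.Count -gt 0) {
        Write-Warning "$Account still has $($inherited.Count) inherited rule(s) on $Path; fix those at the parent"
    }

    [pscustomobject]@{
        Path              = $Path
        Account           = $Account
        Action            = $action
        ExplicitBefore    = $before.Count
        ExplicitAfter     = $after.Count
        InheritedRemain   = $inherited.Count
    }
}

# Usage (sample values from the page):
#   Remove-UserFolderAccess -Path \\fs1\shared\sales -Account 'ENTERPRISE\T.Simpson' -Rights FullControl -Verbose
#   Remove-UserFolderAccess -Path \\fs1\shared\sales -Account 'ENTERPRISE\T.Simpson' -WhatIf
```

The post-change re-read matters in practice: Set-Acl can succeed while the account keeps access through an inherited ACE from a parent folder, and the warning makes that visible instead of leaving a false sense that the user was locked out.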