Removing NTFS file permissions
Last Post 26 Dec 2007 04:31 PM by troymeyer. 4 Replies.
troymeyer (New Member, Posts: 13)
19 Dec 2007 05:22 PM
First post in this bucket!!

Ok so I currently apply NTFS permissions with PoSH using this method totally stolen off a blog:

$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$acl = Get-Acl $directory
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule($ADuser, "Modify", $inherit, $propagation, "Allow")
$acl.AddAccessRule($accessrule)
set-acl -aclobject $acl $directory

But how can I remove permissions?  I see that when I get an ACL object for a file and pass it to get-member, I have a method called RemoveAuditRule(), but for the life of me I can't get it to work correctly.

I surfed the .Net dictionaries on MS and it looks like it wants me to pass an accessrule, but how do I get an existing accessrule to pass?

I am obviously a .net noob and could take any advice or options you guys would throw my way. 

Thanks  

marco.shaw (Co-Community Director, Basic Member, Posts: 181)
20 Dec 2007 06:36 PM
If you do 'get-acl . | get-member', you'll see there are these 3 methods:

RemoveAccessRule Method
RemoveAccessRuleAll Method
RemoveAccessRuleSpecific Method

So you might only have to change this line:
$acl.AddAccessRule($accessrule)

To something like:
$acl.RemoveAccessRule($accessrule)

(Sorry, I can't test it right now.)

troymeyer (New Member, Posts: 13)
21 Dec 2007 04:19 PM
Marco,

I saw those methods, but I am unsure how to get $acl.RemoveAccessRule($accessrule) to work.
Reason is, how can I send $accessrule when it is an existing permissions rule (not one I am creating), in other words how can I get a specific existing access rule and assign it to a variable in PoSH ?

-troy

marco.shaw (Co-Community Director, Basic Member, Posts: 181)
21 Dec 2007 08:10 PM
Try something like this:

#Backup ACL in case:
$acl0=get-acl c:\temp
#I added a test user from the GUI
$acl=get-acl c:\temp
#View the new ACLs
$acl|format-list
#Notice this entry:
#xxxxxx\test Allow ReadAndExecute, Synchronize
#Create my access rule object
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("xxxxx\test","ReadAndExecute","Allow")
#Apply it.
#RemoveAccessRule() didn't work in this case. I didn't check the docs for usage examples.
$acl.RemoveAccessRuleAll($accessrule)
#Recheck
#test user ACL is gone.
$acl
#Apply the new ACL
set-acl -aclobject $acl c:\temp
#Done
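
The question asked earlier in the thread, how to get hold of an existing access rule and pass it to a Remove method, can also be answered by reading the rules from the ACL's Access property. This is an added example, not code from either poster; the path and account name are placeholder values.

```powershell
# Added example: $Path and $Account are placeholders, substitute your own.
$Path    = 'C:\temp'
$Account = 'EXAMPLEDOMAIN\test'

$acl = Get-Acl -Path $Path

# Keep the original security descriptor as SDDL text so the change can be
# reviewed later or reverted with $acl.SetSecurityDescriptorSddlForm($backupSddl).
$backupSddl = $acl.Sddl

# $acl.Access returns the existing rules as FileSystemAccessRule objects.
# -eq on strings is case-insensitive, which suits account names.
$matching = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })

# Only explicit entries can be removed on this object. Inherited entries come
# from a parent folder and have to be changed there.
$explicit  = @($matching | Where-Object { -not $_.IsInherited })
$inherited = @($matching | Where-Object { $_.IsInherited })

foreach ($rule in $explicit) {
    # RemoveAccessRuleSpecific removes only the exact rule passed in, so Allow
    # and Deny entries and different rights are each handled one by one.
    $acl.RemoveAccessRuleSpecific($rule)
    Write-Host ("Removed: {0} {1} {2}" -f $rule.IdentityReference,
        $rule.AccessControlType, $rule.FileSystemRights)
}

if ($explicit.Count -gt 0) {
    Set-Acl -Path $Path -AclObject $acl
}

if ($inherited.Count -gt 0) {
    Write-Warning "$($inherited.Count) inherited rule(s) for $Account still apply to $Path."
}

# Re-read the ACL from disk to confirm what is left for this account.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

RemoveAccessRuleAll, as used in the post above, instead removes every rule with the same identity and the same Allow/Deny type as the rule passed in, whatever rights that rule names.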

troymeyer (New Member, Posts: 13)
26 Dec 2007 04:31 PM
Marco!

Works great, thanks for the help!

I guess I thought that creating the access rule would create a new one, but it just yanks the existing.

Boy .Net access is awesome for folks like me that came from a CMD scripting background rather than from VB/ASP/C# programming. Something new every day :)