Share via

Deny Folder delete on This folder only (Powershell - icacls)

Nigel Rothwell 1 Reputation point
2020-10-30T14:07:25.153+00:00

Hi, with the below, when I try to access the subfolders, it will not allow me unless I run to replace all child object permission entries with inheritable permission entries from this object on each folder

what I am doing wrong, please help

what I would like to do is:

Trying to update and add permission to 1000 folders so the users cant more or delete them, and can have modified & access within the subfolders The top folder Test will have ready only access, subfolders (New Folders ) will have, modify this folder, subfolder and files on a Security group & Deny Delete on this folder only

36366-permisisons.png

$Domain="___domain"

$Group="Data Drive Access"

$UD = $Domain +"\"+ $Group

$Domain2="___domain"

$Group2="Data Drive Access (Deny Delete-Move)"

$UD2 = $Domain2 +"\"+ $Group2

Domain Use format ___domain\username or ___domain\group

Take Ownership

takeown /f $StartingDir /r

$StartingDir="D:\Shares\Data\Test*"

Location of Directory

icacls $StartingDir /q /c /t /reset

icacls $StartingDir /grant:r "$($UD):(OI)(CI)M"

icacls $StartingDir /deny "$($UD2):(D)" /t

icacls $StartingDir /q /c /t

I have also ported this on spiceworks, as I tried using $acl.SetAccessRule($rule) and $acl.AddAccessRule($ruleAdd), ran into another problem.

o why won't this work

https://community.spiceworks.com/topic/2293590-deny-this-folder-only-seems-to-inherit-into-subfolders-and-files

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
4,101 questions
Windows Server Storage
Windows Server Storage
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Storage: The hardware and software system used to retain data for subsequent retrieval.
669 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,628 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
1,044 questions
0 comments

4 answers

Sort by: Newest
Most helpful Newest Oldest
  1. MotoX80 36,186 Reputation points
    2020-11-02T21:45:17.147+00:00

    The Administrators group entry should show as being inherited from the Test folder. 

     cls  
 $StartingDir = 'c:\temp\PermTest'   
 $usrs = 'NT AUTHORITY\Authenticated Users'  
   
 remove-item $StartingDir -Recurse  
 md "$StartingDir\New Folder1" | Out-Null  
 md "$StartingDir\New Folder2" | Out-Null  
  
 md "$StartingDir\New Folder1\userdata" | Out-Null  
 md "$StartingDir\New Folder2\userdata" | Out-Null  
      
 icacls.exe $StartingDir  /reset /t  
 icacls.exe $StartingDir   /grant "$($usrs):(CI)(RX)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r   
   
   
 Get-ChildItem -Path $StartingDir | foreach {  
    "Processing {0}" -f $_.fullname  
    icacls.exe $_.fullname   /grant "$($usrs):(OI)(CI)(M)"  
   
 }  
 ""  
 "icacls.exe $StartingDir"  
 icacls.exe $StartingDir    
 ""  
 "icacls.exe ""$StartingDir\New Folder1"""  
 icacls.exe "$StartingDir\New Folder1"

    -------------------------------------------------------- 

    remove-item : Cannot find path 'C:\temp\PermTest' because it does not exist.  
At line:5 char:2  
+  remove-item $StartingDir -Recurse  
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : ObjectNotFound: (C:\temp\PermTest:String) [Remove-Item], ItemNotFoundException  
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand  
   
processed file: c:\temp\PermTest  
processed file: c:\temp\PermTest\New Folder1  
processed file: c:\temp\PermTest\New Folder2  
processed file: c:\temp\PermTest\New Folder1\userdata  
processed file: c:\temp\PermTest\New Folder2\userdata  
Successfully processed 5 files; Failed processing 0 files  
processed file: c:\temp\PermTest  
Successfully processed 1 files; Failed processing 0 files  
Processing C:\temp\PermTest\New Folder1  
processed file: C:\temp\PermTest\New Folder1  
Successfully processed 1 files; Failed processing 0 files  
Processing C:\temp\PermTest\New Folder2  
processed file: C:\temp\PermTest\New Folder2  
Successfully processed 1 files; Failed processing 0 files  
  
icacls.exe c:\temp\PermTest  
c:\temp\PermTest NT AUTHORITY\Authenticated Users:(CI)(RX)  
                 BUILTIN\Administrators:(OI)(CI)(F)  
  
Successfully processed 1 files; Failed processing 0 files  
  
icacls.exe "c:\temp\PermTest\New Folder1"  
c:\temp\PermTest\New Folder1 NT AUTHORITY\Authenticated Users:(OI)(CI)(M)  
                             NT AUTHORITY\Authenticated Users:(I)(CI)(RX)  
                             BUILTIN\Administrators:(I)(OI)(CI)(F)  
  
Successfully processed 1 files; Failed processing 0 files  
  
PS C:\Temp>

    In the above output, note the 2 ACLs on the PermTest folder and the 3 ACLs on the New Folder1.

    36972-capture.jpg

    If you create a New Folder3 after you run the script, you will be missing the Modify ACL but you will still get the inherited ACLs.

    36936-capture1.jpg

    Effective access should look like this.

    36750-capture3.jpg

    0 comments
  2. MotoX80 36,186 Reputation points
    2020-11-02T17:05:40.757+00:00

    Ok, how about this?

    $StartingDir = 'c:\temp\PermTest' 
 $usrs = 'NT AUTHORITY\Authenticated Users'

 icacls.exe $StartingDir  /reset /t
 icacls.exe $StartingDir   /grant "$($usrs):(CI)(RX)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r 


 Get-ChildItem -Path $StartingDir | foreach {
    icacls.exe $_.fullname   /grant "$($usrs):(OI)(CI)(M)"

 }
  3. Nigel Rothwell 1 Reputation point
    2020-11-01T22:03:42.493+00:00

    Hi @MotoX80

    thanks for the response. I tried your script, but it still does not do what I want.
    what I am trying to achieve, is example

    Main folder DATA. read access to this folder. Then the subfolders, will
    Folder 1
    Folder 2
    Folder 3
    Folder 4
    Folder 5, so on,

    Users can access the folders only, and within the folders, they have, Modify access;

    So when a user accesses the Data folder they cant delete, move, add, or change the folders. Only the users will fill rights can...

    what, you have does not allow the user to delete the folders in the subfolders when you create them, it created multiple folders at once.

    cheers

    0 comments
  4. MotoX80 36,186 Reputation points
    2020-10-31T03:19:36.813+00:00

    I don't like using deny ACL's. I've always thought it best to use grant's. Try this and see if it works for you.

    Replace authenticated users with your ___domain group if that works better for you. 

    $StartingDir = 'c:\temp\PermTest' 
$usrs = 'NT AUTHORITY\Authenticated Users'

# If the permissions are all messed up, uncomment this takeown command 
#takeown.exe /d Y /a /r /f $StartingDir 

icacls.exe $StartingDir  /reset /t
icacls.exe $StartingDir  /grant "$($usrs):(OI)(IO)(F)" /grant "$($usrs):(CI)(RX,WD,AD)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r 
icacls.exe $StartingDir  /verify /t
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.