Read on here.
https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/
--please don't forget to upvote and Accept as answer if the reply is helpful--
Greetings,
I want to remove all users except groups from tons of root folders and thousands of subfolders; is there any way to do it in ONE go!
Thanks in Advance.
NTFS permissions are simply a mapping of SID to access masks. Therefore you cannot do this in "1 go". What you'll need to do is fetch the DACLs (permissions) for the folder, look up each SID to determine if it belongs to a group or user and then remove it if it is a user. Some examples of how to convert from SID are available here. This is going to be time consuming. You mentioned thousands of subfolders and that is going to be slow no matter what you do.
Note there are some challenges here. The first challenge is that normally inheritance is turned on. If it is, then you cannot remove an inherited permission in a subfolder without first turning off inheritance and either replicating the existing permissions or removing them all. This is supported by the API, but it is something you need to consider. To avoid running into issues you should strongly consider working your way from the root directory down each subdirectory level by level and removing users. If you try to go backwards (or worse, cache the results and then try to process them later) then you'll run into inheritance issues. Regardless, you'll run into inheritance issues with the root folder if it inherits users from its parent.
The second challenge is that constantly looking up a SID to determine if it is a group or user is going to be expensive. So you'll want to ideally cache the results into a hashtable or something. If you don't have the SID in the cache yet then determine if it is a user or group. Then store the SID with an indicator either way so you can quickly get the results the next time around.
Personally, unless you need different permissions for all the subfolders, I would recommend you simply reset the root folder and all its children to use the root folder's permissions. Resetting them will take a while as Windows has to follow the earlier inheritance process. But if you remove the users from the root folder first, then all the subfolders will automatically only have groups. This is probably quicker to do just in the UI rather than PowerShell if you only need to do it on one machine.
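One way to carry out the top-down, cached-lookup procedure this answer describes, as an added PowerShell example that is not part of either answer. It assumes `$Root` is the tree to clean, classifies each resolved account with the WinNT ADSI provider (`SchemaClassName` of `User` or `Group`), touches only explicit ACEs, and leaves anything it cannot resolve in place.

```powershell
# Added example: strip explicit user ACEs (keep group ACEs) from a folder tree, top-down,
# caching each SID's user/group classification. $Root is an assumed path; -Preview only reports.
param(
    [Parameter(Mandatory)] [string] $Root,
    [switch] $Preview
)
$sidIsUser = @{}   # cache: SID string -> $true (user) / $false (group, well-known, or unresolved)

function Test-SidIsUser {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    if ($sidIsUser.ContainsKey($Sid.Value)) { return $sidIsUser[$Sid.Value] }
    $isUser = $false                     # default: principals that cannot be classified are kept
    try {
        $account = $Sid.Translate([System.Security.Principal.NTAccount]).Value   # "DOMAIN\name"
        $domain, $name = $account.Split('\', 2)
        $isUser = (([ADSI]"WinNT://$domain/$name").SchemaClassName -eq 'User')
    } catch { }
    $sidIsUser[$Sid.Value] = $isUser
    return $isUser
}

# Parents are listed before their children, so by the time a folder is processed its
# inherited ACEs already reflect the cleaned parent; only explicit ACEs are touched.
$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }       # inherited ACEs must be removed at their source
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }                       # orphaned SID: leave it for manual review
        if (-not (Test-SidIsUser $sid)) { continue }
        if ($Preview) { "Would remove $($ace.IdentityReference) from $($folder.FullName)" }
        else { [void] $acl.RemoveAccessRule($ace); $changed = $true }
    }
    if ($changed) { Set-Acl -LiteralPath $folder.FullName -AclObject $acl }
}
```

Run it with `-Preview` first and compare the report against the root folder's ACL, since every removal at the root propagates to the whole tree through inheritance.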