20,222 questions
Read on here.
https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/
--please don't forget to upvote and Accept as answer if the reply is helpful--
remove all users except groups from NTFS permission.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 62%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Basil Shaikh
1
Reputation point
Greetings,
I wan to remove all users except groups from tones of root folders and thousands of subfolders, is there any around to do in ONE go!
Thanks in Advance.
Windows for business | Windows Server | User experience | Other
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-10-26T14:02:32.687+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Michael Taylor 60,331 Reputation points2022-10-26T14:39:41.703+00:00 NTFS permissions are simply a mapping of SID to access masks. Therefore you cannot do this in "1 go". What you'll need to do is fetch the DACLs (permissions) for the folder, look up each SID to determine if it belongs to a group or user and then remove it if it is a user. Some examples of how to convert from SID are available here. This is going to be time consuming. You mentioned thousands of subfolders and that is going to be slow no matter what you do.
Note there are some challenges here. The first challenge is that normally inheritance is turned on. If it is then you cannot remove an inherited permission in a subfolder without first turning off inheritance and either replicating the existing permissions or removing them all. This is supported by the API but it is something you need to consider. To avoid running into issues you should strongly consider working your way from the root directory down each subdirectory level by level and removing users. If you try to go backwards (or worse cache the results and then try to process them later) then you'll run into inheritance issues. Irrelevant you'll run into inheritance issues with the root folder if it inherits users from its parent.
The second challenge is that constantly looking up a SID to determine if it is a group or user is going to be expensive. So you'll want to ideally cache the results into a hashtable or something. If you don't have the SID in the cache yet then determine if it is a user or group. Then store the SID with an indicator either way so you can quickly get the results the next time around.
Personally, unless you need different permissions for all the subfolders, then I would recommend you simply reset the root folder and all its children to use the root folders permissions. Resetting them will take a while as Windows has to follow the earlier inheritance process. But if you remove the users from the root folder first then all the subfolders will automatically only have groups. This is probably quicker to do just in the UI rather than Powershell if you only need to do it on one machine.