Remove folder inheritance to a single group

Erik 0 Reputation points
2023-04-25T15:00:11.2433333+00:00

I need to disable inheritance for a specific security group and leave all other groups and users intact. For instance, let's say I have folder C:\TEMP1 with a group named Secure_Grp that has Modify access inherited from C:.
I need to remove inheritance for this group (Secure_Grp) from the C:\TEMP1 folder only and leave all other inherited objects intact. Once this Secure_Grp inheritance is removed from C:\TEMP1, I will then enable permissions for this same group "Secure_Grp" with "Read & Execute" access. What are my options for completing this task in a PowerShell script?


1 answer

  1. Limitless Technology 44,121 Reputation points
    2023-04-26T12:14:28.0966667+00:00
    Hi,
    
    I'd be happy to help you out with your question. Sorry for the inconvenience caused.
    
    First, we'll need to define the folder path and the name of the security group that we want to modify. Once we have those, we can use the PowerShell cmdlets Get-Acl, Set-Acl, and Add-AccessRule to modify the folder's permissions.
    
    Here's the PowerShell script you can use:
    
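    # Define the folder path and the security group name
    $FolderPath = "C:\TEMP1"
    $GroupName = "Secure_Grp"
    
    # Get the current ACL of the folder
    $Acl = Get-Acl $FolderPath
    
    # Inheritance is switched off for the folder's whole ACL, not for one group.
    # ($true, $true) keeps the inherited entries as explicit copies;
    # ($true, $false) would drop them for every user and group.
    $Acl.SetAccessRuleProtection($true, $true)
    Set-Acl $FolderPath $Acl
    
    # Re-read the ACL so the copied entries are explicit and can be removed
    $Acl = Get-Acl $FolderPath
    
    # Remove any existing access rules for the security group
    # (IdentityReference is usually "DOMAIN\Secure_Grp", so match on the name part)
    $Acl.Access | Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -eq $GroupName } | 
        ForEach-Object { $Acl.RemoveAccessRule($_) }
    
    # Grant "Read & Execute" access to the security group
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupName, "ReadAndExecute", "Allow")
    $Acl.AddAccessRule($AccessRule)
    
    # Set the modified ACL to the folder
    Set-Acl $FolderPath $Acl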
    
    What this script does is:
    
    1) Get the current Access Control List (ACL) of the folder using the Get-Acl cmdlet.
    
    2) Remove inheritance for the security group using the SetAccessRuleProtection method.
    
    3) Remove any existing access rules for the security group using the RemoveAccessRule method.
    
    4) Grant "Read & Execute" access to the security group by creating a new FileSystemAccessRule object and adding it to the ACL using the AddAccessRule method.
    
    5) Apply the modified ACL to the folder using the Set-Acl cmdlet.
    
    Note that this script assumes that the current ACL of the folder only contains inheritance from the parent folder and no explicit access rules for the security group. If there are any explicit access rules, you may need to modify the script to handle them appropriately.
    
    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.
     
    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
    
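A check to wrap around an ACL change like the one above, as an added example that is not part of the original question or answer: it snapshots the folder's access entries, runs the change, and reports any entry that was added or removed for a principal other than the target group. The function names and the script path are hypothetical; the folder and group are the ones from the question.

```powershell
# Added example, not from the original thread. Function names are hypothetical.
function Get-AceSummary {
    # One string per access entry: identity|type|rights|inheritance|propagation.
    # IsInherited is left out on purpose: turning an inherited entry into an
    # explicit copy flips that flag without changing the access it grants.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference.Value, $_.AccessControlType,
            $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
    }
}

function Invoke-CheckedAclChange {
    # Runs $Change, then reports every access entry that was added or removed
    # for any principal other than $Group.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][scriptblock]$Change
    )
    $sddlBefore = (Get-Acl -LiteralPath $Path).Sddl    # kept for rollback
    $before = @(Get-AceSummary -Path $Path)

    & $Change | Out-Null

    $after = @(Get-AceSummary -Path $Path)
    # Identity is the first field; compare on the part after "DOMAIN\".
    $isOther = { ((($_ -split '\|')[0]) -split '\\')[-1] -ne $Group }
    $removed = @($before | Where-Object { $after  -notcontains $_ } | Where-Object $isOther)
    $added   = @($after  | Where-Object { $before -notcontains $_ } | Where-Object $isOther)
    [pscustomobject]@{
        Ok               = ($removed.Count + $added.Count) -eq 0
        RemovedForOthers = $removed
        AddedForOthers   = $added
        SddlBefore       = $sddlBefore
    }
}

# Usage with the folder and group from the question. The script path is a
# hypothetical file that holds the ACL change being checked.
$result = Invoke-CheckedAclChange -Path 'C:\TEMP1' -Group 'Secure_Grp' -Change {
    & 'C:\Scripts\Set-SecureGrpAccess.ps1'
}
if (-not $result.Ok) {
    $result.RemovedForOthers | ForEach-Object { Write-Warning "removed: $_" }
    $result.AddedForOthers   | ForEach-Object { Write-Warning "added:   $_" }
}
```

To roll back, load `SddlBefore` into a fresh `Get-Acl` object with `SetSecurityDescriptorSddlForm` and apply it with `Set-Acl`.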