Deny Folder delete on This folder only (Powershell - icacls)

Nigel Rothwell 1 Reputation point
2020-10-30T14:07:25.153+00:00

Hi, with the below, when I try to access the subfolders it will not allow me unless I run "Replace all child object permission entries with inheritable permission entries from this object" on each folder.

What am I doing wrong? Please help.

What I would like to do is:

Update and add permissions on 1000 folders so that users can't move or delete them, but still have Modify access within the subfolders. The top folder Test will have read-only access; the subfolders (New Folders) will have "Modify: this folder, subfolders and files" for a security group, and "Deny Delete: this folder only".

36366-permisisons.png

    # Domain: use the format domain\username or domain\group
    $Domain = "domain"
    $Group  = "Data Drive Access"
    $UD  = $Domain + "\" + $Group

    $Domain2 = "domain"
    $Group2  = "Data Drive Access (Deny Delete-Move)"
    $UD2 = $Domain2 + "\" + $Group2

    # Location of the directory (must be set before takeown uses it)
    $StartingDir = "D:\Shares\Data\Test*"

    # Take ownership of the tree
    takeown /f $StartingDir /r

    # Reset every object in the tree to inherited-only ACEs
    icacls $StartingDir /q /c /t /reset
    # Replace the group's explicit rights with Modify, inheriting to subfolders and files
    icacls $StartingDir /grant:r "$($UD):(OI)(CI)M"
    # /t writes this Deny Delete entry explicitly onto every subfolder and file under the path
    icacls $StartingDir /deny "$($UD2):(D)" /t
    # List the resulting ACLs
    icacls $StartingDir /q /c /t

I have also posted this on Spiceworks, as I tried using $acl.SetAccessRule($rule) and $acl.AddAccessRule($ruleAdd) and ran into another problem.

So why won't this work?

https://community.spiceworks.com/topic/2293590-deny-this-folder-only-seems-to-inherit-into-subfolders-and-files
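As an added example (not code from the original post), here is one way to build the layout the question describes with icacls so that the Deny Delete entry lands on "this folder only". The point is that icacls /t performs the operation on every file and subfolder under the path, so a deny applied with /t becomes an explicit ACE on each child and looks as if it had inherited; applying it per subfolder, without /t and without (OI)/(CI), keeps it on the folder object. The root path, group names, the SYSTEM/Administrators entries and the two Test-* helper functions are assumptions for the example; run it elevated.

```powershell
# Added example, not from the original post. Paths and group names are assumed.
$Root  = 'D:\Shares\Data\Test'                           # assumption: top folder (post uses D:\Shares\Data\Test*)
$Users = 'domain\Data Drive Access'                      # gets Modify inside each subfolder
$NoDel = 'domain\Data Drive Access (Deny Delete-Move)'   # denied Delete on each subfolder object only

# 1. Top folder: strip existing ACEs, cut inheritance from the share root, then
#    give users read/list that flows to subfolders only ((CI), no (OI)), so they
#    can traverse into the "New Folder" entries but cannot add, rename or delete them.
#    Administrators and SYSTEM keep Full Control so backups and later edits still work.
icacls.exe $Root /reset /t /c /q
icacls.exe $Root /inheritance:r `
    /grant "${Users}:(CI)(RX)" `
    /grant 'BUILTIN\Administrators:(OI)(CI)(F)' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'

# 2. Each subfolder: explicit Modify that inherits to everything below it, plus
#    Deny Delete on the folder object itself. No (OI)/(CI) on the deny and no /t,
#    so it is written to this one object and never shows up on children.
#    Note: icacls /deny also removes the same right from any explicit grant to the
#    *same* SID, which is why the deny uses a separate group from the Modify grant.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    icacls.exe $_.FullName /grant "${Users}:(OI)(CI)(M)"
    icacls.exe $_.FullName /deny  "${NoDel}:(D)"
}

# 3. Verify with Get-Acl rather than trusting the command output: the Deny ACE on
#    each subfolder must be non-inherited with InheritanceFlags None, and nothing
#    underneath the subfolder may carry a Deny for $NoDel.
function Test-DenyOnFolderOnly {
    param([string]$Folder, [string]$Principal)
    $denies = @((Get-Acl -LiteralPath $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Principal -and
        -not $_.IsInherited })
    if ($denies.Count -eq 0) { return $false }
    # "This folder only" == neither ContainerInherit nor ObjectInherit is set
    return (@($denies | Where-Object { $_.InheritanceFlags -ne 'None' }).Count -eq 0)
}

function Test-DenyLeakedToChildren {
    param([string]$Folder, [string]$Principal)
    $leaked = Get-ChildItem -LiteralPath $Folder -Recurse -Force | Where-Object {
        $item = $_
        (Get-Acl -LiteralPath $item.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Principal }
    }
    return [bool]$leaked
}

foreach ($sub in Get-ChildItem -LiteralPath $Root -Directory) {
    '{0,-40} deny on folder only: {1,-5} deny leaked below: {2}' -f $sub.Name,
        (Test-DenyOnFolderOnly     -Folder $sub.FullName -Principal $NoDel),
        (Test-DenyLeakedToChildren -Folder $sub.FullName -Principal $NoDel)
}
```

Two things worth checking after a run: a user must be in both groups for the deny to matter, and because Modify already includes Delete, the explicit Deny on the subfolder wins only because explicit deny ACEs are ordered before explicit allows on the same object. Folders users later create inside a subfolder carry no deny, which is the intended behaviour here.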


4 answers
  1. MotoX80 33,296 Reputation points
    2020-10-31T03:19:36.813+00:00

    I don't like using deny ACLs. I've always thought it best to use grants. Try this and see if it works for you.

    Replace authenticated users with your domain group if that works better for you.

    $StartingDir = 'c:\temp\PermTest'
    $usrs = 'NT AUTHORITY\Authenticated Users'

    # If the permissions are all messed up, uncomment this takeown command
    #takeown.exe /d Y /a /r /f $StartingDir

    # Reset every object under the tree to inherited-only ACEs
    icacls.exe $StartingDir /reset /t
    # (OI)(IO)(F): Full Control that applies to files only (object-inherit, inherit-only).
    # (CI)(RX,WD,AD): folders get Read/Execute plus add-file (WD) and add-subfolder (AD), but no Delete.
    # /inheritance:r drops whatever the parent passed down.
    icacls.exe $StartingDir /grant "$($usrs):(OI)(IO)(F)" /grant "$($usrs):(CI)(RX,WD,AD)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r
    # Check that every ACL in the tree is canonical
    icacls.exe $StartingDir /verify /t

  2. Nigel Rothwell 1 Reputation point
    2020-11-01T22:03:42.493+00:00

    Hi @MotoX80

    Thanks for the response. I tried your script, but it still does not do what I want.
    What I am trying to achieve is, for example:

    Main folder DATA: read access to this folder. Then the subfolders:
    Folder 1
    Folder 2
    Folder 3
    Folder 4
    Folder 5, and so on.

    Users can access the folders only, and within the folders they have Modify access.

    So when a user accesses the Data folder they can't delete, move, add, or change the folders. Only the users with full rights can...

    What you have does not allow the user to delete the folders in the subfolders when they create them; it created multiple folders at once.

    Cheers


  3. MotoX80 33,296 Reputation points
    2020-11-02T17:05:40.757+00:00

    Ok, how about this?

    $StartingDir = 'c:\temp\PermTest'
    $usrs = 'NT AUTHORITY\Authenticated Users'

    # Reset the tree to inherited-only ACEs
    icacls.exe $StartingDir /reset /t
    # Top folder: users get Read/Execute that flows to subfolders only ((CI)), Administrators get Full Control
    icacls.exe $StartingDir /grant "$($usrs):(CI)(RX)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r

    # Each item directly under the top folder gets an explicit Modify that inherits to everything below it
    Get-ChildItem -Path $StartingDir | foreach {
        icacls.exe $_.fullname /grant "$($usrs):(OI)(CI)(M)"
    }


  4. MotoX80 33,296 Reputation points
    2020-11-02T21:45:17.147+00:00

    The Administrators group entry should show as being inherited from the Test folder.

    cls
    $StartingDir = 'c:\temp\PermTest'
    $usrs = 'NT AUTHORITY\Authenticated Users'

    # Rebuild a small test tree from scratch
    remove-item $StartingDir -Recurse
    md "$StartingDir\New Folder1" | Out-Null
    md "$StartingDir\New Folder2" | Out-Null

    md "$StartingDir\New Folder1\userdata" | Out-Null
    md "$StartingDir\New Folder2\userdata" | Out-Null

    icacls.exe $StartingDir /reset /t
    icacls.exe $StartingDir /grant "$($usrs):(CI)(RX)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /inheritance:r

    Get-ChildItem -Path $StartingDir | foreach {
        "Processing {0}" -f $_.fullname
        icacls.exe $_.fullname /grant "$($usrs):(OI)(CI)(M)"
    }
    ""
    "icacls.exe $StartingDir"
    icacls.exe $StartingDir
    ""
    "icacls.exe ""$StartingDir\New Folder1"""
    icacls.exe "$StartingDir\New Folder1"


    --------------------------------------------------------

    remove-item : Cannot find path 'C:\temp\PermTest' because it does not exist.
    At line:5 char:2
    +  remove-item $StartingDir -Recurse
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (C:\temp\PermTest:String) [Remove-Item], ItemNotFoundException
        + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    processed file: c:\temp\PermTest
    processed file: c:\temp\PermTest\New Folder1
    processed file: c:\temp\PermTest\New Folder2
    processed file: c:\temp\PermTest\New Folder1\userdata
    processed file: c:\temp\PermTest\New Folder2\userdata
    Successfully processed 5 files; Failed processing 0 files
    processed file: c:\temp\PermTest
    Successfully processed 1 files; Failed processing 0 files
    Processing C:\temp\PermTest\New Folder1
    processed file: C:\temp\PermTest\New Folder1
    Successfully processed 1 files; Failed processing 0 files
    Processing C:\temp\PermTest\New Folder2
    processed file: C:\temp\PermTest\New Folder2
    Successfully processed 1 files; Failed processing 0 files

    icacls.exe c:\temp\PermTest
    c:\temp\PermTest NT AUTHORITY\Authenticated Users:(CI)(RX)
                     BUILTIN\Administrators:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    icacls.exe "c:\temp\PermTest\New Folder1"
    c:\temp\PermTest\New Folder1 NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                                 NT AUTHORITY\Authenticated Users:(I)(CI)(RX)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    PS C:\Temp>


    In the above output, note the 2 ACLs on the PermTest folder and the 3 ACLs on the New Folder1.

    36972-capture.jpg

    If you create a New Folder3 after you run the script, you will be missing the Modify ACL but you will still get the inherited ACLs.

    36936-capture1.jpg

    Effective access should look like this.

    36750-capture3.jpg

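Added example, not MotoX80's code, for the point above that a New Folder3 created after the script ran ends up without the explicit Modify entry. It re-checks every top-level subfolder with Get-Acl for a non-inherited Modify ACE that inherits to both subfolders and files, and adds one through the .NET FileSystemAccessRule / AddAccessRule API (the route the question mentions) only where it is missing, so it can be scheduled and re-run without piling up duplicate entries. It also warns if inheritance on the root has been switched back on. The root path and principal match the answer's test layout; the function names are assumptions. Run it elevated.

```powershell
# Added example, not from the answer. Root path and principal are assumptions
# matching the answer's test layout.
$Root  = 'c:\temp\PermTest'
$Users = 'NT AUTHORITY\Authenticated Users'

$modify      = [System.Security.AccessControl.FileSystemRights]::Modify
$inheritBoth = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp      = [System.Security.AccessControl.PropagationFlags]::None

function Get-ExplicitModifyAce {
    # Returns the non-inherited Allow ACE for $Principal that carries at least
    # Modify and inherits to both subfolders and files; $null if there is none.
    # Get-Acl reports Modify together with Synchronize, so test the bits with -band.
    param([string]$Path, [string]$Principal)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        (($_.FileSystemRights -band $modify) -eq $modify) -and
        $_.InheritanceFlags -eq $inheritBoth
    } | Select-Object -First 1
}

function Repair-SubfolderModify {
    # Walks the top-level subfolders and adds the explicit Modify ACE where it
    # is missing. With -ReportOnly it only prints what it would change.
    param([string]$Root, [string]$Principal, [switch]$ReportOnly)

    # The answer's layout relies on /inheritance:r on the root; flag it if undone.
    $rootAcl = Get-Acl -LiteralPath $Root
    if (-not $rootAcl.AreAccessRulesProtected) {
        "WARNING  {0} inherits ACEs from its parent again (expected /inheritance:r)" -f $Root
    }

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        if (Get-ExplicitModifyAce -Path $dir.FullName -Principal $Principal) {
            "OK       {0}" -f $dir.FullName
            continue
        }
        "MISSING  {0}" -f $dir.FullName
        if ($ReportOnly) { continue }

        $acl  = Get-Acl -LiteralPath $dir.FullName
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Principal, $modify, $inheritBoth, $noProp,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)      # adds alongside existing entries; SetAccessRule would replace them
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        "FIXED    {0}" -f $dir.FullName
    }
}

# Report first, then apply.
Repair-SubfolderModify -Root $Root -Principal $Users -ReportOnly
Repair-SubfolderModify -Root $Root -Principal $Users
```

AddAccessRule is used rather than SetAccessRule because SetAccessRule removes every other Allow entry for the same identity on that object, which would silently drop any extra rights an admin had granted by hand; the idempotency comes from the Get-ExplicitModifyAce check, not from the API.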
