Remove specific user from ACL via PowerShell

Simon Krausse 20 Reputation points
2024-05-21T09:46:18.9766667+00:00

I want to remove a specific user from an ACL via PowerShell. Not just the permission of the user for the folder. I want the user gone from the directory.

The following post describes my problem perfectly, but the solution leads me to a 404 error ^^

https://learn.microsoft.com/en-us/archive/msdn-technet-forums/6fbe497e-0ee5-41b5-802b-373466658b48

Does anybody know the solution?


Accepted answer
  1. MotoX80 32,526 Reputation points
    2024-05-21T12:38:54.0666667+00:00

    You could modify the script that I posted to this question.

    https://learn.microsoft.com/en-us/answers/questions/624776/managing-windows-file-shares-with-powershell#answer-629300

    Microsoft used to have a tool named subinacl that you could use to replace one account with another. They decommissioned that tool. I wrote that script to help a user perform similar functionality.

    This is code that I hacked together and didn't parametrize and clean up. All you would have to do is to remove the statements that add the $NewGroup to the new ACL.

    Use WhatIf on the Set-Acl to test it and verify that it updates the folders that you expect.


1 additional answer

  1. Plamen Peev 80 Reputation points
    2024-05-21T14:36:11.4966667+00:00

    Hi @Simon Krausse , this script should work, just set the $folder and the $user variables with your own values. Apparently the way to remove the user via PowerShell is to remove all access rules associated with the user, unlike via the GUI, where removing the user removes the rules as well. Please mark this answer as "Accepted" if it worked for you.

    $folder = "folder\path"
    $user = "host\user"
    
    # Read the current security descriptor of the folder
    $aclList = Get-Acl -Path $folder
    
    # Remove all rules in the list associated with the user.
    # RemoveAccessRule only affects explicit (non-inherited) rules; a rule the
    # user holds through inheritance stays until inheritance is disabled on this
    # folder or the rule is removed from the parent.
    $aclList.Access |
        Where-Object { $_.IdentityReference -eq $user } |
        ForEach-Object { $aclList.RemoveAccessRule($_) } | Out-Null
    
    # Then reapply the updated list
    Set-Acl -Path $folder -AclObject $aclList
    
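Both answers above come down to the same procedure: collect every access rule for the identity, call RemoveAccessRule on each, write the result back with Set-Acl, and test with -WhatIf first. The block below is an added example and is not code from either answer or from the original post. It is a hypothetical Remove-IdentityFromAcl function that applies that procedure to one folder or, with -Recurse, a whole tree, supports -WhatIf through SupportsShouldProcess, verifies the write afterwards, and handles the case the one-liner in the second answer does not cover: an ACE the user holds only through inheritance, which RemoveAccessRule silently ignores. The paths, the account name CONTOSO\jdoe and the -BreakInheritance switch are illustrative assumptions.

```powershell
# Added example, not code from the original answers. Hypothetical helper that removes
# every access rule for one identity from a folder (and, with -Recurse, its subtree).
# RemoveAccessRule() only touches explicit ACEs; an ACE the identity holds through
# inheritance is reported and left alone unless -BreakInheritance is given, in which
# case inheritance is disabled (inherited ACEs kept as explicit copies) and then removed.
function Remove-IdentityFromAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,    # account name, e.g. 'CONTOSO\jdoe' (assumed)
        [switch] $Recurse,
        [switch] $BreakInheritance
    )

    # Resolve the name once and compare ACEs by SID, so case and display form do not matter.
    $targetSid = ([System.Security.Principal.NTAccount] $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Returns the rules in $acl that belong to the target identity.
    function Get-TargetRules([System.Security.AccessControl.FileSystemSecurity] $acl) {
        @($acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $targetSid
        })
    }

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force) }

    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $rules = Get-TargetRules $acl
        if ($rules.Count -eq 0) { continue }

        $inherited = @($rules | Where-Object IsInherited)
        if ($inherited.Count -gt 0 -and $BreakInheritance -and
            $PSCmdlet.ShouldProcess($item.FullName, "Disable inheritance, keeping inherited ACEs as explicit")) {
            $acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            # Re-read: the formerly inherited ACEs are now explicit and can be removed.
            $acl   = Get-Acl -LiteralPath $item.FullName
            $rules = Get-TargetRules $acl
        } elseif ($inherited.Count -gt 0) {
            Write-Warning ("{0}: {1} inherited ACE(s) for {2} left in place; remove them on the parent or use -BreakInheritance" -f
                $item.FullName, $inherited.Count, $Identity)
        }

        # Only explicit rules can be removed here.
        $explicit = @($rules | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -eq 0) { continue }
        foreach ($rule in $explicit) {
            [void] $acl.RemoveAccessRule($rule)   # returns a bool; discard it
        }

        # With -WhatIf this prints the operation and skips the write.
        if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($explicit.Count) explicit ACE(s) for $Identity")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            # Verify the write: no explicit ACE for the identity should remain.
            $left = @(Get-TargetRules (Get-Acl -LiteralPath $item.FullName) | Where-Object { -not $_.IsInherited })
            if ($left.Count -ne 0) {
                Write-Error "$($item.FullName): $($left.Count) explicit ACE(s) for $Identity still present"
            }
        }
    }
}

# Dry run first (prints every folder and file it would touch), then for real:
# Remove-IdentityFromAcl -Path 'D:\Shares\Projects' -Identity 'CONTOSO\jdoe' -Recurse -WhatIf
# Remove-IdentityFromAcl -Path 'D:\Shares\Projects' -Identity 'CONTOSO\jdoe' -Recurse -BreakInheritance
```

Run it from an account that owns the folders or has WRITE_DAC on them (a local administrator normally does); Set-Acl writes only the DACL here because only access rules were modified. Breaking inheritance is a one-way change for the folder, so prefer removing the ACE on the parent when the goal is simply that the user no longer appears anywhere in the tree, and keep -BreakInheritance for folders that genuinely need a different ACL from their parent.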