RemoveAccessRule is not working for non-inherited ACEs

I.A 1 Reputation point
2020-12-16T20:42:34.83+00:00

I am using RemoveAccessRule to remove some NTFS permissions.

The script (too long to post) cycles through ACEs ($DACL) and should remove the entry.

It works for some folders, but for others it does not: the entry does not get removed, no errors are raised, and the call returns "True" as the result.

This is the partial script:


if ($DACL.IsInherited -eq $false) {
$SecDescriptor.RemoveAccessRule($DACL) | Out-Null
Set-Acl -Path $FolderName $SecDescriptor
}


This is the value of $DACL I am trying to delete:

(This is $DACL | FL in the debugger:)

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : MyDomain\Domain Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None


I stepped through the script with a debugger, verifying $SecDescriptor and $DACL at each step, and I see no reason why it is working in one case and not in the other. I definitely have permissions to delete this entry, as I can remove it in the GUI, but not in the script. No errors are generated, and the entry I am trying to delete is not inherited.
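An added example for the removal described above (not the poster's script): it snapshots the explicit ACEs for one identity before modifying the ACL, keeps the boolean that RemoveAccessRule returns instead of discarding it, and then re-reads the on-disk ACL to confirm the entry is actually gone. The folder path is a placeholder; the identity is the one from the question.

```powershell
# Added example, not the original poster's script.
# $FolderName is a placeholder path; $Identity is the identity from the question.
param(
    [string]$FolderName = 'C:\Shares\Example',
    [string]$Identity   = 'MyDomain\Domain Users'
)

$SecDescriptor = Get-Acl -Path $FolderName

# Snapshot the explicit (non-inherited) ACEs for this identity BEFORE changing the ACL,
# so the loop never enumerates a collection that is being modified underneath it.
$targets = @($SecDescriptor.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
})

foreach ($DACL in $targets) {
    # Keep the return value: RemoveAccessRule reports whether a matching rule was removed.
    $removed = $SecDescriptor.RemoveAccessRule($DACL)
    Write-Verbose -Verbose ('RemoveAccessRule({0}, {1}) returned {2}' -f `
        $DACL.IdentityReference, $DACL.FileSystemRights, $removed)
}

if ($targets.Count -gt 0) {
    # Persist the modified descriptor; it must be the object obtained from Get-Acl on this path.
    Set-Acl -Path $FolderName -AclObject $SecDescriptor
}

# Verify against the on-disk ACL rather than trusting the return value.
$after = @((Get-Acl -Path $FolderName).Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
})

if ($after.Count -gt 0) {
    Write-Warning ('Explicit ACE(s) for {0} still present on {1}:' -f $Identity, $FolderName)
    $after | Format-List FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags
} else {
    Write-Output ('No explicit ACE for {0} remains on {1}.' -f $Identity, $FolderName)
}
```

If the goal is to drop exactly one entry rather than the rights it carries, FileSystemSecurity also exposes RemoveAccessRuleSpecific, which matches the whole rule (rights, type and inheritance flags) instead of the identity's rights; the same re-read check applies either way.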

Windows development | Windows API - Win32
Windows for business | Windows Server | User experience | PowerShell