RemoveAccessRule is not working for non-inherited ACEs

I.A 1 Reputation point
2020-12-16T20:42:34.83+00:00

I am using RemoveAccessRule to remove some NTFS permissions.

The script (too long to post) cycles through ACEs ($DACL) and should remove the entry.

It works for some folders and for others it does not: the entry does not get removed, no errors are raised, and "True" is generated as the result.

This is the partial script:


if ($DACL.IsInherited -eq $false) {
$SecDescriptor.RemoveAccessRule($DACL) | Out-Null
Set-Acl -Path $FolderName $SecDescriptor
}


This is the value of $DACL I am trying to delete:

(This is $DACL | FL in the debugger:)

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : MyDomain\Domain Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None


I stepped through the script with a debugger verifying $SecDescriptor and $DACL at each step and I see no reason why it is working in one case and not working in the other case. I definitely have permissions to delete this entry, as I can remove it in the GUI. But not in the script. No errors are generated and the entry I am trying to delete is not inherited.
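The following is an added example, not code from the question or from Microsoft, showing one way to make this kind of removal verifiable: snapshot the explicit ACEs for one identity before touching the descriptor, remove them, write the descriptor back to the same path it was read from, and then re-read the ACL to confirm what actually changed rather than trusting the Boolean that RemoveAccessRule returns. The folder path and the $Identity parameter are assumptions; the identity value is the one shown in the question.

```powershell
# Added example (not from the original post). Assumed: the folder path below
# and the -Identity parameter; the identity value mirrors the question.
param(
    [string]$FolderName = 'C:\Temp\ExampleFolder',   # assumed path
    [string]$Identity   = 'MyDomain\Domain Users'    # identity from the question
)

$before = Get-Acl -Path $FolderName

# Snapshot the matching ACEs first: enumerating .Access while calling
# RemoveAccessRule on the same descriptor mutates the collection being iterated.
$targets = @($before.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
})

if ($targets.Count -eq 0) {
    Write-Output "No explicit (non-inherited) ACEs for $Identity on $FolderName"
    return
}

foreach ($ace in $targets) {
    # RemoveAccessRule matches on identity, access type and rights; treat its
    # return value as informational only and verify the result below.
    $removed = $before.RemoveAccessRule($ace)
    Write-Verbose ("RemoveAccessRule returned {0} for {1}" -f $removed, $ace.FileSystemRights)
}

# Commit the modified descriptor to the same path it was read from.
Set-Acl -Path $FolderName -AclObject $before

# Verify by re-reading the ACL from disk, not by inspecting the in-memory object.
$after = Get-Acl -Path $FolderName
$remaining = @($after.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
})

if ($remaining.Count -gt 0) {
    Write-Warning ("{0} explicit ACE(s) for {1} still present on {2}" -f $remaining.Count, $Identity, $FolderName)
    $remaining | Format-List FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags
} else {
    Write-Output "Removed $($targets.Count) explicit ACE(s) for $Identity from $FolderName"
}
```

Run it with -Verbose to see the per-rule return values. If an exact match on rights and inheritance flags is required, RemoveAccessRuleSpecific removes only an ACE that matches the supplied rule exactly, and PurgeAccessRules removes every ACE for a given identity; the re-read check at the end applies unchanged to either variant.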
