
I have the following:

$dir = ".\AES.key"
$Acl = Get-Acl -Path $dir
$Acl.Access | ft

Which returns me:

FileSystemRights AccessControlType IdentityReference            IsInherited InheritanceFlags PropagationFlags
---------------- ----------------- -----------------            ----------- ---------------- ----------------
     FullControl             Allow NT-AUTORITÄT\SYSTEM                 True             None             None
     FullControl             Allow VORDEFINIERT\Administratoren        True             None             None
     FullControl             Allow GOOGLE\steso                        True             None             None

Is there any way to delete all entries except "GOOGLE\steso" from PowerShell? Thanks in advance.

  • Possibly relevant: https://serverfault.com/questions/834046/remove-a-user-from-acl-completely-using-powershell and https://stackoverflow.com/questions/6622124/why-does-set-acl-on-the-drive-root-try-to-set-ownership-of-the-object – Jeff Zeitlin Jun 01 '22 at 19:30


I am putting this here as it will be too long for a single comment string.

What you are showing is 'Inherited permission'.

***The common refrain is: you cannot remove inherited permissions without specifically removing inheritance.***

Details are here:

https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setaccessruleprotection.aspx

# Disable inheritance on the object and drop the inherited rules (second argument $false).
# The method returns nothing, so the modified ACL object has to be written back explicitly.
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $dir -AclObject $acl

This can cause you issues without carefully determining why you need to do this. Meaning that if you break the inheritance, then the inherited permissions won't be there anymore to remove.

See this other discussion as well:

https://social.technet.microsoft.com/Forums/ie/en-US/634bfe7d-132a-4a8e-9791-329a6c096aab/powershell-script-to-disable-inherit-from-parent-object-and-remove-modify

postanote
  • I don't believe the [`SetAccessRuleProtection` method](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.setaccessruleprotection?view=net-6.0) produces any output to the success stream, hence piping to `Set-Acl` is not valid. I believe you want to first set the object and then `Set-Acl $theAcl` – Santiago Squarzon Jun 02 '22 at 00:13
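The complete procedure the question asks for, written out as an added example (it is not code from the question, the answer or the comments): break inheritance on the key file, re-add only the principal that should keep access, and write the ACL back with `Set-Acl -AclObject` rather than a pipe. The path and the `GOOGLE\steso` identity come from the question; the `$Keep` variable, the guard and the verification step are this example's own assumptions.

```powershell
# Added example: restrict a file's DACL to a single principal.
# Assumed: $Path and $Keep are the file and the identity from the question above.
$Path = ".\AES.key"
$Keep = "GOOGLE\steso"   # the only identity that should retain an ACE

$acl = Get-Acl -Path $Path

# Collect the ACE(s) currently granted to $Keep so their exact rights can be re-applied
# as explicit rules once the inherited ones are gone.
$keepRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Keep })
if ($keepRules.Count -eq 0) {
    # Refuse to write a DACL that would contain no ACE at all for the intended user.
    throw "No access rule for '$Keep' found on '$Path'; nothing written."
}

# Protect the object from inheritance and discard the inherited ACEs ($false).
# SetAccessRuleProtection returns nothing; the in-memory ACL is modified in place.
$acl.SetAccessRuleProtection($true, $false)

# Re-add the retained principal as explicit (non-inherited) rules with the same
# rights, inheritance flags and access type it had before.
foreach ($r in $keepRules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.IdentityReference, $r.FileSystemRights,
        $r.InheritanceFlags, $r.PropagationFlags, $r.AccessControlType)
    $acl.AddAccessRule($rule)
}

# Preview the write, then apply it. Set-Acl takes the ACL object via -AclObject.
Set-Acl -Path $Path -AclObject $acl -WhatIf
Set-Acl -Path $Path -AclObject $acl

# Verify: every remaining ACE should belong to $Keep and show IsInherited = False.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two points worth keeping in mind when running this: `Set-Acl` needs WRITE_DAC on the file (in practice, being its owner or an administrator), which is the ownership issue the linked question about the drive root discusses; and once SYSTEM and the Administrators group no longer hold an ACE, services that run as those identities (backup, on-access scanning) lose access to the file, so confirm that is the intended result before the final `Set-Acl`.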