Summary:
I’m trying to script removing the modify permission of a particular folder (or file) for the "NT AUTHORITY\Authenticated Users" group, across multiple machines (actually as part of a file deployment script). I have some code that attempts to do this, but it is not working as expected.
Context:
The script copies down a file structure locally, and a particular file (ideally the whole folder structure) needs to be made unmodifiable (by non-admins). Setting the read-only setting isn’t sufficient, since it can be reverted by those with modify permissions to the file.
My attempt:
$folder = "C:\folder"
$file = "C:\folder\file.ext"
# Get the existing ACL
$acl = Get-Acl -Path $folder
# See what it looks like
$acl.Access | ft
# Target and remove the specific modify rule
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\Authenticated Users","Modify","Allow")
$acl.RemoveAccessRule($rule)
# Check that the modification to the PS object took
$acl.Access | ft
# Perform the modification
$acl | Set-Acl -Path $folder
# Check that the modification to the folder/file took
$acl = Get-Acl -Path $folder
$acl.Access | ft
My results:
The .RemoveAccessRule() call has no effect on the ACL (even though it returns True), as shown by the second $acl.Access | ft. As such, the Set-Acl call has no effect either. I suspect that perhaps I’m not targeting the rule I want correctly, and perhaps the .RemoveAccessRule() call is returning True just because there were technically no "failures". But that’s just a shot in the dark.
Here is what the output of $acl.Access | ft looks like in all cases:
FileSystemRights AccessControlType IdentityReference IsInherited InheritanceFlags PropagationFlags
---------------- ----------------- ----------------- ----------- ---------------- ----------------
FullControl Allow BUILTIN\Administrators True None None
FullControl Allow NT AUTHORITY\SYSTEM True None None
Modify, Synchronize Allow NT AUTHORITY\Authenticated Users True None None
ReadAndExecute, Synchronize Allow BUILTIN\Users True None None
I just can’t get rid of that Modify flag. I’ve also tried targeting the file directly (replacing references to $folder with $file in the above code), but the result is the same. I’ve also tried replacing NT AUTHORITY\Authenticated Users with just Authenticated Users, to no effect.
Question:
Presumably I’m just doing it wrong. I’m fluent in PowerShell, but have no previous experience using it to configure NTFS permissions. Perhaps I need to target the desired rule differently, or perhaps I need to overwrite it with .SetAccessRule() instead somehow…
How can I achieve this with PowerShell? Thanks for your time.
Sources:
- Here is the example I’ve been working from (under the "Removing File or Folder Permissions" section): https://petri.com/how-to-use-powershell-to-manage-folder-permissions
- No examples of this use case are given on the official Set-Acl documentation: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- I’ve also taken a look through the documentation for the System.Security.AccessControl.FileSystemSecurity class and its methods, however the method documentation gives no relevant examples: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemsecurity?view=net-5.0#methods
My environment:
- Windows 10 x64 20H2
- PowerShell 5.1
- In my testing, I’m running the code in an elevated PowerShell console, as a user with local admin permissions. In practice the code will be run by MECM in the same script that copies the files down (presumably as SYSTEM or some such).
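The question's output shows IsInherited = True for the Modify entry, and RemoveAccessRule() only edits explicit entries, so inheritance has to be broken (keeping copies of the inherited entries) before the entry can be removed. The following is an added example, not code from the question or from any answer to it; it assumes the caller can change the DACL (an elevated session, as in the question) and targets Authenticated Users by its well-known SID S-1-5-11 rather than by display name.

```powershell
# Added example: remove the "Modify" grant for Authenticated Users (SID S-1-5-11)
# from a folder or file whose entry is inherited from its parent.
function Remove-AuthenticatedUsersModify {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    # Bits that actually let a principal change or delete the object
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)

    # Step 1: protect the DACL and keep copies of the inherited entries ($true, $true),
    # then write it so those copies become explicit, editable entries on disk.
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
    }

    # Step 2: re-read (the copies now report IsInherited = False) and strip the Modify
    # bits from every Allow entry for the SID that grants write or delete, matching
    # each entry's own inheritance/propagation flags so the whole entry is removed.
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        [void]$acl.RemoveAccessRule($rule)   # return value is not a reliable signal
    }
    Set-Acl -Path $Path -AclObject $acl

    # Step 3: verify from disk instead of trusting the in-memory object. Returns $true
    # when no Allow entry for the SID still carries any Modify bit.
    $after = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $left = $after | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -ne 0)
    }
    return (-not $left)
}

# Usage with the question's paths: the folder first, then the file inside it.
Remove-AuthenticatedUsersModify -Path 'C:\folder'
Remove-AuthenticatedUsersModify -Path 'C:\folder\file.ext'
```

Breaking inheritance on the folder means later permission changes on C:\ no longer flow down to it, which is what makes the hardening stick but also what has to be remembered when auditing the deployment later.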
Source: Windows Questions