I’m trying to script removing the modify permission of a particular folder (or file) for the "NT AUTHORITY\Authenticated Users" group, across multiple machines (actually as part of a file deployment script). I have some code that attempts to do this, but it is not working as expected.
The script copies down a file structure locally, and a particular file (ideally the whole folder structure) needs to be made unmodifiable (by non-admins). Setting the read-only setting isn’t sufficient, since it can be reverted by those with modify permissions to the file.
$folder = "C:\folder"
$file = "C:\folder\file.ext"
# Get the existing ACL
$acl = Get-Acl -Path $folder
# See what it looks like
$acl.Access | ft
# Target and remove the specific modify rule
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\Authenticated Users","Modify","Allow")
$acl.RemoveAccessRule($rule)
# Check that the modification to the PS object took
$acl.Access | ft
# Perform the modification
$acl | Set-Acl -Path $folder
# Check that the modification to the folder/file took
$acl = Get-Acl -Path $folder
$acl.Access | ft
The .RemoveAccessRule() call has no effect on the ACL (even though it returns True), as shown by the second $acl.Access | ft. As such, the Set-Acl call has no effect either. I suspect that perhaps I’m not targeting the rule I want correctly, and perhaps the .RemoveAccessRule() call is returning True just because there were technically no "failures". But that’s just a shot in the dark.
Here is what the output of $acl.Access | ft looks like in all cases:
FileSystemRights            AccessControlType IdentityReference                IsInherited InheritanceFlags PropagationFlags
----------------            ----------------- -----------------                ----------- ---------------- ----------------
FullControl                 Allow             BUILTIN\Administrators           True        None             None
FullControl                 Allow             NT AUTHORITY\SYSTEM              True        None             None
Modify, Synchronize         Allow             NT AUTHORITY\Authenticated Users True        None             None
ReadAndExecute, Synchronize Allow             BUILTIN\Users                    True        None             None
I just can’t get rid of that Modify flag. I’ve also tried targeting the file directly (replacing references to $file in the above code), but the result is the same. I’ve also tried replacing NT AUTHORITY\Authenticated Users with just Authenticated Users, to no effect.
Presumably I’m just doing it wrong. I’m fluent in PowerShell, but have no previous experience using it to configure NTFS permissions. Perhaps I need to target the desired rule differently, or perhaps I need to overwrite it with .SetAccessRule() instead somehow…
How can I achieve this with PowerShell? Thanks for your time.
- Here is the example I’ve been working from (under the "Removing File or Folder Permissions" section): https://petri.com/how-to-use-powershell-to-manage-folder-permissions
- No examples of this use case are given on the official Set-Acl documentation: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- I’ve also taken a look through the documentation for the System.Security.AccessControl.FileSystemSecurity class and its methods, however the method documentation gives no relevant examples: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemsecurity?view=net-5.0#methods
- Windows 10 x64 20H2
- PowerShell 5.1
- In my testing, I’m running the code in an elevated PowerShell console, as a user with local admin permissions. In practice the code will be run by MECM in the same script that copies the files down (presumably as SYSTEM or some such).
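An added example, not code from the post above: the output shown has IsInherited = True for the Modify ACE, and RemoveAccessRule() does not touch inherited entries, so this version first breaks inheritance (keeping explicit copies of the inherited rules), then removes the entry on a second pass and verifies the result on disk. It generalises slightly beyond the post by handling both a folder and a single file; $path and the re-granted ReadAndExecute rule are assumptions.

```powershell
# Added example, not from the original post. Assumes the Modify ACE is inherited
# from the parent (IsInherited = True in the question's output); $path and the
# retained ReadAndExecute rule are assumptions.
$path     = 'C:\folder'                           # folder or file to harden
$identity = 'NT AUTHORITY\Authenticated Users'
$isDir    = Test-Path -Path $path -PathType Container
# Inheritance flags are only valid on directories; an ACE on a file must use None.
$inherit  = if ($isDir) { 'ContainerInherit,ObjectInherit' } else { 'None' }

# Pass 1: protect the DACL and keep the inherited ACEs as explicit copies.
# RemoveAccessRule() silently skips ACEs flagged as inherited, which is why the
# original attempt "succeeded" (returned True) without changing anything.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)        # isProtected, preserveInheritance
Set-Acl -Path $path -AclObject $acl

# Pass 2: re-read the now-explicit ACL and strip every Allow ACE for the identity.
# RemoveAccessRuleAll() matches on identity and access type only, so the exact
# "Modify, Synchronize" rights mask does not have to be reproduced.
$acl   = Get-Acl -Path $path
$match = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, 'Modify', 'Allow')
$acl.RemoveAccessRuleAll($match)

# Re-grant read/execute only, so the deployed files stay usable by non-admins.
$readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity, 'ReadAndExecute', $inherit, 'None', 'Allow')
$acl.AddAccessRule($readOnly)
Set-Acl -Path $path -AclObject $acl

# Verify on disk and fail the deployment if any write right survived.
$acl       = Get-Acl -Path $path
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$leftover  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($leftover) { throw "Write access still granted to $identity on $path" }
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run this on the top-level deployed folder to cover the whole structure; files beneath it that still inherit from it pick up the new ACEs automatically, while any child that already has inheritance disabled needs the same treatment individually.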
Source: Windows Questions