Powershell: Remove Inheritance, cloning the ACl and then removing a specific rule

This block of code was used to remove inheritance from all folders in the $RootFolder and Copy the current Permissions that were previously inherited.  Then it reloads the ACL to allow the Domain Users rule to be removed.  If you do not remove and save the inheritance first, the ACL will not remove the individual rule.

$RootFolder - "C:\Temp\"
cd $RootFolder

# Get list of Folders where Inheritance is enabled
$Folders = Get-ChildItem $RootFolder | ?{ $_.PSIsContainer } | ? {!(Get-Acl $_.FullName).AreAccessRulesProtected}

# Loop through Each Folder
ForEach ($Folder in $Folders)
{
    Echo $Folder

    # You must disable inheritance before you can remove
    # one of the rules from the ACL
    # Get ACL for current Folder

    $SourceACL = Get-ACL -Path $Folder
    echo "------====== BEFORE ======---------"
    echo $SourceACL.Access
    $SourceACL.SetAccessRuleProtection($True, $True)
    Set-Acl -Path $Folder -AclObject $SourceACL

    $SourceACL = Get-ACL -Path $Folder
    $rules =  $SourceACL.Access | Where-Object {($_.IdentityReference -like "DOMAIN\Domain Users")}
    #echo "------====== RULES ======---------"
    #echo $rules

    ForEach ($rule in $rules)
    {
       # echo "------====== RULE ======---------"
       # echo $rule

        $SourceACL.RemoveAccessRuleSpecific($rule)
    }
    echo "------====== AFTER ======---------"
    echo $SourceACL.Access

    #Removes the inheritance but copies existing ACE's

    Set-Acl -Path $Folder -AclObject $SourceACL
}

Comments

Post a Comment

Popular posts from this blog

Setting up a new Exchange 2013 DAG

Image
Our existing MS Exchange setup uses a Database Availability Group (DAG) to replicate the mailbox databases to another Exchange 2010 server located in another office. Recently we installed Exchange 2013 to replace our existing Exchange 2010 implementation and needed to setup a new DAG for the 2013 servers. Under 2012 the permissions for computer objects have changed slightly. When a DAG is configured it creates a Cluster Named Object (CNO) which is basically just a computer account for the DAG. If you are running Exchange 2013 on a 2012 server though the wizard is unable to create this object correctly because of the new permissions and instead you need to pre-setup the CNO in active directory so that the DAG can add the servers you assign.   Pre-stage CNO (Cluster Named Object) Open Active Directory Users and Computers. Expand the forest node. Right-click the organizational unit (OU) in which you want to create the new account, select New , and then select Computer . In N
Read more

Error setting Out of Office via Outlook during Exchange 2010/2013 Coexistence

Recently we implemented Exchange 2013. During the CoExistence period we experienced an issue with external users (accessing via Internet) not being able to set their OoO rule. This only seemed to affect those users whos mailbox still resided on the old 2010 Exchange server. The solution turned out to be one of those that you would never have stumbled upon and was only found because somebody else posted the exact same issue. After raising a case with MS and spending 48hr talking to support (not continually I suspect) the following solution was implemented   On E2k13 CAS server IIS manager. Highlight EWS virtual directory and select Configuration Editor In the drop down, select System.WebServer/ServerRuntime/ Then in the middle pane select UploadReadAheadSize and set it to 49152 Do an IISReset   Hope this helps somebody else   Ref: http://social.technet.microsoft.com/Forums/exchange/en-US/c5f80b3f-c73d-4911-b734-c9e846642bfa/exchange-2013-sp1-coexistence-exchange-2010-sp3-roll
Read more