This script removes the “Users” group from the Access Control List (ACL) of a file or folder.
First, NTFS permission inheritance is disabled (keeping the inherited entries as explicit ones), then the “Users” group is removed from the ACL.
The cmdlet for working with ACLs is Get-Acl:
TechNet: https://technet.microsoft.com/fr-fr/library/hh849802.aspx
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
# File / folder path
$file = 'C:\workdir\test.txt'
# 1. Remove NTFS rights inheritance
#    SetAccessRuleProtection(isProtected, preserveInheritance):
#    $True,$True protects the DACL and keeps the inherited entries as explicit copies.
#    Set-Acl is applied here so that those copies exist on disk before step 2.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $file -AclObject $acl
# 2. Remove the "Users" group from ACL
#    RemoveAccessRuleAll matches on identity and access type (Allow/Deny) only,
#    so the rights, inheritance and propagation values of the template rule do not matter.
$colRights = [System.Security.AccessControl.FileSystemRights] "FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
# S-1-5-32-545 is the well-known SID of BUILTIN\Users (locale-independent)
$objUser = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-Acl $file
$objACL.RemoveAccessRuleAll($objACE)
Set-Acl $file $objACL
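The same two steps wrapped in a function, as an added example that is not part of the original post. It saves the security descriptor as SDDL before touching it so the change can be undone, supports -WhatIf, removes both Allow and Deny entries for Users, and re-reads the ACL afterwards to confirm that no entry for S-1-5-32-545 remains. The function names, the parameter names and the backup file location are my own choices, not anything from the original script.

```powershell
# Added example (not from the original post). Assumptions: function and parameter
# names are hypothetical; the backup file path "<Path>.sddl.bak" is a chosen default.
function Remove-UsersGroupAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Where the pre-change descriptor is saved (SDDL text) so it can be restored
        [string]$BackupFile = "$Path.sddl.bak"
    )

    # Well-known SID of BUILTIN\Users; using the SID avoids locale-dependent names
    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

    $acl = Get-Acl -Path $Path

    # Keep a copy of the descriptor (owner, group and DACL) before any change
    Set-Content -Path $BackupFile -Value $acl.Sddl -Encoding ASCII

    if ($PSCmdlet.ShouldProcess($Path, 'Break inheritance and remove BUILTIN\Users entries')) {
        # Step 1: protect the DACL, preserving inherited entries as explicit copies.
        # Set-Acl is applied now because RemoveAccessRuleAll only acts on explicit
        # entries; the copies must be materialised before they can be removed.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl

        # Step 2: remove every explicit entry for Users, Allow and Deny alike.
        # RemoveAccessRuleAll matches on identity and type only; rights in the
        # template rule are irrelevant.
        $acl = Get-Acl -Path $Path
        foreach ($type in @([System.Security.AccessControl.AccessControlType]::Allow,
                            [System.Security.AccessControl.AccessControlType]::Deny)) {
            $template = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $usersSid,
                [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
                [System.Security.AccessControl.InheritanceFlags]::None,
                [System.Security.AccessControl.PropagationFlags]::None,
                $type)
            $acl.RemoveAccessRuleAll($template)
        }
        Set-Acl -Path $Path -AclObject $acl
    }

    # Step 3: verify by re-reading the ACL with identities expressed as SIDs
    $after = Get-Acl -Path $Path
    $rules = $after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $remaining = @($rules | Where-Object { $_.IdentityReference -eq $usersSid })

    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $after.AreAccessRulesProtected
        UsersEntriesLeft   = $remaining.Count
        RemainingEntries   = @($rules | ForEach-Object {
                                 '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights })
        BackupFile         = $BackupFile
    }
}

# Puts back the DACL saved by Remove-UsersGroupAce. Only the access section is
# restored, so owner and group are left untouched.
function Restore-AclFromSddl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [string]$BackupFile = "$Path.sddl.bak"
    )
    $sddl = (Get-Content -Path $BackupFile -Raw).Trim()
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    if ($PSCmdlet.ShouldProcess($Path, "Restore DACL from $BackupFile")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Usage (dry run first, then the real change, then inspect what is left):
#   Remove-UsersGroupAce -Path 'C:\workdir\test.txt' -WhatIf
#   Remove-UsersGroupAce -Path 'C:\workdir\test.txt' | Select-Object -ExpandProperty RemainingEntries
#   Restore-AclFromSddl  -Path 'C:\workdir\test.txt'
```

The RemainingEntries list is worth reading before moving on: once inheritance is blocked and Users is gone, the only principals that can still reach the object are those listed there, so check that an administrative group and any service account that needs the file are still present rather than assuming they were inherited.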