This script removes the “Users” group from the Access Control List (ACL) of a file or folder.
First, NTFS permission inheritance is disabled, then the “Users” group is removed from the ACL.
To work with ACLs, the cmdlet to use is Get-Acl.
TechNet: https://technet.microsoft.com/fr-fr/library/hh849802.aspx
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
```powershell
# File / folder path
$file = 'C:\workdir\test.txt'

# 1. Remove NTFS rights inheritance
$acl = Get-Acl -Path $file
# First argument: protect the ACL from inheritance.
# Second argument: keep the previously inherited rules as explicit rules.
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $file -AclObject $acl

# 2. Remove the "Users" group from ACL
$colRights = [System.Security.AccessControl.FileSystemRights] "FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
# S-1-5-32-545 is the well-known SID of BUILTIN\Users
$objUser = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
# Re-read the ACL so the formerly inherited rules are now explicit and removable
$objACL = Get-Acl $file
# Removes every Allow rule for this identity, whatever rights it grants
$objACL.RemoveAccessRuleAll($objACE)
Set-Acl $file $objACL
```
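To confirm the change took effect, the following added example (not part of the original script) runs the two steps on a constructed temp file and reports the ACL state before and after. The helper name `Test-UsersGroupRemoved`, the temp file name, and the extra check for Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are assumptions introduced here.

```powershell
# Added example, not from the original post. Well-known SIDs are used instead of
# names so the check also works on non-English Windows installations.
$usersSid  = 'S-1-5-32-545'                     # BUILTIN\Users (the SID used in the post)
$broadSids = 'S-1-1-0', 'S-1-5-11'              # Everyone, Authenticated Users

function Test-UsersGroupRemoved {               # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities returned as SIDs
    $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $users = @($allow | Where-Object { $_.IdentityReference.Value -eq $usersSid })
    $broad = @($allow | Where-Object { $broadSids -contains $_.IdentityReference.Value })

    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        UsersAllowAces      = $users.Count
        OtherBroadAllowAces = $broad.Count      # these still grant access to ordinary accounts
        Compliant           = $acl.AreAccessRulesProtected -and $users.Count -eq 0
    }
}

# Constructed sample: a temp file seeded with a Read ACE for BUILTIN\Users
$file = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -LiteralPath $file -Value 'demo'
$sid = New-Object System.Security.Principal.SecurityIdentifier($usersSid)
$acl = Get-Acl -LiteralPath $file
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')))
Set-Acl -LiteralPath $file -AclObject $acl
Test-UsersGroupRemoved -Path $file              # state before the removal

# The two steps from the post
$acl = Get-Acl -LiteralPath $file
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $file -AclObject $acl
$acl = Get-Acl -LiteralPath $file
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
$acl.RemoveAccessRuleAll($ace)
Set-Acl -LiteralPath $file -AclObject $acl
Test-UsersGroupRemoved -Path $file              # state after the removal

Remove-Item -LiteralPath $file
```

A non-zero `OtherBroadAllowAces` means standard accounts can still reach the file through another group even though the “Users” entries are gone.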