Remove “Users” Group from ACL

This script removes the "Users" group from the Access Control List (ACL) of a file or folder.

First, NTFS permission inheritance is disabled on the object (the inherited entries are kept as explicit entries, so nothing else loses access), then every "Users" entry is removed from the ACL. The group is addressed by its well-known SID S-1-5-32-545 (BUILTIN\Users) rather than by name, so the script works on any language of Windows.

To work with ACLs, the cmdlets to use are Get-Acl (read the security descriptor) and Set-Acl (write it back):

TechNet: https://technet.microsoft.com/fr-fr/library/hh849802.aspx

The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.


# File / folder path
$file = 'C:\workdir\test.txt'

# 1. Remove NTFS rights inheritance
#    SetAccessRuleProtection(isProtected, preserveInheritance): the second $True
#    copies the currently inherited entries into the ACL as explicit entries.
#    With $False they would be dropped, which can lock out administrators too.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $file -AclObject $acl

# 2. Remove the "Users" group from ACL
#    RemoveAccessRuleAll() matches on identity and access type (Allow) only,
#    so the rights and inheritance flags of this template rule do not matter.
$colRights = [System.Security.AccessControl.FileSystemRights] "FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
# Well-known SID of BUILTIN\Users, independent of the display language
$objUser = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-Acl $file
$objACL.RemoveAccessRuleAll($objACE)
Set-Acl $file $objACL

# 3. Check the result: no entry for the Users SID should remain
(Get-Acl $file).Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
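The same two steps wrapped in a reusable function, as an added example that is not part of the original script: it accepts several paths (files or folders), supports -WhatIf, and verifies afterwards that no entry for the Users SID is left. The function name Remove-UsersGroupAccess, the test file under $env:TEMP and the output object are assumptions made for this example.

```powershell
function Remove-UsersGroupAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path
    )
    begin {
        # Well-known SID of BUILTIN\Users: works on every Windows language,
        # whereas the name "Users" is localised (e.g. "Utilisateurs" on fr-FR).
        $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
    }
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p)) {
                Write-Error "Path not found: $p"
                continue
            }
            if (-not $PSCmdlet.ShouldProcess($p, 'Disable inheritance and remove BUILTIN\Users entries')) {
                continue
            }

            # Step 1: protect the DACL from inheritance. The second $true copies the
            # inherited entries in as explicit ones, so Administrators, SYSTEM and the
            # owner keep their access. $false there would drop them entirely.
            $acl = Get-Acl -LiteralPath $p
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $p -AclObject $acl

            # Step 2: remove every Allow entry held by the Users SID.
            # RemoveAccessRuleAll matches on identity and access type only, so the
            # rights and inheritance flags of the template rule are irrelevant.
            $acl = Get-Acl -LiteralPath $p
            $template = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $usersSid,
                [System.Security.AccessControl.FileSystemRights]::FullControl,
                [System.Security.AccessControl.InheritanceFlags]::None,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow
            )
            $acl.RemoveAccessRuleAll($template)
            Set-Acl -LiteralPath $p -AclObject $acl

            # Verify: list any entry (Allow or Deny, explicit or inherited) still held
            # by the Users SID. A Deny entry is deliberately left alone and reported.
            $after = Get-Acl -LiteralPath $p
            $remaining = $after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference -eq $usersSid }

            [pscustomobject]@{
                Path            = $p
                InheritanceOff  = $after.AreAccessRulesProtected
                UsersEntriesLeft = @($remaining).Count
            }
        }
    }
}

# Usage on a constructed test file (assumed location); a folder path works the same way.
$target = Join-Path $env:TEMP 'acl-test.txt'
Set-Content -LiteralPath $target -Value 'test'
Remove-UsersGroupAccess -Path $target
icacls $target   # independent view of the resulting DACL
```

The verification step uses GetAccessRules with the SecurityIdentifier type so the comparison is done on SIDs, not on display names; UsersEntriesLeft should be 0 and InheritanceOff should be True after a successful run. Set-Acl needs the caller to own the object or hold the right to change its permissions, otherwise it fails with an unauthorized-operation error and the ACL is left unchanged.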