Remove network drive permissions of a user in all subdirectories


I am trying to remove a user from all subdirectories in a network share.

I have tried the following command: ICACLS X:\ /remove:g username /T

The command runs without failure (although it takes 3.5 hours due to the size of the shared drive) but after I check the permissions, the user's permissions are not deleted from anywhere.

If I navigate to a specific folder where I know that the user has access and run the command there (for example ICACLS X:\subdirectory /remove:g username /T ), it works just fine.

The issue seems to occur only if I try to run it from the root X:\ in which case, no permissions are deleted.

Any ideas why this might be the case?

P.S. I have F access on the root on the account I'm running the command with


Should do it with icacls /T. Unless the user running the command cannot read some directories. But if inheritance is enabled on the folders you probably have Administrators everywhere.

A simple PS script can do it. With some try / catch around $acl | Set-Acl this can be used as a dry-run mode in a non-privileged session. With a privileged session this will effectively replace the ACL on the directory.

# Trailing backslash: "X:" alone means the current directory on drive X, not the root
$path = "X:\"
$username = "Domain\User"
# Get-ChildItem (not Get-Item) is the cmdlet that supports -Directory and -Recurse
Get-ChildItem -Path $path -Directory -Recurse | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    # Only explicit (non-inherited) entries can be removed on this directory;
    # @() keeps .Count valid when a single ACE matches
    $aces = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $username })

    if ($aces.Count -gt 0) {

        Write-Host "Found $($aces.Count) ACE granted for $username on $($_.FullName)"

        foreach($ace in $aces) {
            [void] $acl.RemoveAccessRule($ace)
        }
        # Writes the modified DACL back; fails in a session without WRITE_DAC on the directory
        $acl | Set-Acl -Path $_.FullName
    }
}
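The two things the thread leaves open are whether the account running the command can actually read every directory, and how to confirm afterwards that nothing was missed. The script below is an added example, not the answerer's code and not part of the original post: it removes explicit ACEs for one identity under a root, supports -WhatIf as a dry run, records every directory it could not enumerate or read the ACL of, and finishes with a verification pass. The parameter names, the script file name and the "X:\" / "DOMAIN\username" values are placeholders.

```powershell
# Added example (not from the original post): recursive removal of explicit ACEs
# for one identity, with a dry-run switch, a list of unreadable directories and a
# final verification pass. Root path and account name are placeholders.
# Usage (placeholder file name):
#   .\Remove-ExplicitAces.ps1 -Path X:\ -Identity DOMAIN\username -WhatIf   # dry run
#   .\Remove-ExplicitAces.ps1 -Path X:\ -Identity DOMAIN\username           # apply
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $Path,      # e.g. "X:\" (placeholder)
    [Parameter(Mandatory)] [string] $Identity   # e.g. "DOMAIN\username" (placeholder)
)

$unreadable = New-Object System.Collections.Generic.List[string]
$changed    = New-Object System.Collections.Generic.List[string]

# Include the root itself, then every subdirectory. -Force lists hidden directories.
# -ErrorVariable collects the directories this account is not allowed to enumerate,
# which is the "cannot read some directories" case from the answer.
$dirs = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
              -ErrorAction SilentlyContinue -ErrorVariable enumErrors)
foreach ($e in $enumErrors) { $unreadable.Add([string] $e.TargetObject) }

foreach ($dir in $dirs) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName
    } catch {
        # READ_CONTROL denied: the DACL cannot even be inspected here
        $unreadable.Add($dir.FullName)
        continue
    }

    # Only explicit (non-inherited) ACEs can be removed from this object; an inherited
    # ACE is removed by editing the directory that defines it, which the walk from the
    # root reaches before its children.
    $aces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity })
    if ($aces.Count -eq 0) { continue }

    # ShouldProcess honours -WhatIf / -Confirm, so the dry run needs no extra code
    if ($PSCmdlet.ShouldProcess($dir.FullName, "Remove $($aces.Count) explicit ACE(s) for $Identity")) {
        foreach ($ace in $aces) { [void] $acl.RemoveAccessRule($ace) }
        try {
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
            $changed.Add($dir.FullName)
        } catch {
            Write-Warning "Set-Acl failed on $($dir.FullName): $($_.Exception.Message)"
        }
    }
}

# Verification pass: report any directory that still carries an explicit ACE for the
# identity, i.e. the check the question describes doing by hand afterwards.
$remaining = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if ($acl -and ($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity })) {
        $dir.FullName
    }
}

"Directories changed:    $($changed.Count)"
"Directories unreadable: $($unreadable.Count)"
$unreadable | ForEach-Object { "  unreadable: $_" }
$remaining  | ForEach-Object { "  still has explicit ACE: $_" }
```

Run it first with -WhatIf from the same account you use for icacls: a non-empty "unreadable" list shows exactly which subtrees a full-drive run silently skips, and a non-empty "still has explicit ACE" list after a real run points at directories where Set-Acl failed or where the account lacks WRITE_DAC. Like the answer's script, this touches directories only; drop -Directory from the Get-ChildItem call if explicit ACEs on files also need cleaning up.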