Removing access control entries

Individual rules may be removed from an access control list using a number of different methods:

  • RemoveAccessRule: Matches IdentityReference and AccessMask
  • RemoveAccessRuleAll: Matches IdentityReference
  • RemoveAccessRuleSpecific: Exact match

The access mask is a generic term used to refer to the specific rights granted (filesystem rights for a file or directory and registry rights for a registry key).

To demonstrate rule removal, explicit entries must first be added to the ACL. Enabling, then disabling, access rule protection leaves the ACL with two sets of rules: the original inherited set and an explicit copy of the same rules.

To enable access rule protection and copy inherited rules:

$acl = Get-Acl C:\Temp\ACL3
$acl.SetAccessRuleProtection($true, $true)
Set-Acl C:\Temp\ACL3 -AclObject $acl

Disabling protection again restores inheritance; once committed, the inherited rules will appear alongside the copied rules:

$acl = Get-Acl C:\Temp\ACL3
$acl.SetAccessRuleProtection($false, $true)
Set-Acl C:\Temp\ACL3 -AclObject $acl

The rules may be viewed on the ACL:

PS> $acl = Get-Acl C:\Temp\ACL3
$acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited

IdentityReference                  FileSystemRights           IsInherited
-----------------                  ----------------           -----------
NT AUTHORITY\Authenticated Users   -536805376                       False
NT AUTHORITY\Authenticated Users   Modify, Synchronize              False
NT AUTHORITY\SYSTEM                FullControl                      False
NT AUTHORITY\SYSTEM                268435456                        False
BUILTIN\Administrators             268435456                        False
BUILTIN\Administrators             FullControl                      False
BUILTIN\Users                      ReadAndExecute, Synchronize      False
BUILTIN\Administrators             FullControl                       True
BUILTIN\Administrators             268435456                         True
NT AUTHORITY\SYSTEM                FullControl                       True
NT AUTHORITY\SYSTEM                268435456                         True
BUILTIN\Users                      ReadAndExecute, Synchronize       True
NT AUTHORITY\Authenticated Users   Modify, Synchronize               True
NT AUTHORITY\Authenticated Users   -536805376                        True

The following example finds each of the explicit rules and removes each from the ACL:

$acl = Get-Acl C:\Temp\ACL3
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }
Set-Acl C:\Temp\ACL3 -AclObject $acl
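The loop above uses only RemoveAccessRuleSpecific. The following script is an added example, not code from the book, and walks through all three removal methods on the same test directory so the different matching rules can be seen side by side. It assumes C:\Temp\ACL3 exists and that the session owns it or otherwise holds WRITE_DAC, since Set-Acl rewrites the DACL; the New-Rule and Show-ExplicitRules helpers are defined here for readability and are not part of the book's code.

```powershell
# Added example (not code from the book): exercises RemoveAccessRuleSpecific,
# RemoveAccessRule and RemoveAccessRuleAll on a test directory. Assumes
# C:\Temp\ACL3 exists and the session may write its DACL.
$path  = 'C:\Temp\ACL3'
$users = [System.Security.Principal.NTAccount]'BUILTIN\Users'

function New-Rule {
    # Helper (assumed, not from the book): identity, rights, inheritance, type.
    # Propagation is always None so the rule reads as a plain ACE.
    param($Identity, $Rights, $Inheritance, $Type)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inheritance, 'None', $Type)
}

function Show-ExplicitRules {
    # Helper (assumed, not from the book): lists explicit entries only, since
    # inherited entries are managed on the parent and the Remove* methods
    # do not touch them.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
}

# Known starting point: protect the ACL, keep an explicit copy of the inherited
# rules, and add a deny entry that applies to this folder only.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule((New-Rule $users 'Delete' 'None' 'Deny'))
Set-Acl -Path $path -AclObject $acl
Show-ExplicitRules $path

# RemoveAccessRuleSpecific needs an exact match. This rule differs from the
# stored deny entry only in its inheritance flags, so nothing is removed.
$acl = Get-Acl -Path $path
$acl.RemoveAccessRuleSpecific((New-Rule $users 'Delete' 'ContainerInherit, ObjectInherit' 'Deny'))
Set-Acl -Path $path -AclObject $acl
Show-ExplicitRules $path   # the Delete deny entry is still listed

# RemoveAccessRule matches on identity and access mask (within the rule's
# allow/deny type). Here that is the deny entry; the method returns $true
# when an entry was removed.
$acl = Get-Acl -Path $path
$removed = $acl.RemoveAccessRule((New-Rule $users 'Delete' 'None' 'Deny'))
Set-Acl -Path $path -AclObject $acl
"RemoveAccessRule removed the deny entry: $removed"
Show-ExplicitRules $path

# RemoveAccessRuleAll matches on identity only (within the rule's allow/deny
# type): the rights named here are irrelevant, and every explicit allow entry
# for Users goes, such as the copied ReadAndExecute entry seen earlier.
$acl = Get-Acl -Path $path
$acl.RemoveAccessRuleAll((New-Rule $users 'Read' 'None' 'Allow'))
Set-Acl -Path $path -AclObject $acl
Show-ExplicitRules $path   # no allow entries for BUILTIN\Users remain

# Put the directory back under its parent's inheritance when done.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $path -AclObject $acl
```

Each step re-reads the ACL with Get-Acl before modifying it, so the output of Show-ExplicitRules reflects what was actually committed rather than the in-memory object. The final step only restores inheritance; the remaining explicit copies of the inherited rules are cleared with the RemoveAccessRuleSpecific loop shown above.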