Removing access control entries

Individual rules may be removed from an access control list using a number of different methods:

  • RemoveAccessRule: Matches IdentityReference and AccessControlType (Allow or Deny), and removes only the rights in the supplied rule's access mask; an existing rule that grants more than that is narrowed, not deleted
  • RemoveAccessRuleAll: Matches IdentityReference and AccessControlType only; the access mask is ignored, so every Allow (or every Deny) rule for that identity is removed
  • RemoveAccessRuleSpecific: Exact match of every property (identity, type, rights, inheritance and propagation flags)

Access mask is the generic term for the set of rights a rule grants or denies: FileSystemRights for a file or directory, RegistryRights for a registry key.

To demonstrate rule removal, the ACL needs some explicit entries. Enabling and then disabling access rule protection, preserving the existing rules each time, creates them: the directory ends up with the original inherited set plus an explicit copy of the same rules.

To enable access rule protection and copy inherited rules, do the following:

$acl = Get-Acl C:\Temp\ACL3
# $true, $true: protect the DACL from inheritance and keep the inherited rules as explicit copies
$acl.SetAccessRuleProtection($true, $true)
Set-Acl C:\Temp\ACL3 -AclObject $acl

Disabling protection again (still preserving the existing rules) will, once committed, make the inherited rules reappear alongside the copied rules:

$acl = Get-Acl C:\Temp\ACL3
# $false, $true: allow inheritance again, keeping the explicit copies made above
$acl.SetAccessRuleProtection($false, $true)
Set-Acl C:\Temp\ACL3 -AclObject $acl

Rules may be viewed in the ACL. The numeric values in the FileSystemRights column are generic access rights (268435456 is GENERIC_ALL; -536805376 is GENERIC_READ, GENERIC_WRITE and GENERIC_EXECUTE plus DELETE) carried by entries that apply to child objects only; they have no name in the FileSystemRights enumeration:

PS> $acl = Get-Acl C:\Temp\ACL3
PS> $acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited

IdentityReference                FileSystemRights          IsInherited
-----------------                ----------------          -----------
NT AUTHORITY\Authenticated Users -536805376                      False
NT AUTHORITY\Authenticated Users Modify, Synchronize             False
NT AUTHORITY\SYSTEM              FullControl                     False
NT AUTHORITY\SYSTEM              268435456                       False
BUILTIN\Administrators           268435456                       False
BUILTIN\Administrators           FullControl                     False
BUILTIN\Users                    ReadAndExecute, Synchronize     False
BUILTIN\Administrators           FullControl                      True
BUILTIN\Administrators           268435456                        True
NT AUTHORITY\SYSTEM              FullControl                      True
NT AUTHORITY\SYSTEM              268435456                        True
BUILTIN\Users                    ReadAndExecute, Synchronize      True
NT AUTHORITY\Authenticated Users Modify, Synchronize              True
NT AUTHORITY\Authenticated Users -536805376                       True

The following example finds each explicit (non-inherited) rule and removes it from the ACL. Because RemoveAccessRuleSpecific requires an exact match, passing the rule object read from the ACL itself is the reliable way to target it. The Access property returns a fresh collection, so removing rules while iterating over it is safe:

$acl = Get-Acl C:\Temp\ACL3
$acl.Access | Where-Object IsInherited -eq $false | ForEach-Object {
    # $_ is the FileSystemAccessRule exactly as stored, so the exact match succeeds
    $acl.RemoveAccessRuleSpecific($_)
}
Set-Acl C:\Temp\ACL3 -AclObject $acl
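The example below is added here to contrast all three removal methods on one scratch directory; it is not code from the original page. It assumes a writable directory under $env:TEMP, and the BUILTIN\Users rules it adds (an Allow for Modify and a Deny for Delete) are constructed for the demonstration only. Existing entries for the same identity and flags merge with the ones added, so the exact rights shown on a given machine may differ slightly from the comments.

```powershell
# Added example (not from the original page): RemoveAccessRule vs
# RemoveAccessRuleSpecific vs RemoveAccessRuleAll on a scratch directory.
$path = Join-Path $env:TEMP 'ACL-Remove-Demo'   # assumed scratch location
New-Item -Path $path -ItemType Directory -Force | Out-Null

$users = [System.Security.Principal.NTAccount]'BUILTIN\Users'

function Show-Rules {
    param([string]$Path, [string]$Identity)
    (Get-Acl $Path).Access |
        Where-Object { $_.IdentityReference -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Set up: protect the DACL (keeping inherited rules as explicit copies) and add
# two explicit rules for the same identity, one Allow and one Deny.
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $true)
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl
Show-Rules $path 'BUILTIN\Users'    # Allow Modify and Deny Delete are both present

# 1. RemoveAccessRule: matches identity and Allow/Deny type, then subtracts only
#    the rights named in the rule passed. Removing Write from the Modify rule
#    leaves the remaining Modify rights in place; the Deny rule is untouched.
$acl = Get-Acl $path
$partial = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$null = $acl.RemoveAccessRule($partial)    # returns a bool; suppressed
Set-Acl -Path $path -AclObject $acl
Show-Rules $path 'BUILTIN\Users'    # Allow rule now lacks Write; Deny Delete remains

# 2. RemoveAccessRuleSpecific: exact match only. Same identity, type and rights
#    but different inheritance flags is not a match, so nothing is removed.
$acl = Get-Acl $path
$wrongFlags = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Delete', 'None', 'None', 'Deny')
$acl.RemoveAccessRuleSpecific($wrongFlags)
Set-Acl -Path $path -AclObject $acl
Show-Rules $path 'BUILTIN\Users'    # Deny Delete is still present

# 3. RemoveAccessRuleAll: matches identity and Allow/Deny type; the rights in the
#    rule passed are ignored, so a Deny rule for Read removes every Deny for Users.
$acl = Get-Acl $path
$anyDeny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $users, 'Read', 'None', 'None', 'Deny')
$acl.RemoveAccessRuleAll($anyDeny)
Set-Acl -Path $path -AclObject $acl
Show-Rules $path 'BUILTIN\Users'    # only the Allow rule is left

Remove-Item -Path $path -Recurse -Force
```

When cleaning up permissions in a script, step 1 is the one that surprises people: RemoveAccessRule with a rule that names fewer rights than the entry holds trims the entry rather than deleting it, which is why the page's own cleanup loop uses RemoveAccessRuleSpecific with the rule objects read back from the ACL.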