Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Remove Users group permissions from a folder

  • Filter
  • Time
  • Show
Clear All
new posts

  • Remove Users group permissions from a folder


    Can you guys help me out with a vbs script (or command line) in which i remove ALL permissions for the USERS group from a specific folder.
    I tried with CACLS "[path_to_folder]" /remove Users:g /T /C but it does not work.
    The end behavior should be a admin password prompt when a user tries to open the folder.


  • #2
    Have you tried to run a CACLS inquiry to display all the current permissions first? I ask because 'USERS' from your description vs 'Users' in the code example, may not be enough of an ident. It could equate to '<servername>\Users' vs '<domain>\Authenticated Users'. The exact name and case could be the one thing tripping you up.
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      First of all, i made a mistake in the command i used. I tried with ICACLS, not CACLS.
      I tried some more with CACLS, and got it to work, partially.
      The command i used is CACLS "[path_to_folder]" /E /T /R Users. It working in the sense that when i try to access the folder from a domain user i am prompted to enter the admin credentials. But after i enter them the permissions are granted to the whole Users group, not just to the user i was logged on to. So if i login with another user i can access the folder. Normally only the user on which i was logged on when entering the admin credentials should have access to that folder, not the whole users group.

      So, any ideas on how to make it not give access rights to the whole users group after i enter the admin credentials from one user?


      • #4
        I managed to make it work
        The command line used is: icacls "[path_to_folder]" /inheritance:d /remove:g Users
        The only downside is i have to run the command twice. First run it removes the inheritance, second run it revokes access. Have no idea why it doesn't work in one go, but not problem to run it twice.


        • #5
          That is the same as behaviour in the GUI - you break inheritance, copying permissions, as one operation, then you change permissions as a second operation, so I would consider it the default behaviour. If you did not remove inheritance first, you could not change permissions at all
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Yeap, i noticed that i can't do it in one go from the GUI either, so i guess you're right. This seems to be the default behavior.


            • #7
              Are you restricted to using VBS?

              Add this to powershell

              Run this

               $acl = Get-ACL 't:\89\src' $rules = $acl.access | Where-Object {      (-not $_.IsInherited) -and      $_.IdentityReference -like "DOMAIN\*"  } ForEach($rule in $rules) {     $acl.RemoveAccessRule($rule) | Out-Null } Set-ACL -Path 't:\89\src' -AclObject $acl
              Taken from here