Remove Users group permissions from a folder


This topic contains 6 replies, has 5 voices, and was last updated by  Adalberto 1 year, 5 months ago.


  • KodiaK


    Can you guys help me out with a VBS script (or command line) in which I remove ALL permissions for the USERS group from a specific folder?
    I tried with CACLS "[path_to_folder]" /remove Users:g /T /C but it does not work.
    The end behavior should be an admin password prompt when a user tries to open the folder.



    Have you tried to run a CACLS inquiry to display all the current permissions first? I ask because ‘USERS’ from your description vs ‘Users’ in the code example, may not be enough of an ident. It could equate to ‘Users’ vs ‘Authenticated Users’. The exact name and case could be the one thing tripping you up.


    First of all, I made a mistake in the command I used. I tried with ICACLS, not CACLS.
    I tried some more with CACLS, and got it to work, partially.
    The command I used is CACLS "[path_to_folder]" /E /T /R Users. It is working in the sense that when I try to access the folder from a domain user I am prompted to enter the admin credentials. But after I enter them the permissions are granted to the whole Users group, not just to the user I was logged on to. So if I log in with another user I can access the folder. Normally only the user on which I was logged on when entering the admin credentials should have access to that folder, not the whole Users group.

    So, any ideas on how to make it not give access rights to the whole Users group after I enter the admin credentials from one user?


    I managed to make it work :)
    The command line used is: icacls "[path_to_folder]" /inheritance:d /remove:g Users
    The only downside is I have to run the command twice. The first run removes the inheritance, the second run revokes access. I have no idea why it doesn't work in one go, but it's not a problem to run it twice.


    That is the same as the behaviour in the GUI – you break inheritance, copying permissions, as one operation, then you change permissions as a second operation, so I would consider it the default behaviour. If you did not remove inheritance first, you could not change permissions at all.


    Yeap, I noticed that I can't do it in one go from the GUI either, so I guess you're right. This seems to be the default behavior.


    Are you restricted to using VBS?

    Add this to PowerShell

    Run this

    $acl = Get-ACL 't:89src'
    # Select the explicit (non-inherited) rules whose identity matches the pattern
    $rules = $acl.access | Where-Object { (-not $_.IsInherited) -and $_.IdentityReference -like "DOMAIN*" }
    # Remove each selected rule from the in-memory ACL, then write the ACL back
    ForEach($rule in $rules) { $acl.RemoveAccessRule($rule) | Out-Null }
    Set-ACL -Path 't:89src' -AclObject $acl

    Taken from here
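
The two-step sequence worked out in the thread (disable inheritance while copying the inherited entries, then remove the Users entries), written as an added PowerShell example that is not code from any poster. It assumes an elevated session; `$Path` is a placeholder parameter, and the group is addressed by its well-known SID S-1-5-32-545 (BUILTIN\Users) so that it cannot be confused with Authenticated Users or a domain group of a similar name.

```powershell
# Added example, not from the thread. $Path is a placeholder for the folder to lock down.
param(
    [Parameter(Mandatory)]
    [string]$Path
)

# Well-known SID of the local BUILTIN\Users group (name-independent, works on localized Windows).
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

# Step 1: protect the DACL from inheritance and keep copies of the inherited
# entries (same effect as "icacls /inheritance:d"), then commit the change.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -LiteralPath $Path -AclObject $acl

# Step 2: re-read the ACL so the copied entries are now explicit, then remove
# every access rule that names BUILTIN\Users and commit again.
$acl = Get-Acl -LiteralPath $Path
$acl.PurgeAccessRules($usersSid)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verification: read the DACL back with identities expressed as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

$leftover = $rules | Where-Object { $_.IdentityReference.Value -eq $usersSid.Value }
if ($leftover) {
    Write-Warning "BUILTIN\Users still has $(@($leftover).Count) entry(ies) on $Path"
}

# List what remains so other broad groups (for example Authenticated Users)
# that still grant access are visible to the reviewer.
Get-Acl -LiteralPath $Path |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Because inheritance is disabled on the folder itself, files and subfolders below it pick up the new, reduced ACL through normal inheritance unless they carry their own protected ACLs.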
