NTFSSecurity
Remove-NTFSAccess cannot remove an ACE with the GenericAll AccessRights
Get-NTFSAccess -Path 'c:\mypath' -Account 'creator owner' | Remove-NTFSAccess
Results in the following error:
Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (c:\mypath:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
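Added example, not code from this thread or from the NTFSSecurity module. The two numbers that turn up in this issue decode cleanly when read as a raw Win32 ACCESS_MASK: 269484032 is 0x10100000, that is GENERIC_ALL | SYNCHRONIZE, and the -536805376 that Get-Acl prints further down is 0xE0010000, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE. Generic rights are perfectly legal in an on-disk ACE (Windows itself writes an inherit-only GENERIC_ALL entry for CREATOR OWNER in default DACLs, and NTFS maps them to specific rights when a child inherits them), but the .NET FileSystemRights enum has no members for them, and the FileSystemAccessRule constructor throws ArgumentOutOfRangeException with parameter name fileSystemRights for any mask that is negative or larger than FullControl (0x001F01FF); the message and parameter name above are that check. For an audit, an inherit-only GENERIC_ALL entry is Full Control on every child, whatever a tool prints for it. The script below assumes Windows (either Windows PowerShell or pwsh) and decodes a mask, then shows the constructor check:

```powershell
# Added example, not code from the thread or from NTFSSecurity.
# Decodes a raw ACCESS_MASK as printed by Get-Acl or the error above, and shows
# the FileSystemAccessRule range check that produces the exception. Windows only.

# High-order and standard bits of a Win32 ACCESS_MASK (winnt.h names).
$AccessMaskBits = [ordered]@{
    GENERIC_READ           = 0x80000000
    GENERIC_WRITE          = 0x40000000
    GENERIC_EXECUTE        = 0x20000000
    GENERIC_ALL            = 0x10000000
    MAXIMUM_ALLOWED        = 0x02000000
    ACCESS_SYSTEM_SECURITY = 0x01000000
    SYNCHRONIZE            = 0x00100000
    WRITE_OWNER            = 0x00080000
    WRITE_DAC              = 0x00040000
    READ_CONTROL           = 0x00020000
    DELETE                 = 0x00010000
}
# [FileSystemRights]::FullControl; the FileSystemAccessRule ctor rejects anything larger or negative.
$FullControlMask = 0x001F01FF

function ConvertTo-AccessMaskReport {
    # $Mask may be the negative Int32 that Get-Acl prints (for example -536805376).
    param([Parameter(Mandatory)][int64]$Mask)
    $u = [uint32]($Mask -band 0xFFFFFFFF)          # reinterpret as unsigned 32-bit
    $named = foreach ($bit in $AccessMaskBits.GetEnumerator()) {
        if (($u -band [uint32]$bit.Value) -ne 0) { $bit.Key }
    }
    [pscustomobject]@{
        Mask                 = $Mask
        Hex                  = '0x{0:X8}' -f $u
        NamedBits            = $named -join ', '
        FileSpecificBits     = '0x{0:X4}' -f ($u -band 0xFFFF)   # FILE_* rights, 0x01FF = all file-specific bits
        FitsFileSystemRights = ($u -le $FullControlMask)
    }
}

function Test-FileSystemAccessRuleMask {
    # Builds a rule the way any .NET caller must and reports accept/reject.
    param([Parameter(Mandatory)][int64]$Mask)
    $rights = [System.Security.AccessControl.FileSystemRights]$Mask
    try {
        $null = [System.Security.AccessControl.FileSystemAccessRule]::new('Everyone', $rights, 'Allow')
        "accepted: $rights"
    } catch {
        $e = if ($_.Exception.InnerException) { $_.Exception.InnerException } else { $_.Exception }
        "rejected: $($e.GetType().Name) - $($e.Message)"
    }
}

ConvertTo-AccessMaskReport -Mask 269484032  | Format-List   # GENERIC_ALL, SYNCHRONIZE
ConvertTo-AccessMaskReport -Mask -536805376 | Format-List   # GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, DELETE
Test-FileSystemAccessRuleMask -Mask 269484032               # rejected: ArgumentOutOfRangeException
Test-FileSystemAccessRuleMask -Mask $FullControlMask        # accepted: FullControl
```

The decoder works from the bit layout rather than from the .NET enum on purpose: casting 0x10100000 to FileSystemRights succeeds (PowerShell does not range-check the cast), so the value only blows up once a FileSystemAccessRule is built from it, which is exactly the point at which Remove-NTFSAccess fails.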
Sorry for the very late reply. I have tried to repro this and could not. I was able to copy the respective permissions from a standard Windows folder and also remove them from the folder I had copied them to. The commands I have used are these:
PS C:\Test> mkdir T1

    Directory: C:\Test

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/26/2018   6:31 PM                T1
PS C:\Test> Get-NTFSAccess -Path C:\Windows\Globalization | Add-NTFSAccess -Path C:\Test\T1
PS C:\Test> Get-NTFSAccess -Path C:\Test\T1

Path: C:\Test\T1 (Inheritance enabled)

Account                             Access Rights             Applies to                 Type   IsInherited  InheritedFrom
-------                             -------------             ----------                 ----   -----------  -------------
CREATOR OWNER                       Synchronize, GenericAll   SubfoldersAndFilesOnly     Allow  False
NT AUTHORITY\SYSTEM                 Synchronize, GenericAll   SubfoldersAndFilesOnly     Allow  False
NT AUTHORITY\SYSTEM                 Modify, Synchronize       ThisFolderOnly             Allow  False
BUILTIN\Administrators              Synchronize, GenericAll   SubfoldersAndFilesOnly     Allow  False
BUILTIN\Administrators              Modify, Synchronize       ThisFolderOnly             Allow  False
BUILTIN\Users                       Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
BUILTIN\Users                       ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
NT SERVICE\TrustedInstaller         Synchronize, GenericAll   SubfoldersOnly             Allow  False
NT SERVICE\TrustedInstaller         FullControl               ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
APPLICATION PACKAGE AUTHORITY\AL... ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
NT AUTHORITY\Authenticated Users    Modify, Synchronize       ThisFolderOnly             Allow  True         C:\Test
NT AUTHORITY\Authenticated Users    Delete, GenericExecu...   SubfoldersAndFilesOnly     Allow  True         C:\Test
NT AUTHORITY\SYSTEM                 FullControl               ThisFolderSubfoldersAn...  Allow  True         C:\Test
BUILTIN\Administrators              FullControl               ThisFolderSubfoldersAn...  Allow  True         C:\Test
BUILTIN\Users                       ReadAndExecute, Sync...   ThisFolderSubfoldersAn...  Allow  True         C:\Test
PS C:\Test> Get-NTFSAccess -Path C:\Test\T1 | Where-Object { $_.Account -eq 'CREATOR OWNER' } | Remove-NTFSAccess
PS C:\Test> Get-NTFSAccess -Path C:\Test\T1

Path: C:\Test\T1 (Inheritance enabled)

Account                             Access Rights             Applies to                 Type   IsInherited  InheritedFrom
-------                             -------------             ----------                 ----   -----------  -------------
NT AUTHORITY\SYSTEM                 Synchronize, GenericAll   SubfoldersAndFilesOnly     Allow  False
NT AUTHORITY\SYSTEM                 Modify, Synchronize       ThisFolderOnly             Allow  False
BUILTIN\Administrators              Synchronize, GenericAll   SubfoldersAndFilesOnly     Allow  False
BUILTIN\Administrators              Modify, Synchronize       ThisFolderOnly             Allow  False
BUILTIN\Users                       Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
BUILTIN\Users                       ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
NT SERVICE\TrustedInstaller         Synchronize, GenericAll   SubfoldersOnly             Allow  False
NT SERVICE\TrustedInstaller         FullControl               ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
APPLICATION PACKAGE AUTHORITY\AL... ReadAndExecute, Sync...   ThisFolderOnly             Allow  False
APPLICATION PACKAGE AUTHORITY\AL... Synchronize, Generic...   SubfoldersAndFilesOnly     Allow  False
NT AUTHORITY\Authenticated Users    Modify, Synchronize       ThisFolderOnly             Allow  True         C:\Test
NT AUTHORITY\Authenticated Users    Delete, GenericExecu...   SubfoldersAndFilesOnly     Allow  True         C:\Test
NT AUTHORITY\SYSTEM                 FullControl               ThisFolderSubfoldersAn...  Allow  True         C:\Test
BUILTIN\Administrators              FullControl               ThisFolderSubfoldersAn...  Allow  True         C:\Test
BUILTIN\Users                       ReadAndExecute, Sync...   ThisFolderSubfoldersAn...  Allow  True         C:\Test
If you can still repro this, can you give me some more details?
I'll have an opportunity to test again tomorrow. I'll provide more info then.
Here's what I'm seeing:
Get-NTFSAccess -Path $TeamMount.DeviceID -Account 'CREATOR OWNER' | Remove-NTFSAccess
seems to work
Remove-NTFSAccess -Path $TeamMount.DeviceID -AccessRights GenericAll -Account 'CREATOR OWNER' -AccessType Allow -AppliesTo SubfoldersAndFilesOnly
does not.
So I'm going to change my approach, and see how it goes!
Late to the party, but I ran into this when trying to remove invalid SIDs from shares. It seems that if the AccessRights are GenericAll this issue comes up.
Get-NTFSOrphanedAccess -Path $UserShare | Remove-NTFSAccess
I feel as though the workaround that @raandree demonstrates above was working, but today, running 4.2.4 on a Server 2016 instance, it no longer is:
PS C:\Users\myaccount\Documents> get-ntfsaccess -Path T:\HCSO\ | where Account -eq 'creator owner' | Remove-NTFSAccess
Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (T:\HCSO:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
nor is
PS C:\Users\myaccount\Documents> get-ntfsaccess -Path T:\HCSO\ -Account 'creator owner' | remove-ntfsaccess
remove-ntfsaccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (T:\HCSO:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
There are enough variables in the equation (new version of the module, new server version), that I'm not willing to pin this on any one entity at this point.
[Server]: PS H:\caxx\HOME> Remove-NTFSAccess -Path .\DAHA007\ -Account BUILTIN\Administrators -AccessRights GenericAll
Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (.\DAHA007\:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
I realize now that in the past I've always associated the problem with the user portion of the ACE, but it is clearly the access rights part.
Nonetheless, I'm able to replicate the problem in 4.2.4
It happens when I try to remove the Everyone ACE when it has these rights.
Account     Access Rights   Applies to               Type   IsInherited  InheritedFrom
-------     -------------   ----------               ----   -----------  -------------
Everyone    GenericAll      SubfoldersAndFilesOnly   Allow  False
Just an update: I can confirm that this is still an issue in 4.2.6
PS C:\WINDOWS\system32> Get-NTFSAccess \\itinfpw022\itxxhome\JAPE004 -Account HC_ACCT\TrainerJami

Path: \\itinfpw022\itxxhome\JAPE004 (Inheritance enabled)

Account               Access Rights   Applies to               Type   IsInherited  InheritedFrom
-------               -------------   ----------               ----   -----------  -------------
HC_ACCT\TrainerJami   FullControl     ThisFolderOnly           Allow  False
HC_ACCT\TrainerJami   GenericAll      SubfoldersAndFilesOnly   Allow  False
PS C:\WINDOWS\system32> Get-NTFSAccess \\itinfpw022\itxxhome\JAPE004 -Account HC_ACCT\TrainerJami |Remove-NTFSAccess
Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
At line:1 char:76
+ ... w022\itxxhome\JAPE004 -Account HC_ACCT\TrainerJami |Remove-NTFSAccess
+                                                         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (\\itinfpw022\itxxhome\JAPE004:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
and
PS C:\WINDOWS\system32> Remove-NTFSAccess -Path \\itinfpw022\itxxhome\JAPE004 -Account HC_ACCT\TrainerJami -AccessRights GenericAll -AccessType Allow
Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
At line:1 char:1
+ Remove-NTFSAccess -Path \\itinfpw022\itxxhome\JAPE004 -Account HC_ACC ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (\\itinfpw022\itxxhome\JAPE004:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
Still broken.
Still broken.
Well, since there have been no commits since July of last year - that's really not a surprise.
I see. Did anyone find another solution? I have a million folders I need to remove the GenericRead attribute from a group.
Hey folks following this issue. I just noticed something, and I'm hoping you can test this out!
I found a directory with a GenericAll ACE as reported by Get-NTFSAccess:

Contoso\someuser    GenericAll    SubfoldersAndFilesOnly    Allow    False
Using the Windows GUI (right click, properties, permissions, advanced) I took a look at that person's permissions, and it showed "FullAccess Subfolders and Files Only" So I tried to give my account the same rights (again via the gui) but when I checked with Get-NTFSAccess
it showed BOTH my account and the other user as now having

Contoso\MyAccount   FullControl   SubfoldersAndFilesOnly    Allow    False
Contoso\someuser    FullControl   SubfoldersAndFilesOnly    Allow    False
And then I could delete both ACEs with remove-ntfsaccess
So I would like you all to try that as well. I hope I've explained that well enough that you can reproduce my actions. I'm not saying this is a solution, but I'm hoping that it can provide some information that will help resolve this in the long run.
I know we'd all like to see this resolved, and I have to admit, I was really looking forward to having some face to face time with Raimund this week as he was scheduled to present at the PowerShell + DevOps Global Summit in Bellevue, WA.
Following up on my previous comment, I found another directory with a similar ACE.
This time I tried giving myself GenericAll via Add-NTFSAccess. What I found was that instead of AccessRights "GenericAll", I had received Access Rights "Synchronize, GenericAll". Further, I found that I could remove those rights with Remove-NTFSAccess.
So I thought, "what if I try giving the user with the GenericAll right the same rights again?"
Will they get that Synchronize right?
Add-NTFSAccess -Path H:\CAXX\HOME\anotheruser -Account Contoso\anotheruser -AccessRights GenericAll -AccessType Allow -AppliesTo SubfoldersAndFilesOnly
Well, lo and behold, they do!! They end up with
Contoso\anotheruser Synchronize... SubfoldersAndFilesOnly Allow False
And now you can easily remove that ACE
So I think we have a WORKAROUND
$Path    = "T:\This\Dir"
$Account = "Contoso\ThatAccount"
$ACE = Get-NTFSAccess -Path $Path -Account $Account
try {
    # Normal removal; throws ArgumentOutOfRangeException when the ACE carries plain GenericAll
    $ACE | Remove-NTFSAccess -ErrorAction Stop
}
catch {
    # Re-adding the same rights rewrites the ACE as "Synchronize, GenericAll", which Remove-NTFSAccess accepts
    Add-NTFSAccess -Path $Path -Account $Account -AccessRights GenericAll -AccessType Allow -AppliesTo SubfoldersAndFilesOnly
    Get-NTFSAccess -Path $Path -Account $Account | Remove-NTFSAccess -ErrorAction Stop
}
EDIT: Yes, I realize that this could be an expensive operation depending on the number of files and folders in a directory tree. Let me know what you think!
Hello @AspenForester,
I had the same issue. Your solution is interesting and I will try it. On my side, I used the Get-Acl and Set-Acl cmdlets.
It appears that those weird ACEs exist because of a bad inheritance. In my company, there is more than one ACE for the Authenticated Users group on the C: drive. The purpose is to prevent Authenticated Users from writing directly on C:. They can create folders, append data, but that's all. There is another ACE which allows them to write into the subfolders.
I created C:\Temp\Test. Test folder inherits permissions of C:. But there is an additional ACE which isn't required:
Account                             Access Rights   Applies to                 Type   IsInherited  InheritedFrom
-------                             -------------   ----------                 ----   -----------  -------------
BUILTIN\Administrators              FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
NT AUTHORITY\SYSTEM                 FullControl     ThisFolderSubfoldersAn...  Allow  True         C:
BUILTIN\Users                       ReadAndExec...  ThisFolderSubfoldersAn...  Allow  True         C:
NT AUTHORITY\Authenticated Users    Modify, Syn...  ThisFolderOnly             Allow  True         C:
NT AUTHORITY\Authenticated Users    Delete, Gen...  SubfoldersAndFilesOnly     Allow  True         C:
There is this Delete, Generic something ACE that I don't want. For now, inheritance is enabled. If I disable it from Windows UI, it works fine. If I use Disable-NTFSAccessInheritance, it's another story as the weird ACE stays. If you look at it with Get-NTFSAccess, the access right stays as Delete, Generic something. If you look at it with Get-Acl, it's even weirder:
PS C:\WINDOWS\system32> (Get-Acl -Path "C:\Temp\Test").Access

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
I'm talking about this: FileSystemRights : -536805376. It's a kind of mask. I tried to remove it with Remove-NTFSAccess, but the AccessRights argument doesn't accept this number. That's why I used Get-Acl and Set-Acl to remove it:
$path = "C:\Temp\Test"
$acl  = Get-Acl -LiteralPath $path
# Explicit (non-inherited) ACEs for Authenticated Users only
$rules = $acl.Access | Where-Object { (-not $_.IsInherited) -and ($_.IdentityReference -like "NT AUTHORITY\Authenticated Users") }
ForEach ($rule in $rules)
{
    $acl.RemoveAccessRule($rule) | Out-Null   # returns a bool; discard it
}
$acl | Set-Acl -LiteralPath $path
And then, I end up with the same ACE as you, with the Synchronize access right that I can easily remove. I'm still exploring here, so I might find something else. I will try your solution anyway.
Edit: It seems that when you use File Explorer to disable the inheritance, Windows automatically merges the permissions. If you look again at the ACL displayed with Get-Acl, there is one ACE where FileSystemRights = -536805376. It's definitely an ACE for the Authenticated Users group, as IdentityReference = NT AUTHORITY\Authenticated Users. But, for this ACE, we can see the flags:
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly
If you look at the second ACE related to the Authenticated Users group, this time we have proper access rights, which are Modify, Synchronize. But the flags are not set:
InheritanceFlags : None
PropagationFlags : None
So, I think this is why these permissions are merged when you disable inheritance using File Explorer. But the same thing doesn't happen with Disable-NTFSAccessInheritance. I tried with the Set-Acl cmdlet too, it does the same as Disable-NTFSAccessInheritance. The permissions aren't merged and you have to handle the extra ACE. The code to disable the inheritance with Set-Acl is the following:
$path = "C:\Temp\Test"
$acl = Get-Acl -LiteralPath $path
$acl.SetAccessRuleProtection($True, $True)
$acl | Set-Acl -LiteralPath $path
The first True disables the inheritance, the second one copies the ACEs as explicit permissions.
Also, as I'm talking about merging permissions, here is what the C: permissions look like on my system. And that's why the permissions on subfolders are different:
PS C:\WINDOWS\system32> Get-NTFSAccess -Path "C:\"

Path: C:\ (Inheritance enabled)

Account                    Access Rights             Applies to       Type   IsInherited  InheritedFrom
-------                    -------------             ----------       ----   -----------  -------------
Everyone                   Traverse, ReadAttribu...  ThisFolderOnly   Allow  False
NT AUTHORITY\RESTRICTED    Traverse, ReadAttribu...  ThisFolderOnly   Allow  False
NT AUTHORITY\SYSTEM        FullControl               ThisFolderOnly   Allow  False
BUILTIN\Administrators     FullControl               ThisFolderOnly   Allow  False
With Get-Acl:
PS C:\WINDOWS\system32> (Get-Acl -Path "C:\").Access

FileSystemRights  : AppendData
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
And here is how it looks in File Explorer:
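Added example, not the poster's code and not NTFSSecurity. The pair of Authenticated Users entries on every subfolder is not an inheritance defect: when a container inherits an inherit-only ACE that carries generic rights, NTFS writes two ACEs on the child, an effective one with the generic bits mapped to specific rights (GR|GW|GE|DELETE becomes Modify, Synchronize, with no inheritance flags) and an inherit-only copy that keeps the generic bits for further propagation. SetAccessRuleProtection(true, true) simply clears the inherited flag on both, so both survive as explicit entries, which is what the Get-Acl listing above shows; File Explorer's editor instead writes one conventional ACE. The script below, which assumes Windows, a writable $env:TEMP and icacls on the path, rebuilds that situation in a scratch tree, disables inheritance through .NET, and then replaces the pair with the single Modify entry; S-1-5-11 is the well-known SID for Authenticated Users:

```powershell
# Added example, not from the thread or from NTFSSecurity. Windows only; creates and
# removes a scratch tree under $env:TEMP.

$root   = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$parent = Join-Path $root 'Parent'
$child  = Join-Path $parent 'Child'
New-Item -ItemType Directory -Path $parent -Force | Out-Null

# Current user's SID; icacls accepts SIDs prefixed with '*', so no localised names are needed.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Parent: stop inheriting from %TEMP%, keep full control for ourselves, and give
# Authenticated Users (S-1-5-11) the same pair the C:\ root carries in the post:
#   (AD)                     add-subdirectory on this folder only
#   (OI)(CI)(IO)(GR,GW,GE,DE) inherit-only, generic read/write/execute plus delete
& icacls $parent /inheritance:r /grant "*${me}:(OI)(CI)F" | Out-Null
& icacls $parent /grant "*S-1-5-11:(AD)" "*S-1-5-11:(OI)(CI)(IO)(GR,GW,GE,DE)" | Out-Null

# Child is created after the ACL is in place, so NTFS itself applies inheritance.
New-Item -ItemType Directory -Path $child | Out-Null

function Get-AuthUsersAces {
    # ACEs for S-1-5-11 on $Path with the raw mask in hex (Get-Acl prints it as a signed Int32).
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11' } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.FileSystemRights
                MaskHex     = '0x{0:X8}' -f [uint32]([int64][int]$_.FileSystemRights -band 0xFFFFFFFF)
                Inheritance = $_.InheritanceFlags
                Propagation = $_.PropagationFlags
                IsInherited = $_.IsInherited
            }
        }
}

"--- Child, inherited from Parent: one mapped ACE (Modify, Synchronize) and one inherit-only generic ACE ---"
Get-AuthUsersAces -Path $child | Format-Table -AutoSize

# Disable inheritance the way the post does with Set-Acl: both ACEs are copied verbatim.
$acl = Get-Acl -LiteralPath $child
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $child -AclObject $acl
"--- Child after SetAccessRuleProtection(true, true): same pair, now explicit ---"
Get-AuthUsersAces -Path $child | Format-Table -AutoSize

# Replace the pair with the single entry an administrator would expect:
# Modify on this folder, subfolders and files. PurgeAccessRules works on the raw
# ACEs, so the generic mask does not get in the way.
$acl = Get-Acl -LiteralPath $child
$sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$acl.PurgeAccessRules($sid)
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $child -AclObject $acl
"--- Child after purge plus one Modify ACE ---"
Get-AuthUsersAces -Path $child | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

Two things to keep in mind before doing this on a real tree: the inherit-only generic entry and the mapped entry together grant exactly Modify on everything below, so the replacement above preserves the effective access of the original pair, and a purge removes every explicit Allow and Deny entry for that SID on the object, so list them first.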
I ran into the same issue regarding Remove-NTFSAccess when CREATOR OWNER, GenericAll is involved. Enable-NTFSAuditInheritance also broke in a way I did not investigate further.
However, I recognized that everything works properly with the old module version 2.4 (sadly not available on the PowerShell Gallery). Maybe this helps the maintainer to debug what went wrong.
Working example with v2.4
NTFSSecurity\Get-Access -Path "$Path" -ExcludeInherited | NTFSSecurity\Remove-Access
NTFSSecurity\Enable-AuditInheritance -Path "$Path"
Broken example with v4.2.6
NTFSSecurity\Get-NTFSAccess -Path "$Path" -ExcludeInherited | NTFSSecurity\Remove-NTFSAccess
NTFSSecurity\Enable-NTFSAuditInheritance -Path "$Path"
I don't use this module. I always work with the "built in" Get-Acl and Set-Acl. It is a bit more work, but I have gathered experience with it. But if I want to remove an access rule with such an "illegal" access right set (most of the time just a negative number), I run into a similar issue when using RemoveAccessRule.
Example:
# Remove all existing explicit access rules ($ObjFolderACL was obtained with Get-Acl)
$ObjFolderACL.Access | Where-Object { $_.IsInherited -eq $False } | ForEach-Object { $ObjFolderACL.RemoveAccessRule($_) } | Out-Null
I could solve it by removing the rules I want with PurgeAccessRules: ObjectSecurity.PurgeAccessRules(IdentityReference) Method
Example:
$UserIdentity = New-Object System.Security.Principal.NTAccount($NetBIOSDomainName + "\" + $UsersAMAccountName)
$ObjFolderACL.PurgeAccessRules($UserIdentity)   # drops every explicit ACE for that identity, whatever its mask
Set-Acl -Path $HomeFolder -AclObject $ObjFolderACL
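Added example, not code from this thread or from NTFSSecurity, serving both the "million folders" question earlier in the thread and the PurgeAccessRules approach just above. Find-GenericRightsAce walks a tree with Get-Acl and lists every ACE whose raw mask a FileSystemAccessRule cannot be rebuilt from (anything above FullControl, 0x001F01FF, which is where the generic bits live). Remove-AllAccessForIdentity then drops every explicit entry for one identity with PurgeAccessRules, which edits the DACL by SID and never constructs a FileSystemAccessRule, so it is unaffected by the range check; inherited entries are left alone, but Deny entries for that SID go too, so run it with -WhatIf first. It assumes Windows and that the caller holds WRITE_DAC on the objects; the identity may be a name or an S-1-... string, and orphaned SIDs (the Get-NTFSOrphanedAccess case) are handled because Get-Acl already returns those as SecurityIdentifier objects:

```powershell
# Added example, not from the thread or from NTFSSecurity. Windows only.

$GenericBitNames = [ordered]@{ GR = 0x80000000; GW = 0x40000000; GE = 0x20000000; GA = 0x10000000 }

function Find-GenericRightsAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeInherited
    )
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { Write-Warning "$($item.FullName): $_"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            # Get-Acl shows the mask as a signed Int32; reinterpret it as the unsigned ACCESS_MASK.
            $mask = [uint32]([int64][int]$ace.FileSystemRights -band 0xFFFFFFFF)
            if ($mask -le 0x001F01FF) { continue }      # representable as FileSystemRights, nothing to flag
            [pscustomobject]@{
                Path        = $item.FullName
                Identity    = $ace.IdentityReference.Value
                MaskHex     = '0x{0:X8}' -f $mask
                Generic     = ($GenericBitNames.GetEnumerator() |
                               Where-Object { ($mask -band [uint32]$_.Value) -ne 0 } |
                               ForEach-Object Key) -join ','
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
                Type        = $ace.AccessControlType
            }
        }
    }
}

function Remove-AllAccessForIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # 'DOMAIN\name', 'CREATOR OWNER' or an 'S-1-...' string
        [switch]$Recurse
    )
    $sid = if ($Identity -like 'S-1-*') {
        [System.Security.Principal.SecurityIdentifier]$Identity
    } else {
        ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
    }
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Unresolvable (orphaned) SIDs already arrive as SecurityIdentifier; Translate is then a no-op.
        $hits = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
        })
        if ($hits.Count -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Purge $($hits.Count) explicit ACE(s) for $Identity")) {
            $acl.PurgeAccessRules($sid)     # removes the ACEs by SID; no FileSystemAccessRule is rebuilt
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            Write-Verbose "$($item.FullName): removed $($hits.Count) ACE(s)"
        }
    }
}

# Usage, with paths taken from the thread:
#   Find-GenericRightsAce -Path 'T:\HCSO' | Format-Table -AutoSize
#   Remove-AllAccessForIdentity -Path 'T:\HCSO' -Identity 'CREATOR OWNER' -Recurse -WhatIf
#   Remove-AllAccessForIdentity -Path 'T:\HCSO' -Identity 'S-1-5-21-1234567890-1234567890-1234567890-1234' -Verbose
```

Find-GenericRightsAce only walks directories, because inherit-only generic entries can live on containers alone; pass -IncludeInherited to see where such an entry has propagated from. If the intent is to strip a single group's rights rather than everything it holds, filter the output of Find-GenericRightsAce by Identity and Type before purging, since there is no partial removal path for these masks through .NET's typed API.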