Here is a copy of a nice little PowerShell script I threw together to help maintain permissions on servers.

# Start from a clean session: drop leftover variables and modules from an earlier run,
# forget earlier errors and clear the console before the audit output begins.
Remove-Variable * -ErrorAction SilentlyContinue
Remove-Module *
$error.Clear()
Clear-Host

# Root of the home-folder share. Every immediate child folder is treated as belonging to the
# account whose sAMAccountName matches the folder name; all functions below read this value.
$RootFSPath = 'G:\users3'

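#######################################
# Report access entries on a user's home folder that are not part of the expected baseline
# (the user with Modify, plus SYSTEM / Administrators / Domain Admins with FullControl).
# Globals:   $RootFSPath (read)
# Arguments: $User      - folder name under $RootFSPath (expected to be the user's sAMAccountName)
#            $Recursive - when $true, every item below the folder is inspected as well
# Outputs:   one host line per unexpected entry: "<path> <identity> <rights>"
# Returns:   nothing
#######################################
Function GetFolderACL([string]$User, [bool]$Recursive)
{
    $filePath = "$RootFSPath\$User"

    # Baseline entries that are expected and therefore not reported.
    # NOTE(review): the domain name is hard-coded here and in the other functions; keep them in sync.
    $expected = @(
        @{ Identity = "YourDomain\$User";         Rights = 'Modify, Synchronize' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' },
        @{ Identity = 'BUILTIN\Administrators';   Rights = 'FullControl' },
        @{ Identity = 'YourDomain\Domain Admins'; Rights = 'FullControl' }
    )

    # The folder itself is always inspected. The original only looked at children when recursing,
    # and then printed the parent's ACL once per child instead of reading each child's own ACL.
    $paths = @($filePath)
    if ($Recursive)
    {
        # -Force includes hidden/system items so they are not silently skipped by the audit.
        $children = @(Get-ChildItem -Path $filePath -Recurse -Force | ForEach-Object { $_.FullName })
        $paths += $children
    }

    foreach ($path in $paths)
    {
        $acl = Get-Acl -Path $path
        foreach ($access in $acl.Access)
        {
            $isExpected = $false
            foreach ($entry in $expected)
            {
                if ($access.IdentityReference.Value -eq $entry.Identity -and $access.FileSystemRights -eq $entry.Rights)
                {
                    $isExpected = $true
                    break
                }
            }
            if (-not $isExpected)
            {
                Write-Host $path $access.IdentityReference $access.FileSystemRights
            }
        }
    }
}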

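#######################################
# Check one home folder (and optionally every sub-folder) for the expected baseline ACL, and
# delete the folder when its owner no longer exists in Active Directory.
# Globals:   $RootFSPath (read)
# Arguments: $filePath  - full path of the folder to check
#            $User      - sAMAccountName the folder belongs to (the top-level folder name)
#            $Recursive - when $true, every sub-folder is checked against the same $User
# Outputs:   host lines for unexpected entries and for missing baseline entries
# Returns:   $true when the folder (and every checked sub-folder) carries the full baseline,
#            $false when anything is missing or the folder was deleted. The original returned
#            nothing on success, so callers that test "-eq $false" are unaffected.
#######################################
Function GetFolderACLRecursive([string]$filePath, [string]$User, [bool]$Recursive)
{
    # Escape a value for use inside an LDAP filter (RFC 4515) so a folder name containing
    # '\', '*', '(' or ')' cannot change the meaning of the sAMAccountName query. Backslash first.
    Function EscapeLdapFilterValue([string]$value)
    {
        return $value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    # An empty name would give the filter "(sAMAccountName=)", which matches nothing and would
    # send this folder into the delete branch below.
    if ([string]::IsNullOrWhiteSpace($User))
    {
        Write-Host "Refusing to check $filePath - no user name supplied"
        return $false
    }

    # The original looked up $folder (a variable leaked in from the caller's loop) instead of $User.
    # NOTE(review): ADSISearcher queries the default naming context only; accounts that live in
    # another domain would look orphaned here - confirm before relying on the delete.
    $Searcher = [ADSISearcher]"(sAMAccountName=$(EscapeLdapFilterValue $User))"
    $Results  = $Searcher.FindOne()

    if ($null -eq $Results)
    {
        # Owner is gone from AD: remove the orphaned folder, but never the share root itself
        # (the author's note: try your best not to whack the parent folder due to HR's typos).
        if ($filePath.TrimEnd('\') -ne $RootFSPath.TrimEnd('\'))
        {
            Write-Host "$User does not exist in AD, $filePath can be deleted... Deleting"
            # Plain ASCII dashes; the original used en-dashes in front of -Path/-Recurse.
            Remove-Item -Path $filePath -Recurse -Force
        }
        return $false
    }

    # Owner exists: compare this folder's ACL with the baseline.
    [bool]$UserPerm        = $false
    [bool]$SystemPerm      = $false
    [bool]$AdminPerm       = $false
    [bool]$DomainAdminPerm = $false

    $filePathacl = Get-Acl -Path $filePath
    foreach ($access in $filePathacl.Access)
    {
        $identity = $access.IdentityReference.Value
        $rights   = $access.FileSystemRights

        if ($identity -eq "YourDomain\$User" -and $rights -eq 'Modify, Synchronize')
        {
            $UserPerm = $true
            continue
        }
        if ($identity -eq 'NT AUTHORITY\SYSTEM' -and $rights -eq 'FullControl')
        {
            $SystemPerm = $true
            continue
        }
        if ($identity -eq 'BUILTIN\Administrators' -and $rights -eq 'FullControl')
        {
            $AdminPerm = $true
            continue
        }
        if ($identity -eq 'YourDomain\Domain Admins' -and $rights -eq 'FullControl')
        {
            $DomainAdminPerm = $true
            continue
        }

        # Anything else is an entry that is not part of the baseline and deserves a look.
        Write-Host $filePath.PadRight(15) $identity $rights
    }

    if (-not $UserPerm)        { Write-Host "Missing User Permission to $filePath" }
    if (-not $SystemPerm)      { Write-Host "Missing System Permission to $filePath" }
    if (-not $AdminPerm)       { Write-Host "Missing Admin Permission to $filePath" }
    if (-not $DomainAdminPerm) { Write-Host "Missing DomainAdmin Permission to $filePath" }

    # The original wrote "$DomainAdminPerm = $false" (an assignment) in this test, so a missing
    # Domain Admins entry never counted. All four entries are required.
    $ok = $UserPerm -and $SystemPerm -and $AdminPerm -and $DomainAdminPerm

    if ($Recursive)
    {
        # Sub-folders belong to the same owner, so $User is passed through. The original passed
        # $true in the user-name position, which in practice made every sub-folder fail its AD
        # lookup and fall into the delete branch. -Recurse already walks the whole tree, so the
        # children are checked non-recursively.
        foreach ($folder in (Get-ChildItem -Path $filePath -Recurse -Directory -Force))
        {
            $childOk = GetFolderACLRecursive $folder.FullName $User $false
            if (-not $childOk) { $ok = $false }
        }
    }

    return $ok
}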

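#######################################
# Rebuild the ACL of a user's home folder: strip explicit entries and toggle inheritance on the
# folder and (when $Recursive) on everything below it, then grant the user Modify.
# Globals:   $RootFSPath (read)
# Arguments: $User               - folder name under $RootFSPath (also the account granted Modify)
#            $Recursive          - when $true, apply the inheritance change to every item below the folder
#            $EnableInheritance  - when $true, enable inheritance (parent first, then children)
#            $DisableInheritance - when $true, disable inheritance (children first, parent last)
# Outputs:   the full name of each child item touched, on the host
# Returns:   nothing
# The callers in this script run it twice: first with $DisableInheritance, then with
# $EnableInheritance. Passing both $true in one call is not guarded against.
#######################################
Function SetFolderACL([string]$User, [bool]$Recursive, [bool]$EnableInheritance, [bool]$DisableInheritance)
{
    $filePath = "$RootFSPath\$User"

    # Drop every explicit (non-inherited) entry from an ACL object. Inherited entries cannot be
    # removed this way; they are governed by SetAccessRuleProtection. The Boolean that
    # RemoveAccessRule returns is discarded instead of leaking into the output stream.
    Function RemoveExplicitRules($aclObject)
    {
        foreach ($access in @($aclObject.Access | Where-Object { -not $_.IsInherited }))
        {
            [void]$aclObject.RemoveAccessRule($access)
        }
    }

    if ($EnableInheritance)
    {
        # Parent first: clear its explicit entries and let it inherit from $RootFSPath again.
        $parentAcl = Get-Acl -Path $filePath
        RemoveExplicitRules $parentAcl
        $parentAcl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $filePath -AclObject $parentAcl
    }

    if ($Recursive)
    {
        # -Force so hidden/system items get the same treatment instead of keeping stale explicit entries.
        foreach ($item in (Get-ChildItem -Path $filePath -Recurse -Force))
        {
            $acl = Get-Acl -Path $item.FullName
            Write-Host $item.FullName

            # The intermediate Set-Acl is kept from the original: it persists the inheritance
            # change before the explicit entries are dropped.
            if ($EnableInheritance)
            {
                $acl.SetAccessRuleProtection($false, $false)
                Set-Acl -Path $item.FullName -AclObject $acl
            }
            if ($DisableInheritance)
            {
                $acl.SetAccessRuleProtection($true, $true)
                Set-Acl -Path $item.FullName -AclObject $acl
            }

            RemoveExplicitRules $acl
            Set-Acl -Path $item.FullName -AclObject $acl
        }
    }

    if ($DisableInheritance)
    {
        # Parent last, as the author intended (the comment on this branch in the original was a
        # copy of the one on the enable branch).
        $parentAcl = Get-Acl -Path $filePath
        $parentAcl.SetAccessRuleProtection($true, $true)
        RemoveExplicitRules $parentAcl
        Set-Acl -Path $filePath -AclObject $parentAcl
    }

    # Finally (re)grant the user Modify on the folder, propagated to children that inherit from it.
    $acl = Get-Acl -Path $filePath
    $permission = "YourDomain\$User", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl -Path $filePath
}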

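#######################################
# Grant the user Modify (inheritable) on their home folder without touching inheritance or children.
# Globals:   $RootFSPath (read)
# Arguments: $User - folder name under $RootFSPath (also the account granted Modify)
#            $Recursive, $EnableInheritance, $DisableInheritance - accepted so the function can be
#            called like SetFolderACL, but not used here
# Outputs:   the folder path on the host
# Returns:   nothing
#######################################
Function SetStrightFolderACL([string]$User, [bool]$Recursive, [bool]$EnableInheritance, [bool]$DisableInheritance)
{
    $filePath = "$RootFSPath\$User"
    # The original printed $folder.FullName, a variable this function never sets (it leaked in
    # from the caller's loop); report the path that is actually being changed.
    Write-Host $filePath

    $acl = Get-Acl -Path $filePath
    $permission = "YourDomain\$User", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl -Path $filePath
}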

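# Main loop: audit every user folder directly under the share root and repair the ones that fail.
# -Directory keeps stray files at the root out of the loop: the original fed them to the AD lookup,
# where a file name does not match an account, and the "not in AD" branch would delete the file.
$folders = Get-ChildItem -Path $RootFSPath -Directory
foreach ($folder in $folders)
{
    # Use the explicit Name/FullName properties; "$folder" stringifies differently across
    # PowerShell versions.
    $userName = $folder.Name
    $result = GetFolderACLRecursive $folder.FullName $userName $false
    if ($result -eq $false)
    {
        # Only repair folders whose owner still exists; orphans are deleted inside
        # GetFolderACLRecursive. The name is escaped so it cannot alter the LDAP filter.
        $Searcher = [ADSISearcher]"(sAMAccountName=$($userName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')))"
        $Results = $Searcher.FindOne()
        if ($null -ne $Results)
        {
            SetFolderACL $userName $true $false $true  # remove inheritance
            SetFolderACL $userName $true $true  $false # enable inheritance
        }
    }
}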

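# The script ends here; nothing below this line runs. The calls that followed in the original are
# kept as a record of manual invocations. They referenced $user, which is never assigned in this
# script, so they could not have worked as written.
exit

# Section 1 (was: remove inheritance, then enable inheritance):
# GetFolderACL $user $true
# SetFolderACL $user $true $false $True   # Remove inheritance
# SetFolderACL $user $true $true  $false  # Enable inheritance

# Section 2 (was: remove inheritance only):
# SetFolderACL $user $true $false $True   # Remove inheritance

# Section 3 (was: enable inheritance only):
# SetFolderACL $user $true $true  $false  # Enable inheritance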
