
icacls command to remove multiple users permissions from a folder at one icacls command in win 2008 R2

Question

Wednesday, February 22, 2012 8:44 PM | 1 vote

Hi friends,

In Win 2008 R2, I want to know: is it possible to remove multiple users' permissions from the Security tab of a folder at once (in one icacls command)?

For example, in my C: drive, I have a folder called "MyFolder" to which user1, person2 and teacher3 have Modify permission.

I want to remove their permissions from MyFolder at once. I tried this command but it doesn't work:

icacls c:\MyFolder /remove:g user1,person2,teacher3      doesn't work.

Any solution, please?

Thanks in advance

All replies (7)

Thursday, February 23, 2012 1:21 AM ✅ Answered

Run the command prompt as Administrator, then try it with the domain name:

icacls c:\MyFolder /remove:g  domain\user1, domain\person2, domain\teacher3 (with commas)

or

icacls c:\MyFolder /remove:g  domain\user1 domain\person2 domain\teacher3  (without commas)

.

Ace

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, February 23, 2012 4:20 AM

Hi dear Ace, thank you very much for the solution. I really didn't find this solution anywhere.

You are really great in network   ;-)

Best regards


Thursday, February 23, 2012 4:36 AM

You are welcome, John! :-)

Cheers!

Ace Fekay


Friday, March 18, 2016 6:48 PM

Hi All,

I have the same problem with a twist. We have a fileserver and recently moved the server from one domain to another. We have added all the permissions for the new domain and all is good, but I want to get rid of the old users on the server, but the names no longer resolve in Active Directory because we are not connected (and cannot connect to) the old domain. The old perms show as a series of GUIDs on the filesystem.
I tried removing them using the below, both with and without commas:

icacls *dirname * /remove  S-1-5-21-124525095-708259637-1543119021-1366458 S-1-5-21-124525095-708259637-1543119021-1366039 S-1-5-21-124525095-708259637-1543119021-1458776 S-1-5-21-124525095-708259637-1543119021-20045 S-1-5-21-124525095-708259637-1543119021-461932 /t /c

The result is always the same:

Successfully processed 0 files; Failed processing 0 files

Is there any way to remove these GUIDs?

thanks,

Kent


Saturday, March 19, 2016 3:06 AM | 1 vote

I assume you started CMD as admin.

Did you try /remove:g?

ICACLS Reference
https://technet.microsoft.com/en-us/library/cc753525.aspx

.

If that doesn't work, try SubInACL:
subinacl /subdirectories C:\.* /cleandeletedsidsfrom=DomainName

Microsoft SubInACL Download
https://www.microsoft.com/en-us/download/details.aspx?id=23510

JSI Tip 8741. How can I remove invalid domain SIDs from the my file system permissions?

.

Or just use this script from the Script Gallery:
Remove orphaned SIDs from File/Folder ACL (PowerShell)
http://gallery.technet.microsoft.com/scriptcenter/Remove-orphaned-SIDs-from-2231b1f0

.

There's also one you can buy: Quest Storage Migrator, but with the tools above, I don't see the need unless you are migrating a large number of servers.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
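
One way to do the orphaned-SID cleanup discussed above in PowerShell, as an added example that is not the Script Gallery script or code from any poster. The function name `Remove-OrphanedAce` and its parameters are hypothetical; it assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
function Remove-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Only SIDs issued by this domain are candidates, e.g. the old domain's
        # prefix 'S-1-5-21-124525095-708259637-1543119021' from the post above.
        [Parameter(Mandatory)] [string] $DomainSidPrefix
    )
    $ntAccount = [System.Security.Principal.NTAccount]
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    # The folder itself plus everything beneath it (the equivalent of icacls /t).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit ACEs only: inherited ones disappear when the parent is cleaned.
        $sids = $acl.GetAccessRules($true, $false, $sidType) |
            ForEach-Object { $_.IdentityReference } |
            Where-Object { $_.Value -like "${DomainSidPrefix}-*" } |
            Sort-Object -Property Value -Unique

        $changed = $false
        foreach ($sid in $sids) {
            try {
                [void]$sid.Translate($ntAccount)   # resolves: a live account, keep it
                continue
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # No name behind the SID: this is the orphaned entry to remove.
            }
            if ($PSCmdlet.ShouldProcess($item.FullName, "Remove ACEs for $($sid.Value)")) {
                $acl.PurgeAccessRules($sid)        # drops allow and deny ACEs for the SID
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Dry run first, then repeat without -WhatIf:
# Remove-OrphanedAce -Path 'D:\Shares' -DomainSidPrefix 'S-1-5-21-...' -WhatIf
```

Restricting the match to one domain's SID prefix keeps a temporarily unreachable trusted domain from being treated as orphaned. icacls itself accepts a numeric SID only when it is prefixed with `*`, for example `/remove *S-1-5-21-...`.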


Monday, March 21, 2016 10:17 PM

Thanks Ace!... I downloaded the PowerShell script and it works perfectly. Much better than finding all the abandoned GUIDs in the tree and listing them in a very long icacls command for deletion.


Tuesday, March 22, 2016 3:35 AM

That's great to hear that it worked! 

You are welcome! 

Cheers!

Ace Fekay