# Domain (or computer name, for local accounts) that prefixes account names in
# ACL entries. checkUser compares each entry against "$DOMAIN\<profile folder
# name>", so while this is empty that comparison is made against "\<name>".
$DOMAIN = ''
# Root directory holding one profile folder per user.
$USERS_PATH = 'C:\Users'
# Absolute path of the subinacl.exe binary used to revoke ACL entries.
$SUBINACL_PATH = 'C:\Windows\system32\subinacl.exe'
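function Remove-UserPermissions {
    <#
    .SYNOPSIS
    Revokes an account's access on one folder by calling subinacl.exe with /revoke.

    .PARAMETER FolderPath
    Folder whose ACL is modified. Passed to subinacl.exe as the /file target.

    .PARAMETER UserAccount
    Account name (as it appears in the ACL) whose access is revoked.

    .NOTES
    Reads the script-level $SUBINACL_PATH. The change is applied immediately and
    this function keeps no copy of the previous ACL, so the caller is the only
    confirmation step.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$FolderPath,

        [Parameter(Mandatory = $true)]
        [string]$UserAccount
    )

    # Fail visibly when the helper binary is absent instead of letting the call
    # operator raise a generic "not recognized" error for every finding.
    if ([string]::IsNullOrEmpty($SUBINACL_PATH) -or
        -not (Test-Path -LiteralPath $SUBINACL_PATH -PathType Leaf)) {
        Write-Error "subinacl.exe not found at '$SUBINACL_PATH'; no permissions were changed on '$FolderPath'."
        return
    }

    # Remove the user's permissions using subinacl.exe. The binary is invoked by
    # its configured absolute path, never resolved through PATH.
    # NOTE(review): the exit status is not inspected; confirm how subinacl.exe
    # reports a failed revoke before relying on this having succeeded.
    & $SUBINACL_PATH /file "$FolderPath" /revoke="$UserAccount"

    # Optionally, you can also remove the user's ownership using subinacl.exe
    # & $SUBINACL_PATH /file "$FolderPath" /setowner=""
}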
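function checkUser {
    <#
    .SYNOPSIS
    Lists explicit (non-inherited) ACL entries under a user's profile folder
    that belong to an account outside the expected set.

    .PARAMETER Username
    Name of the profile folder below $USERS_PATH; also used as the account name
    in the "$DOMAIN\$Username" owner comparison.

    .PARAMETER Recurse
    When equal to "true", every sub-directory of the profile is inspected too.

    .OUTPUTS
    One PSObject per flagged entry with the properties 'Folder Name',
    'Group/User', 'Permissions' and 'Inherited'.

    .NOTES
    Reads the script-level $USERS_PATH and $DOMAIN.
    #>
    param (
        $Username,
        $Recurse
    )

    # The original read $USER_PATH, which is never defined, so the path
    # collapsed to "\<Username>" and the audit ran against the wrong location.
    $userpath = "$USERS_PATH\" + $Username

    # Wrap the profile root in an object exposing FullName so it can be handled
    # exactly like the items returned by Get-ChildItem.
    $userpathFolder = New-Object PSObject
    $userpathFolder | Add-Member NoteProperty "FullName" $userpath
    $userFolders = @($userpathFolder)

    if ($Recurse -eq "true") {
        # NOTE(review): without -Force, Get-ChildItem omits hidden directories,
        # so hidden parts of a profile are not audited. Confirm whether that
        # coverage gap is acceptable.
        $userFolders += (Get-ChildItem -Directory -Path $userpath -Recurse)
    }

    $output = @()
    ForEach ($folder in $userFolders) {
        If ($folder -eq "") {
            continue
        }

        # Get-Acl reports failures as non-terminating errors, which would leave
        # $acl holding the previous folder's ACL and attribute those entries to
        # this folder. Stop on error and skip the folder instead.
        try {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
        }
        catch {
            Write-Warning "Skipping '$($folder.FullName)': $($_.Exception.Message)"
            continue
        }

        ForEach ($access in $acl.Access) {
            # Flag only explicit entries whose identity is not the profile
            # owner, a built-in principal, or one of the listed service and
            # administrator accounts.
            If (
                !$access.IsInherited -and
                $access.IdentityReference -ne "$DOMAIN\$Username" -and
                $access.IdentityReference -ne "BUILTIN\Administrators" -and
                $access.IdentityReference -ne "NT AUTHORITY\SYSTEM" -and
                $access.IdentityReference -ne "BUILTIN\Users" -and
                $access.IdentityReference -ne "$DOMAIN\Administrator" -and
                $access.IdentityReference -ne "$DOMAIN\Administrator2" -and
                $access.IdentityReference -ne "IIS APPPOOL\.NET v4.5" -and
                $access.IdentityReference -ne "IIS APPPOOL\.NET v4.5 Classic" -and
                $access.IdentityReference -ne "S-1-15-3-4096" -and
                $access.IdentityReference -ne ""
            ) {
                $props = [ordered]@{
                    'Folder Name' = $folder.FullName;
                    'Group/User'  = $access.IdentityReference;
                    'Permissions' = $access.FileSystemRights;
                    'Inherited'   = $access.IsInherited
                }
                $output += New-Object -TypeName PSObject -Property $props
            }
        }
    }

    return $output
}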
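# Interactive driver: audit every profile folder under $USERS_PATH and, for each
# flagged ACL entry, ask the operator whether to revoke it.
$result = @()

# $DOMAIN is not reassigned here. PowerShell variable names are
# case-insensitive, so the original `$Domain = ""` at this point overwrote the
# value configured at the top of the script, and the profile owner's own entry
# could then never match the "$DOMAIN\<name>" exclusion in checkUser.

# NOTE(review): without -Force, hidden profile folders are not enumerated.
$users = Get-ChildItem -Directory -Path "$USERS_PATH\"

ForEach ($user in $users) {
    echo " - $user"
    $result = checkUser -username $user.Name -Recurse $true

    ForEach ($perm in $result) {
        echo " "
        echo "---"
        echo "$($perm.'Group/User') has $($perm.Permissions) to $($perm.'Folder Name')"

        # Only an exact 'y' answer triggers the revoke; any other input skips
        # the entry and leaves the ACL untouched.
        $confirmation = Read-Host "Do you want to fix these permissions?:"
        if ($confirmation -eq 'y') {
            Remove-UserPermissions -FolderPath $perm.'Folder Name' -UserAccount $perm.'Group/User'
        }
    }
}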