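# Removes the explicit ACEs held by NT AUTHORITY\Authenticated Users from the
# Active Directory object of a single GPO, then prints the resulting GPO
# permission list so the change can be checked.
#
# NOTE(review): every ACE for Authenticated Users is removed, Read included,
# not only "Apply group policy". Since MS16-072, user-side policy (Folder
# Redirection is user-side) is retrieved in the computer's security context,
# so the GPO stops applying unless the target computers keep Read through
# another trustee such as Domain Computers. Confirm that before running.

$domain  = 'cascades.local'
$gpoName = 'CSC - Folder Redirection'
$gpoGuid = '{512B43A4-F049-4CE5-BFAC-860AD13E92BE}'

# Well-known SID of NT AUTHORITY\Authenticated Users. Matching on the SID
# instead of the display name is locale-independent and cannot hit another
# principal whose name merely contains the same words.
$authUsersSid = 'S-1-5-11'

# Remove Authenticated Users directly from the GPO AD object ACL
$gpoADPath = "AD:CN=$gpoGuid,CN=Policies,CN=System,DC=$($domain.Replace('.',',DC='))"

try {
    # The AD: drive only exists once the ActiveDirectory module is loaded;
    # a provider path does not trigger module auto-loading.
    Import-Module ActiveDirectory -ErrorAction Stop

    $acl = Get-Acl -Path $gpoADPath -ErrorAction Stop

    # Ask for identities as SIDs so no name translation is involved.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $matching = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $authUsersSid })

    # Only explicit ACEs can be removed on this object; inherited ones are
    # reported below instead of being counted as removed.
    $explicit       = @($matching | Where-Object { -not $_.IsInherited })
    $inheritedCount = $matching.Count - $explicit.Count

    $removed = 0
    foreach ($rule in $explicit) {
        # Count an ACE only when the removal actually succeeded.
        if ($acl.RemoveAccessRule($rule)) {
            $removed++
        }
    }

    if ($removed -gt 0) {
        Set-Acl -Path $gpoADPath -AclObject $acl -ErrorAction Stop
        Write-Output "[OK] Removed $removed ACE(s) for Authenticated Users from GPO AD object"
    }
    elseif ($explicit.Count -eq 0) {
        Write-Output "[INFO] Authenticated Users not found in ACL"
    }

    if ($removed -lt $explicit.Count) {
        Write-Output "[WARN] $($explicit.Count - $removed) explicit ACE(s) for Authenticated Users could not be removed"
    }
    if ($inheritedCount -gt 0) {
        Write-Output "[WARN] $inheritedCount inherited ACE(s) for Authenticated Users remain; they cannot be removed on this object"
    }
}
catch {
    Write-Output "[ERROR] ACL approach: $($_.Exception.Message)"
}

# Verify via Get-GPPermission
# NOTE(review): the GPO is looked up by name here, while the ACL change above
# went by GUID - confirm both identify the same GPO.
Write-Output ""
Write-Output "=== GPO Security Filter (final) ==="
try {
    $permissions = @(Get-GPPermission -Name $gpoName -Domain $domain -All -ErrorAction Stop)

    $permissions | ForEach-Object {
        # The trustee object exposes its type as SidType; "TrusteeType" is
        # only the column label of the default formatted view.
        Write-Output " $($_.Trustee.Name) [$($_.Trustee.SidType)] — $($_.Permission)"
    }

    # Heuristic only: computers may also hold Read through a group this check
    # does not know about. RID 515 is the domain's Domain Computers group.
    $computerReaders = @($permissions | Where-Object {
        $_.Trustee.Sid.Value -eq $authUsersSid -or
        $_.Trustee.Sid.Value -like 'S-1-5-21-*-515'
    })
    if ($computerReaders.Count -eq 0) {
        Write-Output "[WARN] Neither Authenticated Users nor Domain Computers is listed; check that target computers can still read this GPO"
    }
}
catch {
    Write-Output "[ERROR] Verification: $($_.Exception.Message)"
}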