# Repair NTFS permissions on the home-directory share (D:\Homes) with icacls.
#   - Goal: strip the read access that subfolders inherit for BUILTIN\Users.
#   - Authenticated Users may create folders at the share root only; the grant
#     is not meant to let them read sibling folders.
# NOTE(review): the steps in this script rewrite ACLs in place and nothing here
# records the previous state. Consider saving it first, e.g.
#   icacls D:\Homes /save <backup-file> /T

Write-Output '=== icacls fix for D:\Homes ==='
# Step 1: strip BUILTIN\Users entries from the root and everything beneath it.
# /T recurses through the tree; /C keeps going after per-file errors.
# NOTE(review): /remove only deletes explicit ACEs. An entry that a folder
# inherits from its parent survives this call and is still listed with the
# (I) flag afterwards.
$removeArgs = @('D:\Homes', '/remove', 'BUILTIN\Users', '/T', '/C')
$removeOutput = & icacls @removeArgs 2>&1
Write-Output "Remove BUILTIN\Users from root+children: $removeOutput"
# Step 2: let Authenticated Users list the root and create folders in it.
# No (OI)/(CI) inheritance flags are given, so the ACE applies to D:\Homes
# itself and is not passed down to the home folders.
# NOTE(review): RD on a directory is "list folder", so the names of sibling
# home folders remain visible even though their contents are not granted here.
# /grant without :r adds to any explicit ACE the principal already holds
# instead of replacing it.
$grantArgs = @('D:\Homes', '/grant', 'Authenticated Users:(RD,AD)')
$grantOutput = & icacls @grantArgs 2>&1
Write-Output "Grant Authenticated Users root-only: $grantOutput"
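# Step 3: detach each first-level home folder from the root's ACL, then drop
# BUILTIN\Users from it.
# Order matters: /inheritance:d copies the inherited ACEs onto the folder as
# explicit entries, so the BUILTIN\Users entry is still present right after it.
# Only once it is explicit can /remove delete it; without the second call the
# folder keeps the very access this script is meant to take away.
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue -ErrorVariable enumErrors | ForEach-Object {
    $p = $_.FullName
    $n = $_.Name

    # /inheritance:d = disable inheritance, keep existing ACEs as explicit copies
    $r = & icacls $p /inheritance:d /C 2>&1
    Write-Output " [$n] inheritance:d — $r"

    # Delete the now-explicit BUILTIN\Users entry on this folder and below (/T);
    # /C continues past per-file errors so one locked file does not stop the run.
    $rm = & icacls $p /remove "BUILTIN\Users" /T /C 2>&1
    Write-Output " [$n] remove BUILTIN\Users — $rm"
}

# Enumeration errors are suppressed above; report them so that a folder which
# was skipped (and therefore keeps its old ACL) does not go unnoticed.
if ($enumErrors) {
    Write-Warning "Could not enumerate some entries under D:\Homes; their ACLs were not changed: $enumErrors"
}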
# Read-only verification: print the resulting ACL of the root and of every
# first-level folder. Entries flagged (I) are inherited, and any BUILTIN\Users
# line that is still present shows up here for review.
Write-Output ''
Write-Output '=== Final ACL check ==='
& icacls 'D:\Homes' 2>&1 | Write-Output
Write-Output '--- Subfolders ---'
foreach ($homeDir in (Get-ChildItem 'D:\Homes' -Directory -EA SilentlyContinue)) {
    Write-Output " $($homeDir.Name):"
    foreach ($aclLine in (& icacls $homeDir.FullName 2>&1)) {
        Write-Output " $aclLine"
    }
}