Channel: File Services and Storage forum

Removing BUILTIN\Users blocks access???


Hi to all. I have some PowerShell scripts that do the following:

1) Create Active Directory Security Groups

2) Create folders on drive with nested sub folders

3) Remove inheritance on one of the sub folders created

4) Apply Full Control to Domain Admins on sub folder.

5) Apply Full Control to Active Directory Security Groups on sub folder

6) Remove BUILTIN\Users on sub folder

Remove BUILTIN\Users script example

$acl = Get-Acl "E:\Data\MyDirectory\sub_directory"
$acl.Access | where {$_.IdentityReference -eq "BUILTIN\Users"} | foreach { $acl.RemoveAccessRuleSpecific($_) }
Set-Acl "E:\Data\MyDirectory\sub_directory" $acl

ISSUE

After removing BUILTIN\Users I am unable to access the folder. If I RDP to the server and attempt to access the folder, I receive the message:

"You must have Read permissions to view the properties of this object. Click Advanced to continue"

If I click Advanced, my currently logged-in credentials are added to the list of NTFS permissions (user_name@domain.com). I and members of AD groups listed on the Security tab can then access the directory.

I can then see Domain\Admins, Local\Administrators, Domain\Security Groups (of which I am a member) are all listed on the Security tab with Modify permissions.

I tried adding this fix:

The DWORD LocalAccountTokenFilterPolicy under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System with the value of 1

So after removing 'BUILTIN\Users', domain users (and admins) who are members of Active Directory security groups listed on the NTFS Security tab with 'Full Control' to the folder receive 'Access Denied' when browsing to the folder on the network.

I would appreciate some help on this one as it's left me scratching my head.

Any thoughts as to why removing BUILTIN\Users breaks access when other credentials should permit access (i.e. BUILTIN\Administrators, DOMAIN\Admins)?

Kind Regards,

Phil.
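
A read-only diagnostic for the situation described in the post, added here as an example and not part of the original post or any reply to it. It lists each ACE on the folder, whether it applies to the folder itself, and whether its SID is among the groups .NET reports for the token of the session running it. The path is the one from the post; the output column names are made up for this example.

```powershell
# Added diagnostic example. The path is the one used in the post.
$path = 'E:\Data\MyDirectory\sub_directory'

# SIDs the current logon token presents: the user plus the groups .NET reports.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

try {
    $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
}
catch {
    # Reading the ACL needs access of its own. If that fails, show the token's
    # groups so they can be compared with the entries on the Security tab.
    Write-Warning "Cannot read the ACL as $($id.Name): $($_.Exception.Message)"
    $id.Groups | ForEach-Object {
        $group = $_
        try { $group.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $group.Value }   # unresolvable SID: print it raw
    } | Sort-Object
    return
}

"Inheritance disabled: $($acl.AreAccessRulesProtected)"

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$acl.Access | ForEach-Object {
    $ace = $_
    $sid = try { $ace.IdentityReference.Translate($sidType).Value } catch { $null }
    [pscustomobject]@{
        Identity        = $ace.IdentityReference.Value
        Type            = $ace.AccessControlType
        Rights          = $ace.FileSystemRights
        Inherited       = $ace.IsInherited
        # An InheritOnly ACE affects children but not this folder.
        AppliesToFolder = -not $ace.PropagationFlags.HasFlag($inheritOnly)
        # True when the ACE's SID is one the current token presents.
        InCurrentToken  = ($null -ne $sid) -and ($tokenSids -contains $sid)
    }
} | Format-Table -AutoSize
```

Running it from a normal session, from an elevated session, and as one of the affected users shows whether the groups listed on the Security tab are actually present in each token.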

