Powershell to remove/delete a permission on an AD OU

Hi,
I am trying to create a powershell script that will delete any “deny” permissions for Everyone on an OU and having an issue. I was trying to do something like this:

#Powershell Script to delete "Deny" Everyone permissions on OU

#Set AD as the location
Set-Location ad:

#Set these variables
$DN = "CN=test_OU,DC=testdomain,DC=local"
$user = "Everyone"

#Collect the current ACL
$Acl = (GEt-ACL -Path "AD:$DN").Access | where-object {$_.AccessControlType -eq "Deny"}

#Loop each access permission in the ACL
foreach ($access in $acl.Access) {
    if ($access.IdentityReference.Value -eq $user) {
        $acl.RemoveAccessRule($access)
    }
}

When I run this I don’t get any errors but the permission does not get removed. Thanks in advance.

If it’s not just a copy and paste error here in the forum … I’d recommend using VSCode for your script development. It will point you to variables defined but never used.

You define a variable $DistinguishedName but it seems like you’re using $DN

Sorry, I actually typed out the code myself. In my forum window it is showing as code. The $DistinguishedName is just a typo when I recreated the code for the forum. The code uses $DN for the Distinguished name variable everywhere in my actual code. I corrected it in the forum window.

Hmmm … try this:

Set-Location AD:
$DN = 'CN=test_OU,DC=testdomain,DC=local'
$user = 'Everyone'

$Acl = Get-Acl -Path "AD:$DN"
$AclAccess = 
    $Acl.Access | 
        Where-Object -Property AccessControlType -EQ -Value 'Deny'

foreach ($access in $AclAccess) {
    if ($access.IdentityReference.value -eq $user) {
        $acl.RemoveAccessRule($access)
    }
}

Now you should inspect the ACL you just modified to check that it’s the way you want. If you’re satisfied, you have to write the changed ACL to the AD OU.

Set-Acl -Path "AD:$DN" -AclObject $Acl
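As an added example (not code from the thread), the same removal wrapped in a function that previews with -WhatIf, matches the identity by SID instead of display name, warns about inherited Deny entries that RemoveAccessRule cannot strip, and re-reads the object after Set-Acl to confirm the result; the function name, the $IdentitySid parameter and its S-1-1-0 (Everyone) default are my own assumptions.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

function Remove-ExplicitDenyAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Match by SID, not display name; S-1-1-0 is the well-known SID for Everyone.
        [string] $IdentitySid = 'S-1-1-0'
    )
    $target = [System.Security.Principal.SecurityIdentifier] $IdentitySid
    $path   = "AD:$DistinguishedName"
    $acl    = Get-Acl -Path $path

    # Deny ACEs for the identity. Inherited ones cannot be removed here: they live on a
    # parent object, so they are reported and skipped instead of silently ignored.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $target
    }
    $removed = 0
    foreach ($ace in $deny) {
        $desc = '{0} {1}' -f $ace.IdentityReference, $ace.ActiveDirectoryRights
        if ($ace.IsInherited) {
            Write-Warning "Skipping inherited Deny ACE (remove it on the parent): $desc"
            continue
        }
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove Deny ACE: $desc")) {
            if ($acl.RemoveAccessRule($ace)) { $removed++ }
        }
    }
    if ($removed -eq 0) { Write-Verbose 'Nothing to write back'; return }

    # Nothing changes in AD until the modified ACL is written back; then re-read
    # the object and return any explicit Deny ACEs that still remain (expect none).
    Set-Acl -Path $path -AclObject $acl
    (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $target
    }
}

# Preview with -WhatIf first; drop the switch to apply the change.
Remove-ExplicitDenyAce -DistinguishedName 'CN=test_OU,DC=testdomain,DC=local' -WhatIf
```

With -WhatIf nothing is removed and the function returns before Set-Acl, so the preview never touches the directory.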