I am working with a customer to do some cleanup of their process for setting NTFS permissions on DFS shares. Currently, many of their shared folders have orphaned SIDs when looking at the security tab. I thought something quick like this would clean it up:
    $Path = "P:"
    $aFolders = Get-ChildItem -Path $Path -Directory
    foreach ($folder in $aFolders) {
        $folderPath = "$($Path)\$($folder.Name)"
        $acl = Get-Acl -Path $folderPath
        # Collect the unresolved entries first, then remove them, so the rule
        # collection is not modified while it is being enumerated
        $orphans = $acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-5-' }
        if ($orphans) {
            foreach ($acc in $orphans) {
                $acl.RemoveAccessRule($acc) | Out-Null
            }
            # Write the ACL back once per folder, only when something was removed
            Set-Acl -Path $folderPath -AclObject $acl -ErrorAction Stop
            Write-Host "Removed Orphans from $folderPath"
        }
    }
But it does not remove any of them. If I pipe the Get-Acl line out to a Grid-View, I see all of the ACLs except the S-1-5* orphans. Just curious why that would be, as I thought Get-Acl would show me everything. And has anyone else resolved this kind of issue in another way?
P.S. I also tried the NTFSSecurity module and got the same behavior: none of the orphans are shown.
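As an added example (not code from the original post), the following enumerates every ACE keyed by its raw SID via GetAccessRules, flags the ones that no longer translate to an account, and removes only the explicit ones under -WhatIf control. $Root is a placeholder for the share or mapped drive, and the run is assumed to happen on a host that can reach the domain and write the folders' ACLs.

```powershell
# Added example, not from the original post. $Root is a placeholder for the
# DFS target or mapped drive; run it where the folder ACLs are writable.
$Root = 'P:\'

function Test-SidResolves {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # Translate() throws when the SID no longer maps to an account. Caveat: it
    # also throws when the domain that issued the SID is unreachable, so verify
    # connectivity before treating a sudden burst of "orphans" as real.
    try { [void]$Sid.Translate([System.Security.Principal.NTAccount]); return $true }
    catch { return $false }
}

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request every ACE (explicit and inherited) as a SecurityIdentifier; this
    # does not depend on name translation succeeding, so unresolvable
    # principals are returned alongside the resolvable ones.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if (-not (Test-SidResolves -Sid $rule.IdentityReference)) {
            [pscustomobject]@{
                Path        = $Path
                Sid         = $rule.IdentityReference.Value
                Rights      = $rule.FileSystemRights
                AccessType  = $rule.AccessControlType
                IsInherited = $rule.IsInherited   # inherited entries must be fixed at the parent
            }
        }
    }
}

function Remove-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Only explicit ACEs can be removed on this object; inherited ones are
    # cleaned up where they are defined.
    $removed = 0
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if (-not (Test-SidResolves -Sid $rule.IdentityReference) -and $acl.RemoveAccessRule($rule)) { $removed++ }
    }
    if ($removed -gt 0 -and $PSCmdlet.ShouldProcess($Path, "Remove $removed orphaned ACE(s)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $removed
}

# Report first, then preview the removal with -WhatIf before committing to it.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object { Get-OrphanedAce -Path $_.FullName } | Format-Table
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object { Remove-OrphanedAce -Path $_.FullName -WhatIf }
```

Entries reported with IsInherited set to True will reappear until the parent that defines them is cleaned up, so work from the top of the tree down.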