Set-ACL - script runs, fails to apply changes, but no errors


I am looking to remove the NTFS audit settings for millions of files. I created the following script and started testing. It all looked promising until I tested against one of the paths and found that it didn’t work, nor did it produce an error.

$PathList = Get-Content C:\script\pathlist.txt

foreach ($Path in $PathList) {
  $acl = Get-Acl $Path -Audit
  $acl.GetAuditRules | Foreach-Object $acl.RemoveAuditRuleAll
  Set-Acl $Path $acl
}

I’ve cross checked the working paths to the one that doesn’t work and the permissions/inheritance seem identical. The folders where the audit script has worked do not allow the local\admin group access, same as the problem folder. I tried a second script which takes ownership and adds local\admin with full control to the problem folder, then re-ran the audit script and it still doesn’t work. After running the permissions script to add local\admin, I can manually remove the audit settings.

Any ideas please?

As an aside, how does get/set-acl work when I don’t have permissions to read/edit the folders/files?

Thanks in advance

This here is wrong

| Foreach-Object $acl.RemoveAuditRuleAll

When you use the Foreach-Object cmdlet, the variable in the loop is $_

Also, the removeauditrule is a method that takes a parameter. I think what you’re looking for is

| Foreach-Object {$acl.RemoveAuditRuleAll($_)}

Thanks krzydog, my attempt at the script seems to work as-is without your enhancements, but on one of my test samples it doesn’t. I’m trying to work out why that might be.

I did however make your suggested change in the script and it failed until I added [System.Security.Principal.SecurityIdentifier]

$acl.GetAuditRules($True, $False, [System.Security.Principal.SecurityIdentifier]) | Foreach-Object { $acl.RemoveAuditRule($_); }

However, it still doesn’t remove the SACL from the path - I still have the same problem.

Thanks again

Inheritance! Grrrrrrrrr
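
Added example (not code from any poster in this thread): assuming the closing "Inheritance!" means the audit entries left on the problem path were inherited from a parent folder, this script removes only the explicit audit rules, as the thread's script does, then re-reads each SACL and reports where inherited entries remain. The report property names are made up for illustration; the path list file is the one from the original post.

```powershell
# Added example, not code from the thread. Run elevated: reading or writing a SACL
# needs SeSecurityPrivilege ("Manage auditing and security log").
$PathList = Get-Content C:\script\pathlist.txt   # path list file from the original post
$sid = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($Path in $PathList) {
    $acl = Get-Acl -LiteralPath $Path -Audit

    # GetAuditRules(includeExplicit, includeInherited, targetType)
    $explicit = @($acl.GetAuditRules($true, $false, $sid))

    # Only explicit entries live on this object, so only they can be removed here.
    foreach ($rule in $explicit) {
        [void]$acl.RemoveAuditRuleSpecific($rule)
    }
    if ($explicit.Count -gt 0) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Re-read the SACL instead of trusting the absence of an error.
    $after     = Get-Acl -LiteralPath $Path -Audit
    $remaining = @($after.GetAuditRules($true, $true, $sid))
    $inherited = @($remaining | Where-Object { $_.IsInherited })

    # Hypothetical report shape, one row per path.
    [pscustomobject]@{
        Path               = $Path
        ExplicitRemoved    = $explicit.Count
        StillExplicit      = $remaining.Count - $inherited.Count
        StillInherited     = $inherited.Count
        InheritanceBlocked = $after.AreAuditRulesProtected
    }
}

# Paths listed here still audit because a parent folder pushes the entries down.
# They clear only when the rule is removed on that parent, or when inheritance is
# blocked on the child with $acl.SetAuditRuleProtection($true, $false) before Set-Acl.
$report | Where-Object { $_.StillInherited -gt 0 } | Format-Table -AutoSize
```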
