NTFSSecurity: Remove-NTFSAccess cannot remove an ACE with the GenericAll AccessRights

Get-NTFSAccess -Path 'c:\mypath' -Account 'creator owner' | Remove-NTFSAccess

Results in the following error:

Remove-NTFSAccess : The value '269484032' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights
    + CategoryInfo          : WriteError: (c:\mypath:String) [Remove-NTFSAccess], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : RemoveAceError,NTFSSecurity.RemoveAccess
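
The value in the error above, 269484032, is 0x10100000: the generic access bit GENERIC_ALL (0x10000000) combined with SYNCHRONIZE (0x00100000), and the generic bits are not members of the .NET FileSystemRights enum. The following is an added example, not code from the issue or from the NTFSSecurity project; the function name Convert-AccessMask and its output property names are hypothetical. It splits a raw access mask into its generic bits and shows the file rights those bits map to under the standard Windows file generic mapping.

```powershell
# Added example: Convert-AccessMask is a hypothetical helper, not an NTFSSecurity cmdlet.
function Convert-AccessMask {
    param([Parameter(Mandatory)][int64]$Mask)

    # Generic bits from winnt.h (decimal literals avoid signed-hex surprises in PowerShell)
    # and the file-specific masks Windows maps them to.
    $genericMap = [ordered]@{
        GenericRead    = @{ Bit = 2147483648; FileMask = 0x120089 }  # 0x80000000 -> FILE_GENERIC_READ
        GenericWrite   = @{ Bit = 1073741824; FileMask = 0x120116 }  # 0x40000000 -> FILE_GENERIC_WRITE
        GenericExecute = @{ Bit = 536870912;  FileMask = 0x1200A0 }  # 0x20000000 -> FILE_GENERIC_EXECUTE
        GenericAll     = @{ Bit = 268435456;  FileMask = 0x1F01FF }  # 0x10000000 -> FILE_ALL_ACCESS
    }

    # Get-Acl can show masks as negative Int32 values; normalise to an unsigned 32-bit range.
    $Mask = $Mask -band 4294967295

    $genericNames = @()
    $mapped       = [int64]0
    $residual     = $Mask
    foreach ($name in $genericMap.Keys) {
        $entry = $genericMap[$name]
        if ($Mask -band $entry.Bit) {
            $genericNames += $name
            $mapped        = $mapped -bor $entry.FileMask
            $residual      = $residual -band (-bnot [int64]$entry.Bit)
        }
    }

    # [Enum]::ToObject does not validate, so undefined bits are shown as numbers instead of throwing.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    [pscustomobject]@{
        Mask            = '0x{0:X8}' -f $Mask
        GenericBits     = $genericNames -join ', '
        NonGenericBits  = [Enum]::ToObject($fsr, [int]$residual)
        EffectiveRights = [Enum]::ToObject($fsr, [int]($residual -bor $mapped))
    }
}

# The value from the error message in this issue
Convert-AccessMask -Mask 269484032
```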

About this issue

  • State: open
  • Created 7 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Following up on my previous comment, I found another directory with a similar ACE.

This time I tried giving myself GenericAll via Add-NTFSAccess. What I found was that instead of AccessRights “GenericAll”, I had received Access Rights “Synchronize, GenericAll”. Further, I found that I could remove those rights with Remove-NTFSAccess. So I thought, “what if I try giving the user with the GenericAll right the same rights again? Will they get that Synchronize right?”

Add-NTFSAccess -Path H:\CAXX\HOME\anotheruser -Account Contoso\anotheruser -AccessRights GenericAll -AccessType Allow -AppliesTo SubfoldersAndFilesOnly

Well, lo and behold, they do!! They end up with

Contoso\anotheruser                     Synchronize... SubfoldersAndFilesOnly    Allow          False

And now you can easily remove that ACE.

So I think we have a WORKAROUND:

$Path = "T:\This\Dir"
$Account = "Contoso\ThatAccount"
$ACE = Get-NTFSAccess -Path $Path -Account $Account

try {
    # Try the direct removal first; -ErrorAction Stop makes the failure catchable
    $ACE | Remove-NTFSAccess -ErrorAction Stop
}
catch {
    # Re-add GenericAll so the ACE is stored as "Synchronize, GenericAll", then remove it
    Add-NTFSAccess -Account $Account -Path $Path -AccessRights GenericAll -AccessType Allow -AppliesTo SubfoldersAndFilesOnly
    Get-NTFSAccess -Path $Path -Account $Account | Remove-NTFSAccess
}

EDIT: Yes, I realize that this could be an expensive operation depending on the number of files and folders in a directory tree. Let me know what you think!

Still broken.

It happens when I try to remove the Everyone ACE when it has these rights.

Account   Access Rights  Applies to              Type   IsInherited  InheritedFrom
Everyone  GenericAll     SubfoldersAndFilesOnly  Allow  False

Late to the party, but I ran into this when trying to remove invalid SIDs from shares. It seems that if the AccessRights are GenericAll, this issue comes up.

Get-NTFSOrphanedAccess -Path $UserShare | Remove-NTFSAccess