Hello guys.

I heard Powershell can do better and powerfull things than a simple batch, ok, I need a script to remove the groups USERS and EVERYONE from any hard disks in all Windows Servers 2008 R2 in the whole AD.

Could you help me please with this?
I will apreciate it!

Thanks in advance!!

Hi,

You can check the script repository for a starting point:

http://gallery.technet.microsoft.com/scriptcenter

There's also good material here for getting your feet wet:

http://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx

For permissions, this module should be helpful:

https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83

Let us know if you have any specific questions.

Hi,

The task is obviously possible, but why do you want to do this? What are you trying to achieve? Having scripts running that affect your entire AD without basic PowerShell knowledge may not be the answer. How do you know this won't affect existing business applications?

Search for "orphaned sids"

Well this is a requisition from IT director, I have no idea why he want to do this but it is.

I don't want to do this server by server once at time. :(

The request sounds quite suspicious. Modifying security on files and directories without understanding the reason can lead to disaster.

For example, if you remove Users from the Program Files directory, then users can't run programs on that computer. Clearly you don't want that, do you?

The request is rather vague in the first place. Saying "someone told me to do this" is not a sufficient explanation. What problem is this fixing?

It is my guess that, since the OP clearly lacks training in AD and security that he/she is misunderstand9ng the request.

I was once asked a similar question as a result of recommendations from a liability insurance company.  They wanted all "Direct" user permissions removed in favor of well controlled and managed security groups.  They wanted this because their auditors could better report on access.  THe manager who delivered the request said "we have to remove ALL user access from these folders (programs,windows,etc).  THis really meant all "direct" user permissions.  Wee looked and did find a few servers where someone had added users with full control to folder in "program files"  WhY?  Don't know.  We removed them.

I scripted all of the probes with SubInAcl and a RegEx set that extracted all accounts then patched them to local and domain groups. 

Today we have many tools that will generate these reports. I recommend purchasing a tool that reports on who hass acces. Most allow an exception report that shows direct access accounts.

I think the question was misunderstanding: I need to remove groups USERS and EVERYONE in any hard disk in all Servers in the whole AD:

Right click in hard disk, properties- Security tab, and find Everyone and Users groups and remove it.

I think the question was misunderstanding: I need to remove groups USERS and EVERYONE in any hard disk in all Servers in the whole AD:

Right click in hard disk, properties- Security tab, and find Everyone and Users groups and remove it.

This statement makes absolutely no technical sense.

I recommend spending enough time with AD and the file system to learn the basic terminology.  Once you have correct terms your request might makes some sense.  As currently stated it makes no sense.

I would add, aside from the request being nonsensical, that this isn't a "write a script for me" forum.

This is particularly true when we strongly suspect that such a script would cripple any computer you run it on.