I´m working on a powershell script that should among others delete privileges of a given network share.
I use:
$folder = "Path\To\Folder\on\Share"
$acl = Get-ACL -Path $Folder
#Remove inheritance but copy ACE
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-ACL -Path $Folder
$accessrule = New-Object system.security.AccessControl.FileSystemAccessRule("VORDEFINIERT\Benutzer","Read",,,"Allow")
$acl.RemoveAccessRuleAll($accessrule)
Set-Acl -Path $folder -AclObject $acl
This should delete inheritence while preserving the existing privileges and then delete all rights of "BUILTIN\Users"
.
Unfortunately my systems language is german so writing "BUILTIN\Users"
or "<OUR DOMAIN>\Users"
does not work as it translates the output of Get-ACL automaticly and I have to write the German translation "VORDEFINIERT\Benutzer"
.
This is very unpleasent as the script should run on serveral systems with different OS languages and I would have to write one rule for every language.
Question How can I force powershell to output in English? Is there a better way ?
Use the Security Identifier of the builtin groups instead (always the same):
$BuiltinUsersSID = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $BuiltinUsersSid,"Read","Allow"
As shown by Martin Brandl you can use WMI to find user or group accounts based on SID, but you can also translate a SecurityIdentifier
object to an account like so if you want the localized name:
PS> $BuiltinUsersSID = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
PS> $BuiltinUsersGroup = $BuiltinUsersSID.Translate([System.Security.Principal.NTAccount])
PS> $BuiltinUsersGroup.Value # This would output VORDEFINIERT\Benutzer on a system with german locale
BUILTIN\Users