I've taken some working code I had in a previous script which alters the security permissions of folders using POSH, although, instead of allowing modify perms to an account, I now want to DENY SYSTEM from accessing this folder (this is to turn off the horrible Windows10UpgraderApp.exe from running during an MDT Task Sequence).
Here's my code that I thought would work:
New-Item -ItemType directory -Path C:\Windows10upgrade -force
$privuser = "system"
$Acl1 = Get-Acl "C:\Windows10Upgrade"
$Ar1 = New-Object system.security.accesscontrol.filesystemaccessrule("$privuser","deny")
$Acl1.SetAccessRule($Ar1)
This is the error I'm getting:
New-Object : Cannot find an overload for "FileSystemAccessRule" and the argument count: "2".
At line:3 char:8
+ $Ar1 = New-Object system.security.accesscontrol.filesystemaccessrule("$privuser" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
A bit lost on this one - this code works in a previously used script.
Thanks in advance
EDIT: After receiving the below advice (thanks) I now run this code:
New-Item -type directory -path C:\Windows10Upgrade -force
$Acl = Get-Acl "C:\Windows10Upgrade"
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("System","FullControl","Deny")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\Windows10Upgrade" $Acl
I know it can be deceptive, as the Special permissions box is ticked when you make changes this way, but this doesn't throw an error, and the permissions look the same for SYSTEM, like it has unfortunately NOT successfully applied the change to the access rule.
2nd EDIT: Something seems to have taken place, but now there are multiple permission entries for SYSTEM. The desired ACL rule is at the top for SYSTEM, yet full control is still assigned below:
PS C:\WINDOWS\system32> get-acl -Path C:\Windows10upgrade | select *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows10upgrade
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\
PSChildName : Windows10upgrade
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
AccessToString : NT AUTHORITY\SYSTEM Deny FullControl
                 BUILTIN\Administrators Allow FullControl
                 BUILTIN\Administrators Allow 268435456
                 NT AUTHORITY\SYSTEM Allow FullControl
                 NT AUTHORITY\SYSTEM Allow 268435456
                 BUILTIN\Users Allow ReadAndExecute, Synchronize
                 NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
                 NT AUTHORITY\Authenticated Users Allow -536805376
AuditToString :
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows10upgrade
Owner : BUILTIN\Administrators
Group : COMPANY\Roles - Technical Services
Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule,
         System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule...}
Sddl : O:BAG:S-1-5-21-2593231249-3506496172-1181922232-40387D:AI(D;;FA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
The solution is in the error message. Referencing the documentation, a minimum of 3 arguments is required. That's for this constructor:
public FileSystemAccessRule(
string identity,
FileSystemRights fileSystemRights,
AccessControlType type
)
It looks like you're missing the middle argument, FileSystemRights, as you've specified the user as "system" and AccessControlType to be deny... but not which permissions to deny.
Edit
Right click on the folder, and go to Properties > Security > Advanced. You should see a screen similar to the below.
Blue highlighted row is the one added by the script. Yellow highlighted row is inherited, so it's not set on the folder but on the whole drive. For me, this is why there were multiple permission lines.
This isn't really an issue as Deny trumps Allow. To confirm, you can set Deny permissions to your user or the Admin group as above and try to access the folder.
If the permission is not inherited, but is instead applied to the folder, you will need to make use of the RemoveAccessRule method in a similar way to how SetAccessRule is used:
$remove = New-Object system.security.accesscontrol.filesystemaccessrule("System","FullControl","Allow")
$Acl.RemoveAccessRule($remove)   # only removes explicit (non-inherited) entries
Set-Acl "C:\Windows10Upgrade" $Acl
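Putting the pieces of the answer together, here is an added example (not code from the question or the answer above) that creates the folder, adds the Deny for SYSTEM with inheritance flags so it also covers files dropped inside the folder, removes the SYSTEM Allow entries (including the inherited ones, by breaking inheritance first, which the answer did not need to do), and prints the SYSTEM entries and the SDDL for checking. It assumes the folder path from the question, PowerShell 5 or later (for ::new()), and an elevated session; the helper names New-SystemRule and Get-SystemAces are mine.

```powershell
# Added example; not code from the question or the answer above.
# Assumptions: the folder path from the question, PowerShell 5+ and an elevated session.

$Path = 'C:\Windows10Upgrade'

# Use the well-known SID (S-1-5-18) rather than the string "System" so it resolves
# on localized builds too.
$SystemSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

function New-SystemRule {
    param([System.Security.AccessControl.AccessControlType]$Type)
    # ContainerInherit + ObjectInherit make the ACE flow to subfolders and files.
    # Without them the SDDL shows (D;;FA;;;SY), i.e. the folder object only, and
    # SYSTEM (which has bypass-traverse-checking) can still open a file inside
    # the folder by its full path.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $SystemSid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
}

function Get-SystemAces {
    # Lists every ACE on the folder that belongs to SYSTEM, with its inheritance state.
    param([string]$Folder)
    (Get-Acl -Path $Folder).Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $SystemSid.Value
        } |
        Select-Object AccessControlType, FileSystemRights, IsInherited, InheritanceFlags
}

$null = New-Item -ItemType Directory -Path $Path -Force

# Pass 1: stop inheriting from the parent but keep copies of the inherited ACEs as
# explicit entries, so the inherited "SYSTEM Allow FullControl" becomes removable.
# RemoveAccessRule/RemoveAccessRuleAll only touch explicit entries, which is why the
# ACL is written and re-read before the removal.
$Acl = Get-Acl -Path $Path
$Acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $Acl

# Pass 2: re-read (the copied ACEs now report IsInherited = False), drop every
# explicit SYSTEM Allow regardless of its rights or flags, add the Deny, write back.
$Acl = Get-Acl -Path $Path
$Acl.RemoveAccessRuleAll((New-SystemRule -Type Allow))
$Acl.SetAccessRule((New-SystemRule -Type Deny))
Set-Acl -Path $Path -AclObject $Acl

# Verify: expect a single Deny entry for SYSTEM, and the SDDL to contain
# (D;OICI;FA;;;SY) instead of the (D;;FA;;;SY) seen in the question.
Get-SystemAces -Folder $Path | Format-Table -AutoSize
(Get-Acl -Path $Path).Sddl
```

Two caveats worth keeping in mind when relying on this. First, the SDDL in the second edit, (D;;FA;;;SY), has no OI/CI flags, so the Deny as originally posted applies to the folder object only; because SYSTEM holds the bypass-traverse-checking privilege, a Deny on the folder alone does not stop it opening a file inside the folder by full path, which is why the example sets the inheritance flags. Second, SYSTEM also holds the backup, restore and take-ownership privileges, so a process that deliberately enables them can still get past the DACL; a Deny ACE stops an ordinary file open by SYSTEM, not a privileged one.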