To remove permissions, use the RemoveAccessRule method. Let’s delete the “Allow FullControl” permission for T.Simpson to the “Sales” folder:
$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.RemoveAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales
Note that RemoveAccessRule deletes only specific permissions. To completely wipe T.Simpson’s permissions to the “Sales” folder, use the PurgeAccessRules method:
$acl = Get-Acl \\fs1\shared\sales
$usersid = New-Object System.Security.Principal.Ntaccount ("ENTERPRISE\T.Simpson")
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl \\fs1\shared\sales
Note that PurgeAccessRules doesn’t work with a string user name; it works only with SIDs. Therefore, we used the “Ntaccount” class to convert the user account name from a string into a SID. Also note that PurgeAccessRules works only with explicit permissions; it does not purge inherited ones.
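To check what each call actually leaves behind, the following added example (not part of the original article) runs both removals against a scratch folder and lists the remaining entries with their IsInherited flag after every step. The temp folder, the current user standing in for ENTERPRISE\T.Simpson, and the Show-UserAces helper are assumptions made for the demo.

```powershell
# Added example: a scratch folder and the current user stand in for
# \\fs1\shared\sales and ENTERPRISE\T.Simpson (assumptions, not from the article).
$path = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $path | Out-Null
$user = New-Object System.Security.Principal.NTAccount(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)

# Hypothetical helper: list every ACE on the folder that names $user.
function Show-UserAces($label) {
    Write-Host "--- $label"
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $user.Value } |
        Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-String | Write-Host
}

# 1. Grant explicit Read and Write on top of whatever the parent folder passes down.
$acl = Get-Acl $path
$grant = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "Read, Write", "Allow")
$acl.AddAccessRule($grant)
$acl | Set-Acl $path
Show-UserAces "after explicit grant of Read, Write"

# 2. RemoveAccessRule strips only the rights named in the rule passed to it.
#    The explicit entry stays, minus Write.
$acl = Get-Acl $path
$revoke = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "Write", "Allow")
$removed = $acl.RemoveAccessRule($revoke)   # Boolean result of the removal
$acl | Set-Acl $path
Write-Host "RemoveAccessRule returned: $removed"
Show-UserAces "after RemoveAccessRule(Write)"

# 3. PurgeAccessRules drops every explicit entry for the identity.
#    Entries with IsInherited = True (if the parent grants any) are still listed.
$acl = Get-Acl $path
$acl.PurgeAccessRules($user)
$acl | Set-Acl $path
Show-UserAces "after PurgeAccessRules"

# Count what is left for the user, split by explicit vs inherited.
$left = (Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -eq $user.Value }
$explicit = @($left | Where-Object { -not $_.IsInherited }).Count
$inherited = @($left | Where-Object { $_.IsInherited }).Count
Write-Host "explicit ACEs left: $explicit; inherited ACEs left: $inherited"

Remove-Item $path -Recurse -Force   # clean up the scratch folder
```

If the final count still shows inherited entries, the user keeps that access until the permission is changed on the parent folder or inheritance is handled on the folder itself.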