
How to Remove All Permissions for a Specific User on a File in Batch Script

When an employee changes roles or leaves an organization, securing sensitive files immediately is critical. Clicking through the Windows GUI (Graphical User Interface) to remove a user from dozens of files is slow and error-prone. A Batch script makes the removal fast, repeatable, and easy to log and review afterwards.

In this guide, we will explore how to completely strip a user's access to a specific file or folder using the icacls command. We will cover removing explicit permissions, handling inherited permissions, and applying explicit "Deny" rules.

Method 1: The /remove Switch (Explicit Permissions)

The most direct way to strip a user's rights from a file is the icacls utility's /remove switch. It deletes every explicit ACE (access control entry) that names the account on the target file, Allow and Deny alike. It does not touch entries the file inherits from its parent folder.

Syntax

icacls "C:\Path\To\File.txt" /remove "Domain\Username"

Script Example

@echo off
setlocal

set "SENSITIVE_FILE=C:\Finance\Q4_Projections.xlsx"
set "USER_TO_REMOVE=JSmith"

if not exist "%SENSITIVE_FILE%" (
echo [ERROR] File not found: %SENSITIVE_FILE%
pause
exit /b 1
)

echo Removing explicit permissions for %USER_TO_REMOVE% from %SENSITIVE_FILE%...

REM /remove deletes every explicit ACE for this account on the file.
REM It cannot touch inherited entries, and it does not report an error
REM when the account had no explicit entry to begin with.
icacls "%SENSITIVE_FILE%" /remove "%USER_TO_REMOVE%"

if %ERRORLEVEL% equ 0 (
echo [SUCCESS] Explicit permissions for %USER_TO_REMOVE% have been removed.
echo NOTE: If the user inherits access via a group or parent folder,
echo they may still be able to access the file.
) else (
echo [ERROR] Failed to remove user. Check that the account name resolves
echo and that you are running this as Administrator.
)

endlocal
pause

The Weakness of /remove (The Inheritance Problem)

If you run the script above and then check the file's properties, you may find that JSmith can still read the file. Why? Inheritance, and group membership.

If JSmith belongs to FinanceGroup (which has Read access to the folder), or if the folder itself grants Everyone Read access, JSmith receives those rights through the entries the file inherits from its parent. /remove deletes only explicit entries on that file that name JSmith's own account: it does not expand group memberships, and it cannot delete inherited entries (icacls flags those with (I) in its listing). To change an inherited entry you must change it on the parent folder, or stop the file from inheriting with /inheritance:d (copy the inherited entries and make them explicit) or /inheritance:r (drop them entirely).
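Before choosing between /remove and /deny, it helps to see exactly where the user's access comes from. The following batch script is an added example and not part of the original article; the file path and account name at the top are placeholders you would replace. It splits the icacls listing into explicit and inherited entries using the (I) flag that icacls prints on inherited ACEs, lists the parent folder's ACL (the source of the inherited entries), asks icacls /findsid whether the account is named in the file's ACL at all, and prints the account's group memberships with net user so you can match them against group ACEs.

```batch
@echo off
setlocal

REM Placeholders (assumptions for this example): adjust to your environment.
set "TARGET=C:\Finance\Q4_Projections.xlsx"
set "ACCOUNT=JSmith"

if not exist "%TARGET%" (
    echo [ERROR] File not found: %TARGET%
    exit /b 1
)

REM Parent folder of the file: %%~dpF is its drive and path, with a trailing
REM backslash that we strip so the quoted argument is passed cleanly.
for %%F in ("%TARGET%") do set "PARENT=%%~dpF"
set "PARENT=%PARENT:~0,-1%"

REM In an icacls listing every ACE line contains ":(" and inherited ACEs are
REM flagged with (I); the trailing "Successfully processed" line has neither.
echo === Explicit ACEs on the file (what /remove can delete) ===
icacls "%TARGET%" 2>nul | findstr /l /c:":(" | findstr /v /l /c:"(I)"

echo.
echo === Inherited ACEs on the file (/remove cannot touch these) ===
icacls "%TARGET%" 2>nul | findstr /l /c:"(I)"

echo.
echo === Parent folder %PARENT%: the source of the inherited entries ===
icacls "%PARENT%" 2>nul | findstr /l /c:":("

echo.
echo === Is %ACCOUNT% named in the file's ACL at all? ===
REM /findsid prints "SID Found: <path>." when an ACE for the account exists;
REM no hit means the access comes only through a group.
icacls "%TARGET%" /findsid "%ACCOUNT%"

echo.
echo === Group memberships of %ACCOUNT% (compare with the group ACEs above) ===
REM For a domain account add /domain; nested group membership is not expanded.
net user "%ACCOUNT%" 2>nul | findstr /i /l /c:"Group"

endlocal
```

If the account appears only in the inherited section, or not at all, Method 1 will change nothing for it and you need either the parent folder, the group, or an explicit Deny.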

Method 2: The Nuclear Option – Explicit Deny (/deny)

If you need to guarantee that JSmith cannot open the file, regardless of group membership or what trickles down from the parent folder, use an explicit Deny rule.

Windows evaluates a DACL in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. An explicit Deny is therefore checked first and overrides an explicit or inherited Allow. (The reverse does not hold: an inherited Deny is beaten by an explicit Allow.) Three things a Deny does not do: it does not revoke handles that are already open, because access is checked when the file is opened, not on every read; it does not bind the file's owner, who always keeps the implicit right to read and rewrite the DACL and can simply delete the Deny; and it does not stop members of Administrators, who can take ownership and do the same. Disabling the account or removing it from the group remains the real fix; the Deny buys time.

Syntax

icacls "C:\Path\To\File.txt" /deny "Domain\Username:(F)"
  • /deny: Tells the system to explicitly block the specified right.
  • (F): Full Control. Denying Full Control implicitly denies Read, Write, Execute, and Modification. It is a total blackout.

Robust Script Example

This is how you lock a terminated employee or a compromised account out of a crucial file immediately.

@echo off
setlocal

set "TARGET_FILE=C:\SecureVault\Passwords.kdbx"
set "REVOKED_USER=DOMAIN\TerminatedEmployee"

if not exist "%TARGET_FILE%" (
echo [ERROR] File not found: %TARGET_FILE%
pause
exit /b 1
)

echo Securing %TARGET_FILE%...
echo Applying absolute Deny rule for %REVOKED_USER%...

REM Step 1: Remove any existing explicit entries (Allow or Deny) for this
REM user so no stale entry is left behind alongside the new Deny
icacls "%TARGET_FILE%" /remove "%REVOKED_USER%" >nul 2>nul

REM Step 2: Apply the Explicit Deny for Full Control
icacls "%TARGET_FILE%" /deny "%REVOKED_USER%:(F)"

if %ERRORLEVEL% equ 0 (
echo [SUCCESS] Deny rule applied successfully.
echo.
echo Current ACL entry for %REVOKED_USER%:
REM /l /c: searches for the whole account name as one literal string
icacls "%TARGET_FILE%" 2>nul | findstr /i /l /c:"%REVOKED_USER%"
) else (
echo [ERROR] Failed to apply Deny rule. Ensure you run this as Administrator.
)

echo.
echo Done.
endlocal
pause

Output:

Current ACL entry for DOMAIN\TerminatedEmployee:
C:\SecureVault\Passwords.kdbx DOMAIN\TerminatedEmployee:(N)
Note: (N) is icacls shorthand for "no access", a Deny entry covering every right. This is how the (F) Deny you just applied is displayed; a Deny of only some rights is shown with a (DENY) prefix instead.

Use Deny Sparingly

Explicit Deny rules are extremely powerful and notoriously difficult to troubleshoot later if you forget they exist (System Administrators often spend hours figuring out why an admin group can't open a file, only to discover a deeply buried Deny rule). Use them for emergencies, sensitive exceptions, or when inherited rules are too complex to untangle cleanly.
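Because a forgotten Deny is so hard to find later, it pays to record where they are and to know how to lift one cleanly. The script below is an added example, not from the original article; the folder, file, account, and log path at the top are placeholders. It first deals with the ownership gap described above: it shows the current owner with dir /q (the owner can delete any Deny, so a Deny on the owner is hollow) and hands the file to an administrators group with icacls /setowner. It then walks the folder tree and logs every object that carries a Deny entry, checking each object separately so the path is recorded with the hit. Finally it shows /remove:d, which deletes only the Deny entries for one account and leaves its Allow entries in place, unlike plain /remove.

```batch
@echo off
setlocal

REM Placeholders (assumptions for this example): adjust before use.
set "VAULT_DIR=C:\SecureVault"
set "LOCKED_FILE=C:\SecureVault\Passwords.kdbx"
set "REVOKED_USER=DOMAIN\TerminatedEmployee"
set "NEW_OWNER=BUILTIN\Administrators"
set "AUDIT_LOG=%TEMP%\deny_audit.txt"
REM Set LIFT_DENY=1 to actually remove the Deny entries for REVOKED_USER.
set "LIFT_DENY=0"

if not exist "%LOCKED_FILE%" (
    echo [ERROR] File not found: %LOCKED_FILE%
    exit /b 1
)

REM --- 1. Ownership. The owner implicitly keeps READ_CONTROL and WRITE_DAC,
REM so a Deny on the owner can simply be deleted by them. Show the owner
REM (dir /q prints an owner column; very long names may be truncated) and
REM hand the file to an admin group. /setowner needs an elevated prompt.
for %%F in ("%LOCKED_FILE%") do set "LOCKED_NAME=%%~nxF"
echo === Current owner of %LOCKED_NAME% ===
dir /q "%LOCKED_FILE%" | findstr /i /l /c:"%LOCKED_NAME%"
icacls "%LOCKED_FILE%" /setowner "%NEW_OWNER%" /Q

REM --- 2. Audit. icacls prints a Deny of all rights as ":(N)" and a partial
REM Deny with a "(DENY)" prefix. Each object is checked on its own so the
REM path is logged next to the hit (continuation lines of a tree listing
REM would not carry it).
if exist "%AUDIT_LOG%" del "%AUDIT_LOG%"
call :check_deny "%VAULT_DIR%"
for /d /r "%VAULT_DIR%" %%D in (*) do call :check_deny "%%D"
for /r "%VAULT_DIR%" %%F in (*) do call :check_deny "%%F"
echo.
echo === Objects under %VAULT_DIR% with a Deny entry (also in %AUDIT_LOG%) ===
if exist "%AUDIT_LOG%" (type "%AUDIT_LOG%") else (echo none)

REM --- 3. Lifting a Deny later. /remove:d deletes only the Deny entries for
REM the account and leaves any Allow entries alone; plain /remove drops both.
echo.
if "%LIFT_DENY%"=="1" (
    icacls "%LOCKED_FILE%" /remove:d "%REVOKED_USER%"
) else (
    echo To lift the Deny for %REVOKED_USER% run:
    echo   icacls "%LOCKED_FILE%" /remove:d "%REVOKED_USER%"
)
endlocal
exit /b 0

:check_deny
REM %~1 is the object to inspect; append its path to the log when icacls
REM shows a Deny entry. The redirection is written first so a path ending
REM in a digit is not mistaken for a file-handle number.
icacls "%~1" 2>nul | findstr /l /c:":(N)" /c:"(DENY)" >nul && >>"%AUDIT_LOG%" echo %~1
exit /b 0
```

Keep the audit log with the change ticket; the next administrator who cannot open a file will look there first.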

Method 3: Removing User Access from an Entire Folder Tree

If you need to remove a user from an entire project directory and all its files, combine the /remove switch with the /T switch, which applies the operation to every file and subfolder below the directory.

@echo off
setlocal

set "PROJECT_DIR=D:\Projects\ProjectApollo"
set "USER_TO_BOOT=BJones"

if not exist "%PROJECT_DIR%\" (
echo [ERROR] Directory not found: %PROJECT_DIR%
pause
exit /b 1
)

echo Removing %USER_TO_BOOT% from all files in %PROJECT_DIR%...

REM /T applies the removal to all nested files and subfolders
REM /C forces it to continue even if it hits Access Denied on one file
REM /Q runs quietly
icacls "%PROJECT_DIR%" /remove "%USER_TO_BOOT%" /T /C /Q

if %ERRORLEVEL% equ 0 (
echo [SUCCESS] Cleanup complete for %USER_TO_BOOT%.
) else (
echo [WARNING] Cleanup finished, but some files may not have been processed.
echo Run as Administrator and consider using takeown first for locked items.
)

endlocal
pause
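Bulk ACL changes are hard to undo by hand, so before running /remove across a tree you should snapshot the existing DACLs. The script below is an added example, not part of the original article; it reuses the Method 3 placeholder directory and account and adds a backup file path, all of which are assumptions. It saves every DACL in the tree with icacls /save, performs the removal, verifies with icacls /findsid which objects still carry an entry for the account, and prints the /restore command for rollback. /save records paths relative to the directory that contains the tree you name, so /restore is pointed at that parent directory rather than at PROJECT_DIR itself.

```batch
@echo off
setlocal

REM Placeholders (assumptions for this example): adjust before use.
set "PROJECT_DIR=D:\Projects\ProjectApollo"
set "USER_TO_BOOT=BJones"
set "ACL_BACKUP=%TEMP%\ProjectApollo_dacl_backup.txt"

if not exist "%PROJECT_DIR%\" (
    echo [ERROR] Directory not found: %PROJECT_DIR%
    exit /b 1
)

REM /save stores paths relative to the directory that contains PROJECT_DIR,
REM so /restore must later be pointed at that parent. %%~fP resolves the "..".
for %%P in ("%PROJECT_DIR%\..") do set "PARENT_DIR=%%~fP"

echo [1/3] Snapshotting DACLs of %PROJECT_DIR% to %ACL_BACKUP% ...
icacls "%PROJECT_DIR%" /save "%ACL_BACKUP%" /T /C /Q
if errorlevel 1 (
    echo [ERROR] Snapshot failed; no changes were made.
    exit /b 1
)

echo [2/3] Removing explicit entries for %USER_TO_BOOT% ...
icacls "%PROJECT_DIR%" /remove "%USER_TO_BOOT%" /T /C /Q

echo [3/3] Verifying ...
REM /findsid prints "SID Found: <path>." for each object whose DACL still
REM holds an ACE for the account. After the removal that can only be an
REM object icacls failed to process, or an entry inherited from above
REM PROJECT_DIR (flagged (I) in icacls output), which /remove cannot delete.
icacls "%PROJECT_DIR%" /findsid "%USER_TO_BOOT%" /T /C 2>nul | findstr /i /l /c:"SID Found"
if errorlevel 1 (
    echo [OK] No object under %PROJECT_DIR% names %USER_TO_BOOT% any more.
) else (
    echo [WARNING] The objects above still reference %USER_TO_BOOT%; inspect them with icacls.
)

echo.
echo Rollback, if needed (run against the parent directory):
echo   icacls "%PARENT_DIR%" /restore "%ACL_BACKUP%"

endlocal
pause
```

The snapshot file is plain text (UTF-16) and can be kept with the change record; /restore reapplies exactly the saved DACLs, so take the snapshot immediately before the change and not from an older backup.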

Summary

Removing user access via batch script requires understanding precisely how the user is getting access in the first place.

  1. If they were granted explicit access to the file: use icacls ... /remove "Username".
  2. If they are inheriting access from a group or parent folder and you want to lock them out immediately: use the overriding power of icacls ... /deny "Username:(F)".

Both commands provide powerful, scriptable security management when rapid response is required.