Очевидно, что /remove не влияет на унаследованные ACL:
C:\Windows\System32> pushd d:\bat\files2
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
folder\xxx.csv BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
d:\bat\files2> for /d %G in (*) do @icacls %G /remove Users /T
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
folder\xxx.csv BUILTIN\Administrators:(F)
BUILTIN\Users:(I)(RX)
Нужно отключить наследование и сначала скопировать ACE:
d:\bat\files2> for /d %G in (*) do @(icacls %G /inheritance:d /T&&icacls %G /remove Users /T)
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
processed file: folder
processed file: folder\xxx.csv
Successfully processed 2 files; Failed processing 0 files
d:\bat\files2> for /d %G in (*) do @icacls %G /T | findstr /I "folder \\Users"
folder BUILTIN\Administrators:(F)
folder\xxx.csv BUILTIN\Administrators:(F)
Обратите внимание на использование оператора && в следующей однострочной
for /d %G in (*) do @(icacls %G /inheritance:d /T&&icacls %G /remove Users /T)
вместо
for /d %G in (*) do @icacls %G /inheritance:d /T
for /d %G in (*) do @icacls %G /remove Users /T
Пример применяется к следующей структуре файла:
d:\bat\files2> tree . /f
D:\BAT\FILES2
│ SampleInput.eml
│
└───folder
xxx.csv
