Script repository

Disallow users to change permissions on their home folders

Updated on: Jan 18, 2026, Views: 3028

Folders and profiles

The script updated the permissions on the user home folder so that they cannot change the permissions. To execute the script, create a business rule, custom command or scheduled task configured for the User object type.

try
{
    $homeFolder = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Get the user SID.
$userSidBinary = $Context.TargetObject.Get("objectSid")
$userSid = New-Object System.Security.Principal.SecurityIdentifier($userSidBinary, 0)

# Deny the permission to change security for the home folder.
$homeFolderACL = Get-Acl $homeFolder
$acl = New-Object System.Security.AccessControl.FileSystemAccessRule($userSid,"ChangePermissions","ContainerInherit,ObjectInherit","None","Deny")
$homeFolderACL.AddAccessRule($acl)

Set-Acl -path $homeFolder $homeFolderACL

Comments 0

You must be signed in to comment.

    Got questions?

    Support Questions & Answers

    We use cookies to improve your experience.
    By your continued use of this site you accept such use.
    For more details please see our privacy policy and cookies policy.