Forum Discussion
Is it possible to disable search location in file explorer via Intune
So I have found a script that works if I specify the user; however, how would I do this for each user who tries to delete it (standard users)?
# Define the folder path
$folderPath = "C:\Users\Username\appdata\Local\Microsoft\Edge\User Data\Default\Extensions\dlcaglefdlidioooijnigjhfcndlncfp"
# Define the account for which you want to deny permissions
$account = "AzureAD\Username"
# Get the current ACL
$acl = Get-Acl -Path $folderPath
# Create a rule to deny deletion and deletion of subfolders
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Delete, DeleteSubdirectoriesAndFiles", "Deny")
# Add the rule to the ACL
$acl.AddAccessRule($rule)
# Apply the modified ACL to the folder
Set-Acl -Path $folderPath -AclObject $acl
- Nov 15, 2023
ABill1 This should do all folders in c:\users:
foreach ($folder in Get-ChildItem -Path c:\users -Directory) {
    $folderPath = "C:\Users\$($folder.Name)\appdata\Local\Microsoft\Edge\User Data\Default\Extensions\dlcaglefdlidioooijnigjhfcndlncfp"
    # Define the account for which you want to deny permissions
    $account = "AzureAD\A SPECIFIC USERNAME"
    # Get the current ACL
    $acl = Get-Acl -Path $folderPath
    # Create a rule to deny deletion and deletion of subfolders
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Delete, DeleteSubdirectoriesAndFiles", "Deny")
    # Add the rule to the ACL
    $acl.AddAccessRule($rule)
    # Apply the modified ACL to the folder
    Set-Acl -Path $folderPath -AclObject $acl
}
(No checks if the folder exists and not tested)
But... Like I asked before, a few comments back... Why do you NEED the plugin for secure internet access, and why can people browse the internet without it?! Could they use another browser, too? You have to set up your firewall so the content blocking is done there... That would be better.
- ABill1, Nov 15, 2023, Iron Contributor
With this script I can set it per user, however not for all users on the machine, and it sets permission for the folder: dlcaglefdlidioooijnigjhfcndlncfp with
$folderPath = "C:\Users\A SPECIFIC USERNAME\appdata\Local\Microsoft\Edge\User Data\Default\Extensions\dlcaglefdlidioooijnigjhfcndlncfp"
# Define the account for which you want to deny permissions
$account = "AzureAD\A SPECIFIC USERNAME"
# Get the current ACL
$acl = Get-Acl -Path $folderPath
# Create a rule to deny deletion and deletion of subfolders
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Delete, DeleteSubdirectoriesAndFiles", "Deny")
# Add the rule to the ACL
$acl.AddAccessRule($rule)
# Apply the modified ACL to the folder
Set-Acl -Path $folderPath -AclObject $acl
I also can't get it to set this policy to sub folders as these can still be deleted. Any ideas?
- Nov 15, 2023
Now, you can use a script that sets the correct permissions on the folder for the Users group.
- ABill1, Nov 15, 2023, Iron Contributor
Hi Harm,
I have managed to use Account protection to get the SID of a group in Users group on the machine. So now need a script that reads the SID to set the permissions?
- Nov 08, 2023
I just referenced that post because it showed you ("In the Get the SID of an Azure Active Directory group" section) how to retrieve the SID. The SID of the group is known for an Azure AD joined machine. It will translate it to the group with no problem.
- ABill1, Nov 08, 2023, Iron Contributor
Yes, however the SID of that group needs to be on the device, which isn't the case as this policy https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft-intune/ didn't work? Or will this work without doing this policy?
- Nov 08, 2023
In one of your previous comments, you mentioned this:
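An added example, not code from any poster in this thread: one way to apply the deny rule to a group on every profile's copy of the extension folder, with inheritance flags so that subfolders and files are covered as well. The function name `Add-DenyDeleteRule`, its parameters and the default of the well-known BUILTIN\Users SID (S-1-5-32-545) are assumptions, and the script is assumed to run elevated.

```powershell
# Added example (not from the thread). Function name and defaults are illustrative.
function Add-DenyDeleteRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Extension ID taken from the thread
        [string]$ExtensionId = 'dlcaglefdlidioooijnigjhfcndlncfp',
        # Well-known SID of the local BUILTIN\Users group; replace with another group SID if needed
        [string]$GroupSid = 'S-1-5-32-545',
        [string]$ProfileRoot = 'C:\Users'
    )

    # Build the identity from the SID directly, so no account-name lookup is needed
    $identity  = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
    $rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    # ContainerInherit + ObjectInherit pushes the deny rule down to subfolders and files
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $deny      = [System.Security.AccessControl.AccessControlType]::Deny
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagate, $deny)

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory) {
        $relative   = "AppData\Local\Microsoft\Edge\User Data\Default\Extensions\$ExtensionId"
        $folderPath = Join-Path $userDir.FullName $relative

        # Profiles without the extension (Public, service accounts) are skipped
        if (-not (Test-Path -LiteralPath $folderPath -PathType Container)) {
            Write-Verbose "Skipping $($userDir.Name): extension folder not found"
            continue
        }

        if ($PSCmdlet.ShouldProcess($folderPath, 'Add inheritable deny-delete rule')) {
            $acl = Get-Acl -LiteralPath $folderPath
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $folderPath -AclObject $acl
            $folderPath   # emit the path so the caller can log what changed
        }
    }
}

# Preview only; remove -WhatIf to apply the change
Add-DenyDeleteRule -WhatIf -Verbose
```

The deny rule also applies to Edge itself when it runs as a member of that group, so check extension updates after deploying. A user who owns the folder can still rewrite its permissions, so the rule deters deletion without making it impossible.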
# Define the folder path
$folderPath = "C:\Users\Username\appdata\Local\Microsoft\Edge\User Data\Default\Extensions\dlcaglefdlidioooijnigjhfcndlncfp"
# Define the account for which you want to deny permissions
$account = "AzureAD\Username"
# Get the current ACL
$acl = Get-Acl -Path $folderPath
# Create a rule to deny deletion and deletion of subfolders
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Delete, DeleteSubdirectoriesAndFiles", "Deny")
# Add the rule to the ACL
$acl.AddAccessRule($rule)
# Apply the modified ACL to the folder
Set-Acl -Path $folderPath -AclObject $acl
Change $account = "AzureAD\Username" to $account = "AzureAD\SID" where SID is the SID of the Liam C security group.
- ABill1, Nov 08, 2023, Iron Contributor
So it failed! Any ideas why.
I found the SID
<groupmembership>
<accessgroup desc = "Users">
<member name = "Liam C" />
<member name = "I entered my sid here" />
</accessgroup>
</groupmembership>
Users is the local group
Liam C is the Azure AD security group
I have added the users I need this to affect into the Liam C security group
I then set this policy to deploy to the device where the user who is in the Liam C group logs on to.
Is this correct? How do I identify why this isn't working
- Oct 27, 2023
Replace $account = "AzureAD\Username" with the SID of the group. Here's a blog that explains how to get it: https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft-intune/. So, that would be $account = "AzureAD\S-1-12-1-2934938113-1096209395-2588194479-17890638" for example.
- ABill1, Oct 27, 2023, Iron Contributor
All users who sign in will be Azure AD - what would I need to change in script
- Oct 27, 2023
If the users are already part of an Azure AD Group, then you can use that one
- AB21805, Oct 27, 2023, Bronze Contributor
So users group? Or do I need to create a new group as well?
- Oct 27, 2023
Perhaps you could use a group instead of a user account? Just use a group of which the users are members and use the SID of the group instead of username