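# Restricts write access on every non-system file-system drive to read/execute
# for the built-in Users group, then grants Users full control on the Desktop,
# Documents and Downloads folders under the invoking account's profile.
#
# Must be run elevated. Save this file as UTF-8 with BOM if it is run under
# Windows PowerShell 5.1, otherwise the non-ASCII status glyphs below are
# decoded with the ANSI code page and print as garbage.

# Ensure script runs as admin
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "Please run this script as Administrator."
    # Non-zero exit code so a calling scheduler or script can tell nothing was applied.
    exit 1
}

# Well-known SIDs are used instead of group names so the icacls calls also work
# on non-English Windows installs, where "Users" and "Everyone" are localized.
$sidAdministrators = "*S-1-5-32-544"
$sidSystem         = "*S-1-5-18"
$sidUsers          = "*S-1-5-32-545"
$sidAuthUsers      = "*S-1-5-11"
$sidEveryone       = "*S-1-1-0"

# Runs icacls.exe and throws when it reports failure.
# icacls is a native executable: a non-zero exit code does NOT raise a
# PowerShell exception, so try/catch alone never sees its failures.
function Invoke-Icacls {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Arguments
    )

    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

# Get current user's profile path.
# ($profile is a PowerShell automatic variable, so a different name is used.)
# NOTE(review): when elevation used a different account's credentials, this is
# the elevating admin's profile, not the interactive user's - confirm intent.
$userProfile = [System.Environment]::GetFolderPath("UserProfile")
$allowedFolders = @("Desktop", "Documents", "Downloads")

# System folders to skip. Drive roots always look like "X:\", so in practice
# only the root entries can match; the actual system drive is added in case
# Windows is not installed on C:.
$skipPaths = @(
    "C:\",
    "C:\Windows",
    "C:\Program Files",
    "C:\Program Files (x86)",
    "C:\ProgramData",
    "C:\Users"
)
if ($env:SystemDrive) {
    $skipPaths += ($env:SystemDrive.TrimEnd('\') + '\')
}

# Counts failed steps so the final message reflects what really happened.
$failures = 0

# Get all drives
$drives = Get-PSDrive -PSProvider FileSystem

foreach ($drive in $drives) {
    $root = $drive.Root

    # Skip system drive and critical paths. A plain prefix comparison is used
    # instead of -like so characters in a path are never treated as wildcards.
    $skip = $false
    foreach ($path in $skipPaths) {
        if ($root.StartsWith($path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $skip = $true
            break
        }
    }
    if ($skip) { continue }

    # Drives that are not ready (empty optical drive, disconnected mapping)
    # cannot be processed; report them instead of letting icacls fail.
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "⚠ Skipping ${root}: drive is not accessible."
        continue
    }

    Write-Output "🔒 Restricting write access to drive: $root"

    try {
        # Make sure Administrators and SYSTEM keep explicit full control before
        # inherited and broad ACEs are stripped, so the volume cannot end up
        # with no principal able to manage it.
        Invoke-Icacls @($root, "/grant:r", "${sidAdministrators}:(OI)(CI)F", "${sidSystem}:(OI)(CI)F")

        # Disable inheritance
        Invoke-Icacls @($root, "/inheritance:r")

        # Remove common user permissions
        Invoke-Icacls @($root, "/remove:g", $sidUsers, $sidAuthUsers, $sidEveryone)

        # Grant Read + Execute ONLY.
        # This changes the ACL on the root only. Existing children pick it up
        # through inheritance; items that carry their own explicit ACEs or have
        # inheritance disabled keep whatever write access they already grant.
        Invoke-Icacls @($root, "/grant:r", "${sidUsers}:(OI)(CI)(RX)")

        # Take ownership of all files recursively (ownership only; /setowner
        # does not reset any permissions on the items it visits).
        Invoke-Icacls @($root, "/setowner", $sidAdministrators, "/T")

        Write-Output "✅ Permissions and ownership set on $root"
    } catch {
        $failures++
        Write-Warning "⚠ Failed to update permissions on ${root}: $_"
    }
}

# Grant full access to user folders
foreach ($folder in $allowedFolders) {
    $path = Join-Path $userProfile $folder

    Write-Output "✅ Allowing full access to: $path"
    try {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType Directory -Path $path -ErrorAction Stop | Out-Null
        }

        # NOTE(review): this grants the whole built-in Users group full control
        # (including changing permissions) on one account's personal folders, so
        # every local user can read and modify their contents. If only the
        # folder owner needs write access, grant that account instead of Users.
        Invoke-Icacls @($path, "/grant:r", "${sidUsers}:(OI)(CI)F")
        Write-Output "✔ Full access granted on $path"
    } catch {
        $failures++
        Write-Warning "⚠ Failed to set permissions on ${path}: $_"
    }
}

if ($failures -gt 0) {
    Write-Warning "⚠ Finished with $failures failed step(s); review the warnings above."
    exit 1
}

Write-Host "`n✅ Folder and drive permissions configured successfully."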