Here's a simple PowerShell script to remove NTFS permissions on a set of folders from a given root. It uses a list of users from a specific OU, but can quickly be edited for a single username. If in doubt about the actual changes, run it first without the Set- verbs. Always know what you're running and use it carefully! Simple logged output in case it is needed. See the highlighted portions for what to change.
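#######################################################################
# Revoke explicit NTFS ACEs for every user in $OU, on $RootPath and every
# subfolder beneath it. Each removal is appended to $termlog and mailed.
# Run with -WhatIf to list what would be removed without touching any ACL
# (Set-Acl is skipped and nothing is logged or mailed in that mode).
# Requires: ActiveDirectory module; WRITE_DAC (or ownership) on the folders;
#           write access to the log share; an SMTP relay that accepts the mail.
#######################################################################
################### Variables #########################################
#######################################################################
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$RootPath = "\\WHAT.FOLDER.TO\CLEANUP"
$OU       = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN" ## who to revoke
$NetBios  = "YOURNETBIOSNAME"               ## domain prefix of the IdentityReference
#######################################################################
### Note: Its assumed Group Membership secure access will be removed ##
### by separate term process ##########################################
#######################################################################
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'
Import-Module ActiveDirectory
$filename = -join ("$date", "___RevokeFolderPermsLog.csv")
$termlog  = "\\YOUR.FILE.SHARE\Terms\FolderPermissionRevocation\$filename"
$br = "<br>"
# Lines for the mail body. [void] stops ArrayList.Add() from emitting the
# new index to the pipeline (it otherwise shows up as stray numbers).
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)
$found = $false

#######################################################################
# Remove every explicit (non-inherited) ACE for $IdentityRef on $Path.
# Arguments: -Path        folder to clean
#            -IdentityRef "DOMAIN\user" as it appears in the ACL
# Returns:   $true when at least one ACE was removed and the ACL written;
#            $false when nothing matched or -WhatIf suppressed the write.
# Throws:    Get-Acl / Set-Acl errors (the caller logs them per folder).
# Inherited ACEs are ignored: RemoveAccessRuleAll cannot remove them, so
# "wiping" one would only have produced a false log entry.
#######################################################################
function Remove-IdentityAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$IdentityRef
    )
    $acl  = Get-Acl -Path $Path -ErrorAction Stop
    $hits = @($acl.Access | Where-Object { $_.IdentityReference -eq $IdentityRef -and -not $_.IsInherited })
    if ($hits.Count -eq 0) { return $false }
    # One rule per ACE: building a single rule from a multi-element match
    # fails because the properties become arrays.
    foreach ($ace in $hits) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        [void]$acl.RemoveAccessRuleAll($rule)
    }
    if (-not $PSCmdlet.ShouldProcess($Path, "Remove $($hits.Count) ACE(s) for $IdentityRef")) {
        return $false
    }
    Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
    return $true
}

Write-Progress -Activity "Getting users in: $OU"
Write-Host "Getting users in: $OU"
# Only SamAccountName is used; -Properties * would pull every attribute of every user.
$users = Get-ADUser -SearchBase $OU -Filter * -Properties SamAccountName

Write-Progress -Activity "Pre-load subfolders..."
Write-Host "Pre-Load subfolders..."
$err = @()
$SubFolders = @(Get-ChildItem -Path $RootPath -Recurse -ErrorVariable err -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -eq $true })
if ($err.Count -gt 0) {
    # A folder that cannot be listed cannot be cleaned; record that instead of skipping it silently.
    $MS = "WARNING: $($err.Count) folder(s) under $RootPath could not be enumerated and were skipped."
    Write-Warning $MS
    $MS | Out-File $termlog -Append
    [void]$emaillog.Add($MS)
    [void]$emaillog.Add($br)
}
# Fail loudly if the root itself is unreachable; nothing below makes sense without it.
$RootFolder = Get-Item -Path $RootPath -ErrorAction Stop
# Root first, then the pre-loaded subfolders (an empty subfolder list is fine).
$targets = @($RootFolder) + $SubFolders

foreach ($client in $users) {
    $username = $client.SamAccountName
    $idref    = -join ("$NetBios\", "$username")
    Write-Progress -Activity "Starting trawl of: $RootFolder"
    Write-Host "Starting trawl of: $RootFolder"
    $i = 0   # folders checked so far; bumped before use so the last one reaches exactly 100%
    $j = 0   # folders where an ACE for $username was removed
    foreach ($folder in $targets) {
        $i++
        $path = $folder.FullName
        Write-Progress -Activity "Checking for: $username in: $path... " -Status "Cleared: $i of $($targets.Count) folders... Located: $j instances." -PercentComplete (($i / $targets.Count) * 100)
        try {
            $wiped = Remove-IdentityAccess -Path $path -IdentityRef $idref
        } catch {
            # Access denied / offline folder: log it and keep going for the rest of the tree.
            $MS = -join ("FAILED: ", "$username", " on Folder:", "$path", " : ", $_.Exception.Message)
            Write-Warning $MS
            $MS | Out-File $termlog -Append
            [void]$emaillog.Add($MS)
            [void]$emaillog.Add($br)
            continue
        }
        if (-not $wiped) { continue }
        $j++
        $label = if ($path -eq $RootFolder.FullName) { "RootFolder" } else { "SubFolder" }
        Write-Progress -Activity "Wiped $username from ${label}: $path"
        Write-Host "Wiped $username from ${label}: $path"
        $MS = -join ("Wiped: ", "$username", " from ${label}:", "$path")
        $MS | Out-File $termlog -Append
        [void]$emaillog.Add($MS)
        [void]$emaillog.Add($br)
        $found = $true
    }
}

# Mail only when something was actually changed (or failed); '$found = $true' would always be true.
if ($found) {
    Send-MailMessage -From "FolderRevocationReport@DOMAIN.DOMAIN" -To "SERVER@ADMINS.DOMAIN" -Subject "Folder Permission Revocation Log" -Body "The following actions have been taken and logged.<br> Log: '$termlog' <font color='blue'><b><br> $emaillog </b></font>" -BodyAsHtml -SmtpServer YOUR.SMTP.RELAY
}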