Found a solution here: http://voices.canonical.com/tag/windows/
I had to tweak it a bit, but it's working. Whew!
def remove_ace(path,usernames):
"""Remove the ace for the given users."""
if not os.path.exists(path):
raise WindowsError('Path %s could not be found.' % path)
total = 0
for x in usernames:
userx, domain, utype = win32security.LookupAccountName("", x)
sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl()
num_delete = 0
for index in range(0, dacl.GetAceCount()):
ace = dacl.GetAce(index - num_delete)
if userx == ace[2]:
dacl.DeleteAce(index - num_delete)
num_delete += 1
total += 1
if num_delete > 0:
sd.SetSecurityDescriptorDacl(1, dacl, 0)
win32security.SetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION, sd)
if total > 0:
return True