
Assigning simple permissions with icacls


  • Assigning simple permissions with icacls

    I'm having a small problem with icacls..

    I do a /grant user:F on a folder or on files, and icacls reports the changes to be fine.

    However, if I check the permissions using Explorer, I see that my user only has special permissions. Then I go check in the special permissions to see that the special permission assigned to my user is "Full Control".

    Anyone with a bit more icacls experience than me could help me out?

    Thanks
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

  • #2
    Re: Assigning simple permissions with icacls

    The "F" has been granted "On this folder only" - that's why it shows as "Special Permissions". You need to find a way to apply it to "This folder, all subfolders and files".

    I don't have icacls on my PC here; post the result of ICACLS /? and we'll see if there's an option to propagate the permissions down.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: Assigning simple permissions with icacls

      Yeah I just figured that as well. I think /T is the command - but I'm setting up a new VM with 2003 sp2 so I can do some more playing with it - I don't run Vista on my laptop.

      Thanks.
      VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

      Comment


      • #4
        Re: Assigning simple permissions with icacls

        Here is the usage..

        For everyone's information, the proper way to assign a simple permission to a folder, subfolder and files in icacls is by doing

        Code:
        icacls path /grant domain\user:(OI)(CI)F
        This grants my user Full control on the folder with Object and container inherit. Hope this will be useful to someone. See below for full usage.

        I may add that this tool looks much less buggy than xcacls.exe and much faster than xcacls.vbs.

        icacls usage:





        Code:
        Icacls
        Updated: September 28, 2007
        Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. 
        
        For examples of how to use this command, see Examples.
        
        Syntax
        icacls <FileName> [/grant[:r] <Sid>:<Perm>[...]] [/deny <Sid>:<Perm>[...]] [/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<Policy>[...]]
        icacls <Directory> [/substitute <SidOld> <SidNew> [...]] [/restore <ACLfile> [/c] [/l] [/q]]
        Parameters
        Parameter Description 
        <FileName>
         Specifies the file for which to display DACLs.
         
        <Directory>
         Specifies the directory for which to display DACLs.
         
        /t 
         Performs the operation on all specified files in the current directory and its subdirectories.
         
        /c 
         Continues the operation despite any file errors. Error messages will still be displayed.
         
        /l
         Performs the operation on a symbolic link versus its destination.
         
        /q
         Suppresses success messages.
         
        [/save <ACLfile> [/t] [/c] [/l] [/q]]
         Stores DACLs for all matching files into ACLfile for later use with /restore.
         
        [/setowner <Username> [/t] [/c] [/l] [/q]]
         Changes the owner of all matching files to the specified user.
         
        [/findSID <Sid> [/t] [/c] [/l] [/q]]
         Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID).
         
        [/verify [/t] [/c] [/l] [/q]]
         Finds all files with ACLs that are not canonical or have lengths inconsistent with ACE (access control entry) counts.
         
        [/reset [/t] [/c] [/l] [/q]]
         Replaces ACLs with default inherited ACLs for all matching files.
         
        [/grant[:r] <Sid>:<Perm>[...]]
         Grants specified user access rights. Permissions replace previously granted explicit permissions.
        
        Without :r, permissions are added to any previously granted explicit permissions.
         
        [/deny <Sid>:<Perm>[...]]
         Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
         
        [/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q]
         Removes all occurrences of the specified SID from the DACL. 
        
        :g removes all occurrences of granted rights to the specified SID. 
        
        :d removes all occurrences of denied rights to the specified SID.
         
        [/setintegritylevel [(CI)(OI)]<Level>:<Policy>[...]]
         Explicitly adds an integrity ACE to all matching files. Level is specified as:
        
         L[ow]
         
         M[edium]
         
         H[igh]
         
        
        Inheritance options for the integrity ACE may precede the level and are applied only to directories.
         
        [/substitute <SidOld> <SidNew> [...]]
         Replaces an existing SID (SidOld) with a new SID (SidNew). Requires the Directory parameter.
         
        /restore <ACLfile> [/c] [/l] [/q]
         Applies stored DACLs from ACLfile to files in the specified directory. Requires the Directory parameter.
         
        
        Remarks
         SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.
         
         icacls preserves the canonical order of ACE entries as:
        
         Explicit denials
         
         Explicit grants
         
         Inherited denials
         
         Inherited grants
         
         
         Perm is a permission mask that can be specified in one of the following forms:
        
         A sequence of simple rights:
        
        F (full access)
        
        M (modify access)
        
        RX (read and execute access)
        
        R (read-only access)
        
        W (write-only access)
         
         A comma-separated list in parenthesis of specific rights:
        
        D (delete)
        
        RC (read control)
        
        WDAC (write DAC)
        
        WO (write owner)
        
        S (synchronize)
        
        AS (access system security)
        
        MA (maximum allowed)
        
        GR (generic read)
        
        GW (generic write)
        
        GE (generic execute)
        
        GA (generic all)
        
        RD (read data/list directory)
        
        WD (write data/add file)
        
        AD (append data/add subdirectory)
        
        REA (read extended attributes)
        
        WEA (write extended attributes)
        
        X (execute/traverse)
        
        DC (delete child)
        
        RA (read attributes)
        
        WA (write attributes)
         
         
         Inheritance rights may precede either Perm form, and they are applied only to directories:
        
        (OI): object inherit
        
        (CI): container inherit
        
        (IO): inherit only
        
        (NP): do not propagate inherit
         
        
        Examples
        To save the DACLs for all files in the C:\Windows directory and its subdirectories to the ACLFile file, type:
        
        icacls c:\windows\* /save aclfile /t
        To restore the DACLs for every file within ACLFile that exists in the C:\Windows directory and its subdirectories, type:
        
        icacls c:\windows\ /restore aclfile
        To grant the user User1 Delete and Write DAC permissions to a file named "Test1", type:
        
        icacls test1 /grant User1:(d,wdac)
        To grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to a file, named "Test2", type:
        
        icacls test2 /grant *S-1-1-0:(d,wdac)
        Last edited by gepeto; 16th April 2008, 15:08.
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

        Comment
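Added example, not part of any post in this thread: a small Python audit helper that reads an icacls listing for a directory and reports which explicit ACEs apply to "This folder only", the case post #2 describes, as opposed to the `(OI)(CI)` form from post #4. The sample listing, the account names and the function names are constructed for illustration.

```python
import re

# Explorer's "Applies to" label for each set of icacls inheritance flags on a
# directory ACE (OI = object inherit, CI = container inherit, IO = inherit only).
APPLIES_TO = {
    frozenset(): "This folder only",
    frozenset({"OI", "CI"}): "This folder, subfolders and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}
ACE_RE = re.compile(r"(?P<who>[^:()]+):(?P<groups>(?:\([A-Za-z,]+\))+)\s*$")

# Constructed sample of an icacls listing for a directory (not real output).
SAMPLE = r"""C:\Data BUILTIN\Administrators:(I)(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CONTOSO\alice:(F)
        CONTOSO\bob:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""


def parse_ace(text):
    """Parse one ACE as icacls prints it, e.g. CONTOSO\\bob:(OI)(CI)(F)."""
    m = ACE_RE.search(text)
    if not m:
        return None  # blank line or the "Successfully processed" summary
    tokens = [t.upper() for t in re.findall(r"\(([^()]+)\)", m.group("groups"))]
    flags = frozenset(t for t in tokens if t in {"OI", "CI", "IO"})
    rights = [t for t in tokens if t not in {"OI", "CI", "IO", "NP", "I"}]
    return {
        "who": m.group("who").strip(),
        "rights": rights[-1] if rights else "",
        "inherited": "I" in tokens,  # (I) marks an ACE inherited from a parent
        "applies_to": APPLIES_TO.get(flags, "Unknown"),
    }


def folder_only_grants(listing, path):
    """Return accounts whose explicit ACE on `path` will not reach children."""
    found = []
    for line in listing.splitlines():
        if line.startswith(path):
            line = line[len(path):]  # first line is prefixed with the path
        ace = parse_ace(line)
        if ace and not ace["inherited"] and ace["applies_to"] == "This folder only":
            found.append(ace["who"])
    return found
```

Feed it the text printed by `icacls <folder>`; any account it returns was granted rights without `(OI)(CI)`, so files and subfolders below the folder do not inherit that grant.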


        • #5
          Re: Assigning simple permissions with icacls

          Have you tried a tool called "FILEACL"? It's apparently the definitive command-line tool for doing this stuff...


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you

          Comment


          • #6
            Re: Assigning simple permissions with icacls

            No I have not. I will be testing icacls and if it doesn't perform as I want it to I will give FileACL a try.

            iCacls looks good for now though, very flexible.
            VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

            Comment


            • #7
              Re: Assigning simple permissions with icacls

              cacls <FOLDER location> /e /t /g "Domain Admins":F

              This does the trick for me, and I am using cacls for a lot of scripts which I created for some customers. Could you try this and let me know if it works or not?

              Comment
