How do I set folder permissions using cacls to these settings?
Creator Owner, Full Control (subfolders and files only)
Users, traverse folder, create files, create folders (this folder and subfolders)
I can do full control, read, write now, easily, for files and folders, but I don't understand the rest of the more advanced permission settings and how to script them using cacls.
Thanks
There is some detail here
Have you considered the more recent icacls, which I believe is more configurable?
Does it require any installation, like xcacls does?
I have been studying the cacls info page, and all I see is the inherited folder permissions, which look to be what I'm looking for, but I have no idea how to implement them.
This is what I have done for the admin, which gets full control of the folder:
CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /R Administrators:F
That works fine, but now if I wanted to give CREATOR OWNER full control (subfolders and files only), what else would I add? That's where I am getting stuck.
Thanks
Quick correction: in the second line of that code I posted, it should be a /G, not /R.
CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /G Administrators:F
Can someone check this? I saw this written out somewhere, but I couldn't verify that the syntax is correct.
I'm trying to get the creator/owner full control (subfolders and files only).
CACLS "C:\Windows\TEMP" /T /E /G CREATOR OWNER:(OI)(CI)(IO)F
I get an error saying it's an invalid argument. I'm having trouble figuring out how to use the inherited folder permissions.
Thanks
Last edited by Haroon (2010-01-26 14:03:20)
What is the difference between /R (revoke) and /D (deny)?
Firstly, don't use cacls. It's deprecated and probably buggy.
For the specific perms you want, use icacls on Vista/7 (built in), or use subinacl on XP (download).
If you're running Vista or 7, try these commands and let me know...
> icacls "c:\windows\temp" /T /reset
> icacls "c:\windows\temp" /T /grant "creator owner":(OI)(CI)(IO)F
> icacls "c:\windows\temp" /T /grant "users":(WD,AD)
/T traverses files and folders under the specified folder (c:\windows\temp) to apply perms on already existing files/folders.
This switch wouldn't be required if c:\windows\temp was empty.
First command will replace all ACLs with default inherited ACLs. That is, it cleans up whatever mess you've already made. :-)
Second command grants 'creator owner' Full control on subfolders and files only (not 'this folder').
(OI) = Object Inherit (refers to files)
(CI) = Container Inherit (refers to folders)
(IO) = Inherit Only (subfolders and files only. Not this folder)
Third command grants users:
WD = write data/add file
AD = append data/add subdirectory
General note: Please state operating system version when asking questions.
@Haroon "what is the difference between /R (revoke) and /D (Deny) ?"
Example command:
> icacls %windir%\temp
Produces this output...
Access Control List (ACL)
c:\windows\temp ATHLON64\Haroon:(WD,AD) <-- Access Control Entry 1
BUILTIN\Users:(CI)(S,WD,AD,X) <-- ACE 2
BUILTIN\Administrators:(F) <-- ACE 3
BUILTIN\Administrators:(OI)(CI)(IO)(F) etc...
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
The commands:
> icacls %windir%\temp /Q /T /deny Haroon:F
> icacls %windir%\temp
Produce this output:
Successfully processed 114 files; Failed processing 0 files
c:\windows\temp ATHLON64\Haroon:(N) <-- New ACE for Haroon (No access)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
Haroon is now explicitly denied all access to c:\windows\temp.
Even if Haroon were a member of the Administrators group (which has full access (F) in this example), access would still be denied.
A Deny ACE trumps an Allow (grant) ACE.
The commands:
> icacls %windir%\temp /Q /T /remove Haroon
> icacls %windir%\temp
Produce this output:
Successfully processed 114 files; Failed processing 0 files
c:\windows\temp BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
The SID Haroon is no longer listed. Haroon's access to c:\windows\temp now depends on the user's membership in listed groups (Administrators, Users etc...).
If Haroon is not a member of any group that has explicit access (Read, Full, whatever), then the user is implicitly denied all access.
Last edited by Drewfus (2010-02-12 23:12:44)
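The flag decoding in Drewfus's two posts above (the (OI)(CI)(IO) inheritance flags and the WD/AD rights, then the deny-versus-remove walkthrough) can be modelled offline. The following Python is an added example, not code from the thread, from icacls or from Microsoft: it parses ACE lines in the shape icacls prints, translates the inheritance flags into the "Applies to" wording the NTFS permissions dialog uses (this folder only, subfolders and files only, and so on), and computes a user's effective rights on the folder itself with deny entries subtracted from allow entries. The sample listing is the one pasted above with the path column removed; the deny line is constructed, and it assumes icacls marks deny entries with a (DENY) token (the paste above shows (N)). The rights bundled into F, M, RX, R and W follow icacls' documented meanings; the group memberships given to Haroon are assumptions for the demonstration.

```python
"""Decode icacls ACE strings and work out effective access with deny precedence.

Added example for this thread (not from the thread, icacls or Microsoft);
the ACL listing below is the one pasted above, with the path column removed.
"""
import re

# Inheritance flags -> the "Applies to" wording shown in the NTFS permissions GUI.
APPLIES_TO = {
    frozenset():                   "This folder only",
    frozenset({"OI", "CI"}):       "This folder, subfolders and files",
    frozenset({"CI"}):             "This folder and subfolders",
    frozenset({"OI"}):             "This folder and files",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}):       "Subfolders only",
    frozenset({"OI", "IO"}):       "Files only",
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}   # I = inherited from the parent

# icacls simple rights expanded to the specific rights they bundle.
FULL = {"D", "RC", "WDAC", "WO", "S", "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
SIMPLE = {
    "F": FULL,
    "M": FULL - {"WDAC", "WO", "DC"},
    "RX": {"RD", "RA", "REA", "X", "RC", "S"},
    "R": {"RD", "RA", "REA", "RC", "S"},
    "W": {"WD", "AD", "WA", "WEA", "RC", "S"},
    "N": set(),
}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<rest>(?:\([^)]*\))+)$")


def parse_ace(text):
    """'BUILTIN\\Users:(CI)(S,WD,AD,X)' -> (principal, is_deny, inherit flags, rights)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {text!r}")
    groups = re.findall(r"\(([^)]*)\)", m.group("rest"))
    inherit, rights = set(), set()
    for g in groups:
        if g == "DENY":            # assumption: icacls marks deny ACEs with (DENY)
            continue
        if g in INHERIT_FLAGS:
            inherit.add(g)
        else:
            for r in g.split(","):
                rights |= SIMPLE.get(r, {r})
    return m.group("who"), "DENY" in groups, frozenset(inherit), frozenset(rights)


def parse_listing(lines):
    """Parse every non-empty ACE line of one 'icacls <path>' listing."""
    return [parse_ace(line) for line in lines if line.strip()]


def applies_to(inherit):
    """Translate (OI)(CI)(IO) flags into the GUI's 'Applies to' wording."""
    key = frozenset(set(inherit) - {"I", "NP"})
    return APPLIES_TO.get(key, f"unusual combination {sorted(inherit)}")


def effective_rights(aces, user, groups):
    """Rights 'user' ends up with on the folder itself.

    Allow ACEs for the user or any of its groups are unioned, deny ACEs are
    subtracted afterwards (deny wins), and (IO) entries are skipped because
    they do not apply to this folder.
    """
    identities = {user, *groups}
    allowed, denied = set(), set()
    for who, is_deny, inherit, rights in aces:
        if who not in identities or "IO" in inherit:
            continue
        (denied if is_deny else allowed).update(rights)
    return frozenset(allowed - denied)


# Constructed sample: the listing pasted above, minus the leading path.
BEFORE = [
    r"ATHLON64\Haroon:(WD,AD)",
    r"BUILTIN\Users:(CI)(S,WD,AD,X)",
    r"BUILTIN\Administrators:(F)",
    r"BUILTIN\Administrators:(OI)(CI)(IO)(F)",
    r"NT AUTHORITY\SYSTEM:(F)",
    r"NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)",
    r"CREATOR OWNER:(OI)(CI)(IO)(F)",
]
AFTER_DENY = [r"ATHLON64\Haroon:(DENY)(F)"] + BEFORE[1:]   # constructed: what /deny Haroon:F leaves
AFTER_REMOVE = BEFORE[1:]                                   # what /remove Haroon leaves


def demo(groups=(r"BUILTIN\Users", r"BUILTIN\Administrators")):
    """Haroon's effective rights at each stage of the walkthrough above (groups are assumed)."""
    user = r"ATHLON64\Haroon"
    return {stage: sorted(effective_rights(parse_listing(acl), user, groups))
            for stage, acl in (("before", BEFORE), ("deny", AFTER_DENY), ("remove", AFTER_REMOVE))}


if __name__ == "__main__":
    for who, is_deny, inherit, rights in parse_listing(BEFORE):
        print(f"{who:26} {'DENY ' if is_deny else ''}{applies_to(inherit):34} {','.join(sorted(rights))}")
    for stage, rights in demo().items():
        print(f"{stage:7} -> {','.join(rights) or 'no access'}")
```

Running it prints each ACE with its scope, then Haroon's rights at the three stages: full access through the Administrators allow, nothing once the deny entry is present, and full access again after /remove, which is the difference between a deny and a removal that Drewfus describes. Passing a group list without Administrators to demo() shows the last stage collapsing to the Users entry's S, WD, AD and X.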
My bad, I am using Windows XP SP3, so I can't use icacls, and I am having trouble figuring out subinacl, to get it to do what cacls seems to do easily but with some annoying limits.
Thanks
Haroon, try these Subinacl commands:
subinacl /subdirec "c:\windows\temp\*.*" /grant="CREATOR OWNER"=F
subinacl /subdirec=directoriesonly "c:\windows\temp\*.*" /grant=users=W
F = Full Control
W = Write
Thanks Drewfus, been a great help.
That link gets me closer to what I need. I now have the correct settings I need per user, but where can I find the rest of the list of commands, not just full control or write? There isn't much listed here: http://ss64.com/nt/subinacl.html
But also, how do I distinguish between (subfolders and files only), (this folder and subfolders), (this folder only), and (files only)?
I was able to use cacls to set the file permissions. That worked well enough, but cacls sucks for the folder permissions I need.
If you'd like I can post the exact requirements.
Thanks again for your help
Haroon, just be clear for me: did the subinacl commands I gave above help? Did they do what you wanted?
Subinacl install includes subinacl.htm. Print this out and start studying. :-)
"how do i distinguish between (subfolders and files only), (this folder and subfolders), (this folder only), and (files only)"
See subinacl.htm. For example:
/file [=directoriesonly | =filesonly]
/subdirectories | /subdirec [=directoriesonly | =filesonly]
Now for more specific permissions like those you seem to want, you will need to learn the SDDL syntax, or at least set things up as you want in the GUI and then save settings using Subinacl /outputlog=<filename> /display=sddl params. Once saved, use Subinacl /playfile <filename> param to restore.
http://msdn.microsoft.com/en-us/library … S.85).aspx
The other option is to learn Setacl syntax, which can be quite daunting.
http://setacl.sourceforge.net/html/doc-basics.html
However, Setacl can do fine grained settings on NTFS and registry, without requiring use of SDDL.
For files:
•traverse: Traverse folder / execute file
•list_dir: List folder / read data
•read_attr: Read attributes
•read_ea: Read extended attributes
•add_file: Create files / write data
•add_subdir: Create folders / append data
•write_attr: Write attributes
•write_ea: Write extended attributes
•del_child: Delete subfolders and files
•delete: Delete
•read_dacl: Read permissions
•write_dacl: Write permissions
•write_owner: Take ownership
Ex:
SetACL.exe -ot file -on "C:\my dir" -actn ace -ace "n:domain1\user1;p:read,write_dacl"
"if youd like i can post the the exact requirements."
Yes, do that and I'll see if I can give you the exact commands you need.
Last edited by Drewfus (2010-02-16 18:58:46)
I seem to have got a subinacl working using
subinacl /subdirec "%_target%\*.*" /grant="%USERNAME%"=F
and it appears to be changing them.
Not sure if that's the right way to do it, as I want everything inside a given folder or drive.
I messed with SetACL a bit ago and I couldn't get it to work right, but it is very complicated, and I used this:
SetACL.exe -on "%_vista_path%" -ot file -actn ace -ace "n:%USERNAME%;p:full;i:so,sc"
Should the -ace section be underneath like yours or on one line?
BTW, all I'm trying to do is give myself full permissions on a customer's hard drive.
Last edited by Chimaera (2010-02-16 09:56:48)
@Chimaera "should the -ace section be underneath like yours or one line?"
On one line. I've edited the command to now display as a single line.
Also, I placed -ot (object type) before -on (object name), to make it a little more comparable to a Subinacl command.
In your case I think you need to add a reset of child perms, so that the new ace "n:%USERNAME%;p:full" is propagated through the file structure.
Also, inheritance to containers and objects is the default, so you don't actually need i:so,sc.
Try:
SetACL.exe -on "%_vista_path%" -ot file -actn ace -ace "n:%USERNAME%;p:full" -actn rstchldrn -rst "dacl,sacl"
For the folder: %SystemRoot%\RegistrationCRMLog
Permission settings required:
Administrators: Full Control
CREATOR OWNER: Full Control (Subfolders and Files Only)
SYSTEM: Full Control (Subfolders and Files Only)
Users: Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, Create Files, Read Permissions (This Folder only)
Users: Read Data, Read Attributes, Read Extended Attributes, Write Data, Append Data, Write Attributes, Write Extended Attributes, Delete, Read permission (Files Only)
How would I go about setting all of these with subinacl?
Thanks again
What's your best guess so far?
Dude, I'm a little lost now. I went back and reread your posts.
I can't differentiate between subinacl and setacl. What's the difference, and what's better?
I'll be glad to try and figure it out myself and have it checked.
I would stick with subinacl for the time being, as setacl will only confuse you.
Like the commands Drewfus showed you earlier:
subinacl /subdirec "c:\windows\temp\*.*" /grant="CREATOR OWNER"=F
subinacl /subdirec=directoriesonly "c:\windows\temp\*.*" /grant=users=W
Use these as a base and adapt them to the settings you're trying to achieve.
From these you will need to play around and get them working, and it's a guess, but probably an account type per line:
Administrators: Full Control
CREATOR OWNER: Full Control (Subfolders and Files Only)
SYSTEM: Full Control (Subfolders and Files Only)
Users: Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, Create Files, Read Permissions (This Folder only)
Users: Read Data, Read Attributes, Read Extended Attributes, Write Data, Append Data, Write Attributes, Write Extended Attributes, Delete, Read permission (Files Only)
If after some testing subinacl doesn't achieve the job, then you will maybe have to swap to the more powerful setacl, but it is difficult to master.
Hey, thanks man,
that looks friendly enough even for me.
In the code you have above, what is the purpose of the line "/subdirec", and what changes when you add the "=directoriesonly"?
subinacl /?
Usage :
SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]
/options :
/outputlog=FileName /errorlog=FileName
/noverbose /verbose (default)
/notestmode (default) /testmode
/alternatesamserver=SamServer /offlinesam=FileName
/stringreplaceonoutput=string1=string2
/expandenvironmentsymbols (default) /noexpandenvironmentsymbols
/statistic (default) /nostatistic
/dumpcachedsids=FileName /separator=character
/applyonly=[dacl,sacl,owner,group]
/nocrossreparsepoint (default) /crossreparsepoint
/object_type :
/service /keyreg /subkeyreg
/file /subdirectories[=directoriesonly|filesonly]
/clustershare /kernelobject /metabase
/printer /onlyfile /process
/share /samobject
/action :
/display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
/setowner=owner
/replace=[DomainName\]OldAccount=[DomainName\]New_Account
/accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
/migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
/findsid=[DomainName\]Account[=stop|continue]
/suppresssid=[DomainName\]Account
/confirm
/ifchangecontinue
/cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
/testmode
/accesscheck=[DomainName\]Username
/setprimarygroup=[DomainName\]Group
/grant=[DomainName\]Username[=Access]
/deny=[DomainName\]Username[=Access]
/sgrant=[DomainName\]Username[=Access]
/sdeny=[DomainName\]Username[=Access]
/sallowdeny==[DomainName\]Username[=Access]
/revoke=[DomainName\]Username
/perm
/audit
/compactsecuritydescriptor
/pathexclude=pattern
/objectexclude=pattern
/sddl=sddl_string
/objectcopysecurity=object_path
/pathcopysecurity=path_container
Usage : SubInAcl [/option...] /playfile file_name
Usage : SubInAcl /help [keyword]
SubInAcl /help /full
keyword can be :
features usage syntax sids view_mode test_mode object_type
domain_migration server_migration substitution_features editing_features
- or -
any [/option] [/action] [/object_type]
It makes a decision choice between directories or files.
I use the first, e.g.
subinacl /subdirec "c:\windows\temp\*.*" /grant="CREATOR OWNER"=F
which I believe is everything in the main folder and the subs.
Last edited by Chimaera (2010-02-22 14:26:56)