CACLS /iCACLS help


19 Jan 2010 15:14
Haroon

How do I set folder permissions using cacls to these settings?

Creator Owner, Full Control (subfolders and files only)
Users, traverse folder, create files, create folders (this folder and sub folders)

I can do full control, read, and write now, easily, for files and folders, but I don't understand the rest of the more advanced permission settings and how to script them using cacls.

Thanks

----------------------------

#2 19 Jan 2010 19:08
Chimaera


There is some detail here

https://ss64.com/nt/cacls.html

Have you considered the more recent icacls, which I believe is more configurable?

https://ss64.com/nt/icacls.html

----------------------------

#3 19 Jan 2010 19:17
Haroon


Does it require any installation like xcacls does?

----------------------------

#4 19 Jan 2010 19:22
Haroon


I have been studying the cacls info page, and all I see is the inherited folder permissions, which look to be what I'm looking for, but I have no idea how to implement them.
This is what I have done for the admin, which gets full control of the folder:
CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /R Administrators:F

That works fine, but now if I wanted to give CREATOR OWNER full control (subfolders and files only), what else would I add? That's where I am getting stuck.

Thanks

----------------------------

#5 19 Jan 2010 20:08
Haroon


Quick correction: in the second line of that code I posted, it should be a /G, not /R.

Code:

CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /G Administrators:F
----------------------------

#6 26 Jan 2010 17:19
Haroon


Can someone check this? I saw this written out somewhere, but I couldn't verify that the syntax is correct.
I'm trying to get the creator/owner full control (subfolders and files only).

Code:

CACLS "C:\Windows\TEMP" /T /E /G CREATOR OWNER:(OI)(CI)(IO)F
I get an error saying it's an invalid argument. I'm having trouble figuring out how to use the inherited folder permissions.

Thanks

Last edited by Haroon (26 Jan 2010 20:03)

----------------------------

#7 09 Feb 2010 21:24
Haroon


What is the difference between /R (revoke) and /D (deny)?

----------------------------

#8 13 Feb 2010 04:14
Drewfus


Firstly, don't use cacls. It's deprecated and probably buggy.

For the specific perms you want, use icacls on Vista/7 (built in), or use subinacl on XP (download).

If you're running Vista or 7, try these commands and let me know...

Code:

> icacls "c:\windows\temp" /T /reset
> icacls "c:\windows\temp" /T /grant "creator owner":(OI)(CI)(IO)F
> icacls "c:\windows\temp" /T /grant "users":(WD,AD)
/T traverses files and folders under the specified folder (c:\windows\temp) to apply perms to already existing files/folders.
This switch wouldn't be required if c:\windows\temp were empty.

First command will replace all ACLs with default inherited ACLs. That is, it cleans up whatever mess you've already made. :-)

Second command grants 'creator owner' Full control on subfolders and files only (not 'this folder').

(OI) = Object Inherit (refers to files)
(CI) = Container Inherit (refers to folders)
(IO) = Inherit Only (subfolders and files only. Not this folder)

Third command grants users:

WD = write data/add file
AD = append data/add subdirectory

General note: please state the operating system version when asking questions.

----------------------------

#9 13 Feb 2010 04:50
Drewfus


@Haroon "what is the difference between /R (revoke) and /D (Deny) ?"

Example command:

Code:

> icacls %windir%\temp
Produces this output...

Access Control List (ACL)

c:\windows\temp ATHLON64\Haroon:(WD,AD) <-- Access Control Entry 1
BUILTIN\Users:(CI)(S,WD,AD,X) <-- ACE 2
BUILTIN\Administrators:(F) <-- ACE 3
BUILTIN\Administrators:(OI)(CI)(IO)(F) etc...
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

The commands;

Code:

> icacls %windir%\temp /Q /T /deny Haroon:F
> icacls %windir%\temp
Produce this output;
Successfully processed 114 files; Failed processing 0 files

c:\windows\temp ATHLON64\Haroon:(N) <-- New ACE for Haroon (No access)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
Haroon is now explicitly denied all access to c:\windows\temp.
Even if Haroon were a member of the Administrators group (which has full access (F) in this example), access would still be denied.
A Deny ACE trumps an Allow (grant) ACE.

The commands;

Code:

> icacls %windir%\temp /Q /T /remove Haroon
> icacls %windir%\temp
Produce this output;
Successfully processed 114 files; Failed processing 0 files

c:\windows\temp BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
The SID Haroon is no longer listed. Haroon's access to c:\windows\temp now depends on the user's membership in the listed groups (Administrators, Users, etc.).
If Haroon is not a member of any group that has explicit access (Read, Full, whatever), then the user is implicitly denied all access.

Last edited by Drewfus (13 Feb 2010 05:12)
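Added example (not from the thread and not icacls's own code): a small Python model of the ACE syntax decoded in #8 and the deny-versus-remove behaviour shown in #9. It parses a listing in the format icacls prints (the sample below is constructed from the output quoted in #9, after the /deny step), expands (OI)(CI)(IO) into what each entry applies to, and evaluates a principal's access by walking the entries in listed order, so an explicit Deny wins over an Allow obtained through group membership and a principal with no matching entry is implicitly denied. The expansion of the simple rights (F, M, RX, R, W) into specific rights, the trustee and group names, and the `remove_trustee` model of `/remove` are assumptions of the example; confirm real results with `icacls` on your own system.

```python
"""Model of icacls ACE strings: inheritance scope and deny-before-allow.

Added example, not part of the thread. The listing below is constructed
from the output quoted in the thread (state after `/deny Haroon:F`).
"""
import re
from dataclasses import dataclass, field

# Specific rights as icacls abbreviates them.
SPECIFIC = {"DE", "RC", "WDAC", "WO", "S", "AS", "X", "RA", "WA", "RD", "WD",
            "AD", "REA", "WEA", "DC"}

# Simple rights expanded to specific rights. Assumed composition, following
# the Win32 FILE_GENERIC_READ/WRITE/EXECUTE masks plus Modify = those + DE.
_READ = {"RD", "REA", "RA", "RC", "S"}
_WRITE = {"WD", "AD", "WEA", "WA", "RC", "S"}
_EXEC = {"X", "RA", "RC", "S"}
SIMPLE = {
    "R": _READ,
    "W": _WRITE,
    "RX": _READ | _EXEC,
    "M": _READ | _WRITE | _EXEC | {"DE"},
    "F": set(SPECIFIC),
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Optional leading path (only the first line of an icacls listing has one),
# then trustee, then one or more parenthesised tokens.
ACE_RE = re.compile(r"^(?:[A-Za-z]:\S*\s+)?(?P<who>.+?):(?P<rest>(?:\([^)]*\))+)$")

# Constructed sample: the listing quoted in post #9 after the /deny command.
ACL_DENIED = """\
c:\\windows\\temp ATHLON64\\Haroon:(N)
                 BUILTIN\\Users:(CI)(S,WD,AD,X)
                 BUILTIN\\Administrators:(F)
                 BUILTIN\\Administrators:(OI)(CI)(IO)(F)
                 NT AUTHORITY\\SYSTEM:(F)
                 NT AUTHORITY\\SYSTEM:(OI)(CI)(IO)(F)
                 CREATOR OWNER:(OI)(CI)(IO)(F)
"""


@dataclass
class Ace:
    trustee: str
    allow: bool
    rights: set
    flags: set = field(default_factory=set)

    def applies_to(self, target):
        """target: 'folder' (the object itself), 'subfolder' or 'file'."""
        if target == "folder":
            return "IO" not in self.flags      # IO = inherit only, not this folder
        if target == "subfolder":
            return "CI" in self.flags          # CI = container inherit
        if target == "file":
            return "OI" in self.flags          # OI = object inherit
        raise ValueError(target)


def parse_ace(line):
    text = line.split("<--")[0].strip()        # drop any trailing annotation
    m = ACE_RE.match(text)
    if not m:
        return None
    flags, rights, allow = set(), set(), True
    for tok in re.findall(r"\(([^)]*)\)", m.group("rest")):
        if tok in INHERIT_FLAGS:
            flags.add(tok)
        elif tok == "DENY":                    # icacls prints (DENY)(...) for partial denies
            allow = False
        elif tok == "N":                       # (N) = no access, a deny of everything
            allow = False
            rights |= SPECIFIC
        else:
            for r in tok.split(","):
                rights |= SIMPLE.get(r, {r})
    return Ace(m.group("who"), allow, rights, flags)


def parse_acl(listing):
    return [a for a in (parse_ace(l) for l in listing.splitlines()) if a]


def has_access(acl, principal, groups, wanted, target="folder"):
    """Walk ACEs in listed order. A canonical ACL keeps explicit Deny entries
    ahead of Allow entries, so the first matching Deny ends the check; Allows
    accumulate until every requested right is covered."""
    wanted = set(SIMPLE.get(wanted, {wanted}))
    who = {principal, *groups}
    granted = set()
    for ace in acl:
        if ace.trustee not in who or not ace.applies_to(target):
            continue
        if not ace.allow and ace.rights & wanted:
            return False                       # Deny trumps any Allow
        if ace.allow:
            granted |= ace.rights
            if wanted <= granted:
                return True
    return False                               # no matching Allow: implicit deny


def remove_trustee(acl, trustee):
    """Assumed model of `icacls <path> /remove <trustee>`: drop that SID's entries."""
    return [a for a in acl if a.trustee != trustee]


if __name__ == "__main__":
    acl = parse_acl(ACL_DENIED)
    owner = next(a for a in acl if a.trustee == "CREATOR OWNER")
    print("CREATOR OWNER on this folder / subfolders / files:",
          owner.applies_to("folder"), owner.applies_to("subfolder"), owner.applies_to("file"))
    me, groups = "ATHLON64\\Haroon", ["BUILTIN\\Users", "BUILTIN\\Administrators"]
    print("denied user can create a file, even as an admin:", has_access(acl, me, groups, "WD"))
    after = remove_trustee(acl, me)
    print("after /remove, via Users: create file", has_access(after, me, ["BUILTIN\\Users"], "WD"),
          "/ list folder", has_access(after, me, ["BUILTIN\\Users"], "RD"))
```

Run it as-is to see the three behaviours the thread describes: the CREATOR OWNER entry does not apply to the folder itself, the (N) entry blocks Haroon even though Administrators has (F), and after `/remove` Haroon gets only what Users grants (create files and folders, but not list the directory).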