Haroon
How do I set folder permissions using cacls to these settings?
Creator Owner, Full Control (subfolders and files only)
Users, traverse folder, create files, create folders (this folder and sub folders)
I can do full control, read and write easily now for files and folders, but I don't understand the rest of the more advanced permission settings or how to script them using cacls.
Thanks
----------------------------
#2 19 Jan 2010 19:08
Chimaera
There is some detail here
https://ss64.com/nt/cacls.html
Have you considered the more recent icacls, which I believe is more configurable?
https://ss64.com/nt/icacls.html
----------------------------
#3 19 Jan 2010 19:17
Haroon
Does it require any installation like xcacls does?
----------------------------
#4 19 Jan 2010 19:22
Haroon
I have been studying the cacls info page, and all I see is the inherited folder permissions, which look to be what I'm looking for, but I have no idea how to implement them.
This is what I have done for the admin, which gets full control of the folder:
CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /R Administrators:F
That works fine, but now if I wanted to give CREATOR OWNER full control (subfolders and files only), what else would I add? That's where I am getting stuck.
Thanks
----------------------------
#5 19 Jan 2010 20:08
Haroon
Quick correction: in the second line of that code I posted, it should be a /G, not /R.
Code:
CACLS "C:\Windows\TEMP" /T /E /R Administrators
CACLS "C:\Windows\TEMP" /T /E /G Administrators:F
----------------------------
#6 26 Jan 2010 17:19
Haroon
Can someone check this? I saw this written out somewhere, but I couldn't verify that the syntax is correct.
I'm trying to get the creator/owner full control (subfolders and files only).
Code:
CACLS "C:\Windows\TEMP" /T /E /G CREATOR OWNER:(OI)(CI)(IO)F
Thanks
Last edited by Haroon (26 Jan 2010 20:03)
----------------------------
#7 09 Feb 2010 21:24
Haroon
What is the difference between /R (revoke) and /D (deny)?
----------------------------
#8 13 Feb 2010 04:14
Drewfus
Firstly, don't use cacls. It's deprecated and probably buggy.
For the specific perms you want, use icacls on Vista/7 (built in), or use subinacl on XP (download).
If you're running Vista or 7, try these commands and let me know...
Code:
> icacls "c:\windows\temp" /T /reset
> icacls "c:\windows\temp" /T /grant "creator owner":(OI)(CI)(IO)F
> icacls "c:\windows\temp" /T /grant "users":(WD,AD)
This switch wouldn't be required if c:\windows\temp was empty.
First command will replace all ACLs with default inherited ACLs. That is, it cleans up whatever mess you've already made.
Second command grants 'creator owner' Full control on subfolders and files only (not 'this folder').
(OI) = Object Inherit (refers to files)
(CI) = Container Inherit (refers to folders)
(IO) = Inherit Only (subfolders and files only. Not this folder)
Third command grants users:
WD = write data/add file
AD = append data/add subdirectory
General note: please state your operating system version when asking questions.
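The three icacls commands above, applied to a scratch directory and then checked with Get-Acl, as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 or later on Vista or newer and that the account running it creates (and therefore owns) the scratch directory under %TEMP%; it deliberately does not touch C:\Windows\Temp. To match the wording of the original question ("traverse folder ... this folder and subfolders") the Users entry here carries (CI) and X in addition to WD and AD; the explicit Administrators and SYSTEM entries, the scratch path and the check logic are the example's own choices.

```powershell
# Added example, not from the thread. Assumptions: Windows PowerShell 5.1+,
# Vista or later, run by the account that creates the scratch directory (so it
# owns it and can always rewrite its DACL). Nothing here touches C:\Windows\Temp.
$root = Join-Path $env:TEMP ('aclcheck-' + [guid]::NewGuid().ToString('N'))
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
New-Item -ItemType Directory -Path $root | Out-Null

try {
    # Start from an empty DACL so the listing shows only what this script sets.
    icacls $root /inheritance:r | Out-Null
    # Administrators and SYSTEM: full control on this folder, subfolders and files.
    icacls $root /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
    # CREATOR OWNER: full control, subfolders and files only.
    #   (OI) object inherit    = files
    #   (CI) container inherit = folders
    #   (IO) inherit only      = not applied to this folder itself
    icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)F" | Out-Null
    # Users: traverse (X), create files (WD), create folders (AD);
    # "this folder and subfolders" = (CI) without (OI).
    icacls $root /grant "Users:(CI)(X,WD,AD)" | Out-Null
    icacls $root

    # Check the two entries from the question with the .NET ACL objects.
    $acl = Get-Acl -Path $root
    $co = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }
    if ($co.FileSystemRights -ne 'FullControl' -or
        $co.InheritanceFlags -ne 'ContainerInherit, ObjectInherit' -or
        $co.PropagationFlags -ne 'InheritOnly') {
        throw 'CREATOR OWNER is not "Full control, subfolders and files only"'
    }
    $users = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }
    if ($users.InheritanceFlags -ne 'ContainerInherit' -or $users.PropagationFlags -ne 'None') {
        throw 'Users is not scoped to "this folder and subfolders"'
    }

    # What CREATOR OWNER actually does: on a new file the placeholder is replaced
    # by the SID of whoever created it (the file's owner) as an inherited Full
    # control entry, and the placeholder itself is not copied onto files.
    $file = Join-Path $root 'created-here.txt'
    Set-Content -Path $file -Value 'test'
    $fileAcl = Get-Acl -Path $file
    $owner = $fileAcl.Owner
    $mine = @($fileAcl.Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference.Value -eq $owner -and
        $_.FileSystemRights -eq 'FullControl' })
    if ($mine.Count -lt 1) { throw "no inherited Full control entry for owner $owner on $file" }
    if ($fileAcl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' }) {
        throw 'CREATOR OWNER placeholder should not appear on a file'
    }
    icacls $file
    "OK: owner of $file is $owner and holds inherited Full control"
}
finally {
    # Users above has no list-directory (RD) right, so give this account Full
    # control on the root before deleting the scratch tree.
    icacls $root /grant "${me}:F" | Out-Null
    Remove-Item -Path $root -Recurse -Force
}
```

When run from an elevated prompt the owner of the new file is BUILTIN\Administrators rather than the user, so the materialized entry names that group; run it unelevated to see your own account appear on the file.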
----------------------------
#9 13 Feb 2010 04:50
Drewfus
@Haroon "what is the difference between /R (revoke) and /D (Deny) ?"
Example command:
Code:
> icacls %windir%\temp
Access Control List (ACL)
c:\windows\temp ATHLON64\Haroon:(WD,AD) <-- Access Control Entry 1
BUILTIN\Users:(CI)(S,WD,AD,X) <-- ACE 2
BUILTIN\Administrators:(F) <-- ACE 3
BUILTIN\Administrators:(OI)(CI)(IO)(F) etc...
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
The commands;
Code:
> icacls %windir%\temp /Q /T /deny Haroon:F
Successfully processed 114 files; Failed processing 0 files
> icacls %windir%\temp
c:\windows\temp ATHLON64\Haroon:(N) <-- New ACE for Haroon (No access)
                BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(F)
                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
Haroon is now explicitly denied all access to c:\windows\temp.
Even if Haroon were a member of the Administrators group (which has full access (F) in this example), access would still be denied.
A Deny ACE trumps an Allow (grant) ACE.
The commands;
Code:
> icacls %windir%\temp /Q /T /remove Haroon
Successfully processed 114 files; Failed processing 0 files
> icacls %windir%\temp
c:\windows\temp BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(F)
                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
The SID Haroon is no longer listed. Haroon's access to c:\windows\temp now depends on the user's membership in the listed groups (Administrators, Users etc...).
If Haroon is not a member of any group that has explicit access (Read, Full, whatever), then the user is implicitly denied all access.
Last edited by Drewfus (13 Feb 2010 05:12)
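The /deny versus /remove behaviour described in the post above, reproduced on a scratch file with the account running the script as the principal, as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 or later on Vista or newer and that the running account creates the scratch file, so it owns it: an owner keeps READ_CONTROL and WRITE_DAC regardless of the DACL, which is what lets the script rewrite the ACL after denying itself. The Test-CanRead helper, the scratch path and the use of /remove:d (deny entries only) are the example's own choices.

```powershell
# Added example, not from the thread. Assumptions: Windows PowerShell 5.1+,
# Vista or later; the running account creates and therefore owns the scratch
# file, so it can still edit the DACL after denying itself all access.
$root = Join-Path $env:TEMP ('denycheck-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$file = Join-Path $root 'secret.txt'
Set-Content -Path $file -Value 'hello'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Try to read the file; report $false only for an access-denied failure,
# anything else (missing file etc.) is a real error and propagates.
function Test-CanRead([string]$Path) {
    try { [System.IO.File]::ReadAllText($Path) | Out-Null; return $true }
    catch [System.UnauthorizedAccessException] { return $false }
}

try {
    # Baseline: readable through the inherited allow entries (owner/Administrators).
    if (-not (Test-CanRead $file)) { throw "expected to read $file before the deny" }

    # /deny adds an explicit Deny ACE, shown as (N). Deny entries are evaluated
    # before allow entries, so it wins over every allow the account holds
    # directly or through group membership, Administrators included.
    icacls $file /deny "${me}:F" | Out-Null
    icacls $file
    if (Test-CanRead $file) { throw "Deny ACE did not block reading $file" }

    # /remove:d deletes only the deny entries for that SID (/remove without :d
    # deletes its allow entries too). Access then falls back to whatever the
    # remaining entries grant; with no matching entry at all the account would
    # be implicitly denied.
    icacls $file /remove:d "$me" | Out-Null
    icacls $file
    if (-not (Test-CanRead $file)) { throw 'removing the deny did not restore access' }
    "OK: /deny blocked access, /remove:d restored it"
}
finally {
    # Never leave a self-deny behind, even if a check above threw.
    icacls $file /remove:d "$me" 2>$null | Out-Null
    Remove-Item -Path $root -Recurse -Force
}
```

The same ordering rule explains the output in the post: the explicit (N) entry for Haroon sits first in the listing, ahead of the group allows, so membership in Administrators cannot help while it is present.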