
How can I use icacls to achieve the same deny results as with the



Guest Pelle Plutt
Posted

I have been trying to use icacls to automate setting a deny write+delete for

Everyone to avoid modifying a "gold master" folder.

Unfortunately I have been unable to get it to work.

Here's what I did:

I created one folder xxx and another yyy.

Using the Security tab of the Properties dialog for xxx, I added an entry

for everyone and checked deny for

Create files / write data

Create folders / append data

Write attributes

Write extended attributes

Delete subfolders and files

Delete

 

This now works fine - I can browse into the xxx folder, list files but not

change or delete stuff.

 

Using icacls to list the ACL this comes out as:

 

Everyone:(OI)(CI)(DENY)(W,D,DC)

BUILTIN\Administrators:(I)(F)

BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)

NT AUTHORITY\SYSTEM:(I)(F)

NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)

BUILTIN\Users:(I)(OI)(CI)(RX)

NT AUTHORITY\Authenticated Users:(I)(M)

NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

 

So then I used icacls on the yyy folder:

icacls yyy /deny everyone:(OI)(CI)(W,D,DC)

 

The folder security properties (GUI) look exactly like the one for xxx.

icacls also reports back the exact same list.

However: It does not work. I cannot open the folder in Explorer or CD into

the folder on the command line. I have lost my read/list rights.

 

So: there is something fishy with the GUI and icacls because if I use the

old cacls I get an additional piece of information that I don't know how to

interpret:

 

xxx Everyone:(OI)(CI)(DENY)(special access:)

DELETE

FILE_WRITE_DATA

FILE_APPEND_DATA

FILE_WRITE_EA

FILE_DELETE_CHILD

FILE_WRITE_ATTRIBUTES

 

yyy Everyone:(OI)(CI)(DENY)(special access:)

DELETE

SYNCHRONIZE

FILE_WRITE_DATA

FILE_APPEND_DATA

FILE_WRITE_EA

FILE_DELETE_CHILD

FILE_WRITE_ATTRIBUTES

 

A-ha! Where did that deny: synchronize come from? Is that my problem? How do

I get rid of it?

 

Unfortunately I cannot use the old cacls as it has no deny mode to deny some

particular rights for a user.

 

Help.

 

/Per


Guest Pelle Plutt
Posted

Additional info:

Using icacls /save and viewing the "dump files", the difference between the

folders comes out like this:

 

xxx

D:AI(D;OICI;DCLCRPDTCRSD;;;WD)(A;...

- the rest of the data is the same as for yyy

 

yyy

D:AI(D;OICI;0x110156;;;WD)(A;...
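
Added example, not part of the original posts: a small Python decoder for the rights field of the first (deny) ACE in the two icacls /save dumps quoted above, listing the access bits each entry carries and the bit that is present only on yyy. The code table covers only the bit-level two-letter SDDL codes, and all function names are illustrative.

```python
import re

# SDDL two-letter right codes mapped to access-mask bits (bit-level codes only).
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000,
    "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# File/directory meaning of each access-mask bit.
FILE_BITS = {
    0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
    0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def first_ace(sddl):
    """Return (type, flags, rights, trustee) of the first complete ACE."""
    m = re.search(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)", sddl)
    if not m:
        raise ValueError("no complete ACE found")
    return m.groups()

def rights_to_mask(rights):
    """Convert an ACE rights field (hex number or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights string: " + rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown code
    return mask

def mask_names(mask):
    """Names of the file access rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_BITS.items()) if mask & bit]

# The two dumps exactly as posted above (truncated after the first ACE).
XXX = "D:AI(D;OICI;DCLCRPDTCRSD;;;WD)(A;..."
YYY = "D:AI(D;OICI;0x110156;;;WD)(A;..."

def extra_denied(a, b):
    """Rights denied by the first ACE of b but not by the first ACE of a."""
    ma, mb = (rights_to_mask(first_ace(s)[2]) for s in (a, b))
    return mask_names(mb & ~ma)

if __name__ == "__main__":
    print("denied only on yyy:", extra_denied(XXX, YYY))
```

The decoded masks are 0x10156 for xxx and 0x110156 for yyy, which matches the two right lists cacls printed.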
