How can I use icacls to achieve the same deny results as with the

Posted: 01-20-2009, 08:25 AM
I have been trying to use icacls to automate setting a deny write+delete for
Everyone to avoid modifying a "gold master" folder.
Unfortunately I have been unable to get it to work.
Here's what I did:
I created one folder xxx and another yyy.
Using the Security tab of the Properties dialog for xxx, I added an entry
for everyone and checked deny for
* Create files / write data
* Create folders / append data
* Write attributes
* Write extended attributes
* Delete subfolders and files
* Delete

This now works fine - I can browse into the xxx folder, list files but not
change or delete stuff.

Using icacls to list the ACL this comes out as:

Everyone:(OI)(CI)(DENY)(W,D,DC)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

So then I used icacls on the yyy folder:
icacls yyy /deny everyone:(OI)(CI)(W,D,DC)

The folder security properties (GUI) look exactly like the one for xxx.
icacls also reports back the exact same list.
However: It does not work. I cannot open the folder in Explorer or CD into
the folder on the command line. I have lost my read/list rights.

So: there is something fishy with the GUI and icacls because if I use the
old cacls I get an additional piece of information that I don't know how to
interpret:

xxx Everyone:(OI)(CI)(DENY)(special access:)
DELETE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES

yyy Everyone:(OI)(CI)(DENY)(special access:)
DELETE
SYNCHRONIZE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES

A-ha! Where did that deny: synchronize come from? Is that my problem? How do
I get rid of it?

Unfortunately I cannot use the old cacls as it has no deny mode to deny some
particular rights for a user.

Help.

/Per

Responses to "How can I use icacls to achieve the same deny results as with the"

Pelle Plutt
RE: How can I use icacls to achieve the same deny results as with the
Posted: 01-20-2009, 08:47 AM
Additional info:
Using icacls /save and viewing the "dump files", the difference between the
folders comes out like this:

xxx
D:AI(D;OICI;DCLCRPDTCRSD;;;WD)(A;...
- the rest of the data is the same as for yyy

yyy
D:AI(D;OICI;0x110156;;;WD)(A;...
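
The two deny ACEs from the icacls /save dumps above can be compared bit by bit. This is an added example, not part of the original thread: the function names are hypothetical, the bit values are the file access-mask constants from winnt.h and the standard SDDL rights tokens, and generic tokens such as GA or FA are not handled.

```python
import re

# File/directory access-mask bits (winnt.h), named the way cacls prints them.
FILE_BITS = {
    0x000001: "FILE_READ_DATA",    0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA",  0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA",     0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES",
    0x010000: "DELETE",            0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",         0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# SDDL two-letter rights tokens and the bit each one stands for.
SDDL_TOKENS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}

def ace_mask(ace):
    """Return the access mask of one SDDL ACE such as '(D;OICI;0x110156;;;WD)'."""
    rights = ace.strip("()").split(";")[2]      # third field holds the rights
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", rights):
        return int(rights, 16)                  # numeric form, as for yyy
    mask = 0
    for token in re.findall("..", rights):      # token form, as for xxx
        mask |= SDDL_TOKENS[token]
    return mask

def names(mask):
    """List the names of the bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_BITS.items()) if mask & bit]

def extra_rights(gui_ace, cli_ace):
    """Rights denied by cli_ace that gui_ace does not deny."""
    return names(ace_mask(cli_ace) & ~ace_mask(gui_ace))

if __name__ == "__main__":
    xxx = "(D;OICI;DCLCRPDTCRSD;;;WD)"   # from the thread, set via the GUI
    yyy = "(D;OICI;0x110156;;;WD)"       # from the thread, set via icacls
    print(hex(ace_mask(xxx)), names(ace_mask(xxx)))
    print(hex(ace_mask(yyy)), "extra:", extra_rights(xxx, yyy))
```

The only bit in yyy's mask that xxx lacks is 0x100000, which is the SYNCHRONIZE entry cacls listed for yyy.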


 