How can I use icacls to achieve the same deny results as with the
Posted: 01-20-2009, 08:25 AM
Everyone to avoid modifying a "gold master" folder.
Unfortunately I have been unable to get it to work.
Here's what I did:
I created one folder xxx and another yyy.
Using the Security tab of the Properties dialog for xxx, I added an entry
for everyone and checked deny for
* Create files / write data
* Create folders / append data
* Write attributes
* Write extended attributes
* Delete subfolders and files
This now works fine - I can browse into the xxx folder, list files but not
change or delete stuff.
Using icacls to list the ACL this comes out as:
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
So then I used icacls on the yyy folder:
icacls yyy /deny everyone:(OI)(CI)(W,D,DC)
The folder security properties (GUI) look exactly like the one for xxx.
icacls also reports back the exact same list.
However: It does not work. I cannot open the folder in Explorer or CD into
the folder on the command line. I have lost my read/list rights.
So: there is something fishy with the GUI and icacls because if I use the
old cacls I get an additional piece of information that I don't know how to
xxx Everyone:(OI)(CI)(DENY)(special access
yyy Everyone:(OI)(CI)(DENY)(special access
A-ha! Where did that deny: synchronize come from? Is that my problem? How do
I get rid of it?
Unfortunately I cannot use the old cacls as it has no deny mode to deny some
particular rights for a user.
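Added example, not part of the original post: a small Python model of the two deny masks described above, showing which denied bits collide with a folder listing and building a deny argument from specific rights only. It assumes that the icacls simple right W carries SYNCHRONIZE along with the write bits (consistent with the "deny: synchronize" the poster saw in cacls) and that listing a folder requests SYNCHRONIZE together with list access; the helper names are hypothetical.

```python
# Access-mask bits from winnt.h, keyed by icacls specific-right abbreviation.
RIGHTS = {
    "RD": 0x000001,   # list folder / read data
    "WD": 0x000002,   # create files / write data
    "AD": 0x000004,   # create folders / append data
    "WEA": 0x000010,  # write extended attributes
    "DC": 0x000040,   # delete subfolders and files
    "WA": 0x000100,   # write attributes
    "DE": 0x010000,   # delete
    "S": 0x100000,    # synchronize
}

def mask(*names):
    """Combine right abbreviations into one access mask."""
    m = 0
    for n in names:
        m |= RIGHTS[n]
    return m

def names(m):
    """List the abbreviations whose bit is set in the mask."""
    return [n for n, bit in RIGHTS.items() if m & bit]

# The five boxes ticked in the Security tab for folder xxx.
GUI_DENY = mask("WD", "AD", "WA", "WEA", "DC")

# Assumption: simple right W = the write bits plus SYNCHRONIZE.
SIMPLE_W = mask("WD", "AD", "WA", "WEA", "S")
# What "(W,D,DC)" on folder yyy would then deny.
ICACLS_DENY = SIMPLE_W | mask("DE", "DC")

# Assumption: entering/listing a folder asks for list access plus SYNCHRONIZE.
LIST_FOLDER = mask("RD", "S")

def blocked(deny, requested):
    """Rights in the request that a deny entry with this mask refuses."""
    return names(deny & requested)

def deny_argument(principal, m):
    """icacls /deny argument using specific rights only (no simple W)."""
    return "%s:(OI)(CI)(%s)" % (principal, ",".join(names(m)))

if __name__ == "__main__":
    print("GUI deny blocks on list:   ", blocked(GUI_DENY, LIST_FOLDER))
    print("icacls deny blocks on list:", blocked(ICACLS_DENY, LIST_FOLDER))
    print("extra bits from (W,D,DC):  ", names(ICACLS_DENY & ~GUI_DENY))
    print("icacls yyy /deny", deny_argument("Everyone", GUI_DENY))
```
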