Thread: ICACLS expertise
2018-06-18, 01:50 #1
ICACLS expertise
I have to set up a new NTFS drive (well, a bunch of them) on a server from scratch, and wish to use ICACLS (in a BATch file, of course) to set up the security permissions correctly. On one drive, a couple of folders need to have different security permissions - Users needs to be read-and-execute and a couple of local groups need full access.
I have come up with a set of ICACLS commands, and would like someone knowledgeable in the use of ICACLS to comment on them. I only use ICACLS about once every few years, so am fairly ignorant in this arcane field.
Code:
set drv=U:
set fol=TopLevel
echo.
echo Resetting ACL on %drv% (can be very slow)
icacls %drv% /reset /t /q
icacls %drv% /grant:r BUILTIN\Users:(OI)(CI)(F)
icacls %drv%
set sub=LowerLevel
echo Setting access on "%fol%\%sub%" folder
icacls "%drv%\%fol%\%sub%" /inheritance:d
icacls "%drv%\%fol%\%sub%" /remove:g BUILTIN\Users
icacls "%drv%\%fol%\%sub%" /grant BUILTIN\Users:(OI)(CI)(RX)
icacls "%drv%\%fol%\%sub%" /grant LocalGroup1:(OI)(CI)(F)
icacls "%drv%\%fol%\%sub%" /grant LocalGroup2:(OI)(CI)(F)
icacls "%drv%\%fol%\%sub%"
BATcher
If it goes right, nobody remembers;
if it goes wrong, nobody forgets.
2018-06-18, 08:25 #2
The remove is not required if you make the second grant a replace. Same goes for the inheritance. (/grant:r)
Pipe the last icacls to your log.
I have seen permission changes fail due to broken permissions, a lot - admins needing to take ownership and then put the correct permissions in - so a reset on the whole drive may not work. I use a robocopy to nul to test - log errors only - easier than reading permissions and looking for oddness.
cheers, Paul
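Added example, not BATcher's batch file or Paul's own script: the folder section reworked along the lines of the three suggestions above (replace with /grant:r instead of /remove:g, send the final icacls to a log, and run a list-only robocopy to NUL afterwards so that only access errors reach the log). The drive letter, folder names, group names and log path are placeholders.

```batch
@echo off
setlocal
REM Constructed example: drive, folder, group and log names are assumptions, not the thread's real ones.
set "drv=U:"
set "fol=TopLevel"
set "sub=LowerLevel"
set "log=%TEMP%\acl-setup.log"

echo Setting default access on %drv%\ (replace, not add)
REM /grant:r replaces any existing explicit ACE for BUILTIN\Users instead of merging with it.
REM %drv%\ is left unquoted on purpose: "U:\" would have its backslash swallow the closing quote.
icacls %drv%\ /grant:r BUILTIN\Users:(OI)(CI)(F) /c >> "%log%"

echo Setting access on "%drv%\%fol%\%sub%"
REM /inheritance:d copies the inherited ACEs onto the folder as explicit ones and stops
REM further inheritance, so the /grant:r that follows replaces the now-explicit Users ACE.
REM No /remove:g step is needed.
icacls "%drv%\%fol%\%sub%" /inheritance:d /c >> "%log%"
icacls "%drv%\%fol%\%sub%" /grant:r BUILTIN\Users:(OI)(CI)(RX) /c >> "%log%"
icacls "%drv%\%fol%\%sub%" /grant:r LocalGroup1:(OI)(CI)(F) /c >> "%log%"
icacls "%drv%\%fol%\%sub%" /grant:r LocalGroup2:(OI)(CI)(F) /c >> "%log%"

REM Record the resulting ACL in the log instead of on screen.
icacls "%drv%\%fol%\%sub%" >> "%log%"

echo Checking for paths that could not be read (errors only)
REM /L lists without copying and NUL as destination means nothing is written anyway.
REM /NFL /NDL /NJH /NJS suppress the listings and headers, so only ERROR lines reach the log.
REM /R:0 /W:0 stop robocopy retrying on each inaccessible folder.
robocopy %drv%\ NUL /L /E /R:0 /W:0 /NFL /NDL /NJH /NJS /LOG+:"%log%"

findstr /c:"ERROR" "%log%" && echo Access problems found, see "%log%"
endlocal
```

A folder robocopy cannot read shows up as an ERROR 5 line against that path in the log, which points straight at the broken permissions Paul mentions rather than requiring a read of every ACL.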
2018-06-19, 02:46 #3
Thanks, Paul - very helpful.
I'll rework these commands to follow your suggestions.
BATcher
If it goes right, nobody remembers;
if it goes wrong, nobody forgets.
2018-06-20, 03:38 #4
Just out of interest, I found that (the free version of) NTFS Permissions Reporter was the most useful for, err, displaying NTFS permissions.
BATcher
If it goes right, nobody remembers;
if it goes wrong, nobody forgets.
2018-06-22, 06:01 #5
When actually running the batch file, I found:
1) icacls %drv% /reset /t /q
would not run, because "this operation is not allowed"
ANSWER: don't try to run it!
2) for some folders, when trying to do the "/grant" functions, the message
"No mapping between account names and security IDs was done"
was issued, perhaps multiple times
ANSWER: had to go into the Properties -> Security GUI and delete any SIDs which had not resolved to account names, and write through lower files and folders
The good news is that it runs surprisingly rapidly!
BATcher
If it goes right, nobody remembers;
if it goes wrong, nobody forgets.
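Added example, not part of the thread: a pre-flight scan that lists the orphaned SIDs behind the "No mapping between account names and security IDs" message before the /grant step is run, so they can be reviewed and cleaned up (as BATcher did through the Security tab) instead of being discovered one error at a time. It relies on icacls printing any account it cannot resolve as the raw SID. Drive, folder and report paths are placeholders.

```batch
@echo off
setlocal
REM Constructed example: drive, folder and report names are assumptions, not the thread's real ones.
set "drv=U:"
set "fol=TopLevel"
set "report=%TEMP%\unresolved-sids.log"

echo Scanning "%drv%\%fol%" for ACEs whose SID no longer resolves to an account name
REM icacls shows a resolvable account as DOMAIN\name and an unresolvable one as S-1-5-21-...,
REM so a regex for the raw form isolates exactly the entries that make /grant fail.
REM /t recurses into every file and folder, /c keeps going past access-denied errors.
icacls "%drv%\%fol%" /t /c | findstr /r /c:"S-1-[0-9][0-9-]*:" > "%report%"

REM findstr returns 0 when at least one line matched, 1 when nothing matched.
if %errorlevel% equ 0 (
    echo Unresolved SIDs found; review "%report%" before running the /grant step
    type "%report%"
) else (
    echo No unresolved SIDs found under "%drv%\%fol%"
)
endlocal
```

Each report line pairs a path with the raw SID and its flags, which is enough to decide whether the entry is a leftover from a deleted account or a domain that is merely unreachable at the moment. Once an entry has been confirmed as dead, icacls can remove it by SID with the numeric form prefixed by an asterisk, e.g. /remove:g *S-1-5-21-... together with /t, which is the command-line equivalent of deleting it in the Security GUI.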
2018-06-23, 02:08 #6
Welcome to the world of broken Windows security!
cheers, Paul