  1. #1
    Super Moderator BATcher

    ICACLS expertise

    I have to set up a new NTFS drive (well, a bunch of them) on a server from scratch, and wish to use ICACLS (in a BATch file, of course) to set up the security permissions correctly. On one drive, a couple of folders need to have different security permissions - Users needs to be read-and-execute and a couple of local groups need full access.

    I have come up with a set of ICACLS commands, and would like someone knowledgeable in the use of ICACLS to comment on them. I only use ICACLS about once every few years, so am fairly ignorant in this arcane field.
    Code:
    set drv=U:
    set fol=TopLevel

    echo.
    echo Resetting ACL on %drv% (can be very slow)
    rem Reset the whole drive to inherited defaults; /t recurses, /q suppresses success messages
    icacls %drv% /reset /t /q

    rem Replace (:r) any existing explicit Users ACE with full control, inherited by files (OI) and subfolders (CI)
    icacls %drv% /grant:r BUILTIN\Users:(OI)(CI)(F)
    rem Display the resulting drive ACL
    icacls %drv%

    set sub=LowerLevel
    echo Setting access on "%fol%\%sub%" folder
    rem Copy the inherited ACEs onto the folder, then stop inheriting from the drive
    icacls "%drv%\%fol%\%sub%" /inheritance:d
    rem Drop the copied Users full-control grant and re-add Users as read-and-execute
    icacls "%drv%\%fol%\%sub%" /remove:g BUILTIN\Users
    icacls "%drv%\%fol%\%sub%" /grant    BUILTIN\Users:(OI)(CI)(RX)
    icacls "%drv%\%fol%\%sub%" /grant    LocalGroup1:(OI)(CI)(F)
    icacls "%drv%\%fol%\%sub%" /grant    LocalGroup2:(OI)(CI)(F)
    rem Display the resulting folder ACL
    icacls "%drv%\%fol%\%sub%"
    BATcher

    Talking to laser printers can be very effective.
    You just need the right toner voice...

  2. #2
    WS Lounge VIP
    The remove is not required if you make the second grant a replace. Same goes for the inheritance. (/grant:r)
    Pipe the last icacls to your log.

    I have seen permission changes fail due to broken permissions, a lot - admins needing to take ownership and then put the correct permissions in - so a reset on the whole drive may not work. I use a robocopy to nul to test - log errors only - easier than reading permissions and looking for oddness.

    cheers, Paul
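A reworked version of the post #1 steps that applies all three of Paul's suggestions (a replace grant instead of remove-then-grant, the final icacls piped to a log, and a read-only robocopy sweep first). This is an added example, not code from either poster; the drive, folder and group names are the thread's placeholders, and the robocopy switches, temp paths and exit-code handling are my choices.

```batch
@echo off
setlocal
rem Assumed names, matching the thread's example; adjust for the real server.
set "drv=U:"
set "fol=TopLevel"
set "sub=LowerLevel"
set "target=%drv%\%fol%\%sub%"
set "log=%TEMP%\acl-%fol%-%sub%.log"

rem 1) Read-only sweep before touching anything: robocopy /L lists what it
rem    would copy without copying, so any ERROR line is a file or folder the
rem    current account cannot even open (typically a broken ACL or ownership).
rem    /R:0 /W:0 no retries; /NJH /NJS /NP /NFL /NDL keep only errors in the log.
rem    The destination is a throwaway name; /L never writes to it.
robocopy "%target%" "%TEMP%\robocopy-listonly" /L /E /R:0 /W:0 /NJH /NJS /NP /NFL /NDL /LOG:"%TEMP%\acl-precheck.log"
if %ERRORLEVEL% GEQ 8 (
    echo Precheck found unreadable items - see "%TEMP%\acl-precheck.log"
    findstr /c:"ERROR" "%TEMP%\acl-precheck.log"
    exit /b 1
)

rem 2) Copy the inherited ACEs onto the folder and stop inheriting, so the
rem    drive-wide Users full-control ACE no longer flows in.
icacls "%target%" /inheritance:d || goto :fail

rem 3) /grant:r replaces every explicit Users ACE with this one, so the
rem    separate /remove:g step of the original script is not needed.
icacls "%target%" /grant:r "BUILTIN\Users:(OI)(CI)(RX)" || goto :fail
icacls "%target%" /grant "LocalGroup1:(OI)(CI)(F)" || goto :fail
icacls "%target%" /grant "LocalGroup2:(OI)(CI)(F)" || goto :fail

rem 4) Record the resulting ACLs for the whole subtree in the log
rem    (/t walks the tree, /c continues past individual errors).
icacls "%target%" /t /c > "%log%"
echo ACLs written to "%log%"
exit /b 0

:fail
echo icacls failed with errorlevel %ERRORLEVEL% - stopping before the next step
exit /b 1
```

Robocopy exit codes of 8 or above mean at least one item could not be processed, which in list-only mode can only be a read or access failure, so the script refuses to change ACLs until that is sorted out. Each icacls line stops the script on a non-zero exit code so a failed inheritance change is never followed by grants that assume it succeeded.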

  3. #3
    Super Moderator BATcher
    Thanks, Paul - very helpful.

    I'll rework these commands to follow your suggestions.
    BATcher

  4. #4
    Super Moderator BATcher
    Just out of interest, I found that (the free version of) NTFS Permissions Reporter was the most useful for, err, displaying NTFS permissions.
    BATcher

  5. #5
    Super Moderator BATcher
    When actually running the batch file, I found:

    1) icacls %drv% /reset /t /q
    would not run, because "this operation is not allowed"
    ANSWER: don't try to run it!

    2) for some folders, when trying to do the "/grant" functions, the message
    "No mapping between account names and security IDs was done"
    was issued, perhaps multiple times
    ANSWER: had to go into the Properties -> Security GUI and delete any SIDs which had not resolved to account names, and write through lower files and folders

    The good news is that it runs surprisingly rapidly!
    BATcher
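A pre-check for the second problem described above, added here as an example and not BATcher's or Paul's code. icacls prints a trustee as DOMAIN\Name when it can resolve the account and as a raw SID when it cannot, so the script lists every ACE under the tree whose trustee is an unresolved account SID (the S-1-5-21- prefix; an assumption that covers domain and local accounts but not other SID families) before any /grant is attempted. Drive and folder names are the thread's placeholders; the report path and the PLACEHOLDER SID are mine.

```batch
@echo off
setlocal
rem Assumed names from the thread; change for the real drive and folder.
set "drv=U:"
set "fol=TopLevel"
set "report=%TEMP%\orphaned-sids.txt"

rem Walk the whole tree (/t), keep going past errors (/c, errors to nul),
rem and keep only lines whose trustee is a raw account SID.
icacls "%drv%\%fol%" /t /c 2>nul | findstr /c:"S-1-5-21-" > "%report%"

rem Count the matching lines (find /c /v "" prints only the number when fed by a pipe).
set "count=0"
for /f %%N in ('type "%report%" ^| find /c /v ""') do set "count=%%N"

if "%count%"=="0" (
    echo No unresolved SIDs under "%drv%\%fol%" - safe to run the /grant steps
    exit /b 0
)

echo %count% ACEs carry unresolved SIDs - details in "%report%":
type "%report%"
echo.
echo Remove each listed SID before granting, e.g. for SID S-1-5-21-PLACEHOLDER:
echo   icacls "%drv%\%fol%" /remove *S-1-5-21-PLACEHOLDER /t /c
exit /b 1
```

The leading asterisk tells icacls that a numeric SID rather than an account name follows, which is the command-line equivalent of deleting the unresolved entry in the Security tab; an inherited copy of such an ACE can only be removed on the folder where it is explicit, which is why the report shows the full path of every occurrence.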

  6. #6
    WS Lounge VIP
    Welcome to the world of broken Windows security!

    cheers, Paul
