Pelle Plutt
I have been trying to use icacls to automate setting a deny write+delete for
Everyone to avoid modifying a "gold master" folder.
Unfortunately I have been unable to get it to work.
Here's what I did:
I created one folder xxx and another yyy.
Using the Security tab of the Properties dialog for xxx, I added an entry
for everyone and checked deny for
* Create files / write data
* Create folders / append data
* Write attributes
* Write extended attributes
* Delete subfolders and files
* Delete
This now works fine - I can browse into the xxx folder, list files but not
change or delete stuff.
Using icacls to list the ACL this comes out as:
Everyone:(OI)(CI)(DENY)(W,D,DC)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
So then I used icacls on the yyy folder:
icacls yyy /deny everyone:(OI)(CI)(W,D,DC)
The folder security properties (GUI) look exactly like the one for xxx.
icacls also reports back the exact same list.
However: It does not work. I cannot open the folder in Explorer or CD into
the folder on the command line. I have lost my read/list rights.
So: there is something fishy with the GUI and icacls because if I use the
old cacls I get an additional piece of information that I don't know how to
interpret:
xxx Everyone:(OI)(CI)(DENY)(special access:
DELETE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES
yyy Everyone:(OI)(CI)(DENY)(special access:
DELETE
SYNCHRONIZE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES
A-ha! Where did that deny: synchronize come from? Is that my problem? How do
I get rid of it?
Unfortunately I cannot use the old cacls as it has no deny mode to deny some
particular rights for a user.
Help.
/Per
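The following PowerShell is an added example for readers of this thread; it is not code from the original post. It takes the two cacls right lists quoted above exactly as written, computes their access masks and names the bit that differs (SYNCHRONIZE), gives a check that lists any Deny ACE on a folder whose mask carries SYNCHRONIZE (a deny on that bit is hit by the ordinary synchronous opens that Explorer and CD perform, which is the "lost my read/list rights" symptom), and shows how to add the same six-right Deny ACE the GUI builds, with each right spelled out through the .NET FileSystemRights enum rather than the generic W shorthand. The path C:\yyy is a placeholder assumed here, not a value from the post. The icacls specific-right tokens (WD, AD, WEA, WA, DC, D) mentioned in the closing comment are the ones icacls documents in its own help output.

```powershell
# Added example, not from the original post. Decodes the deny ACEs the poster
# quoted from cacls, audits a folder for Deny ACEs that carry SYNCHRONIZE, and
# applies an explicit six-right deny without generic-right expansion.
# 'C:\yyy' below is a placeholder path (assumption, not from the post).

# Access-mask bits as defined in winnt.h.
$Rights = [ordered]@{
    FILE_READ_DATA        = 0x00000001
    FILE_WRITE_DATA       = 0x00000002
    FILE_APPEND_DATA      = 0x00000004
    FILE_READ_EA          = 0x00000008
    FILE_WRITE_EA         = 0x00000010
    FILE_EXECUTE          = 0x00000020
    FILE_DELETE_CHILD     = 0x00000040
    FILE_READ_ATTRIBUTES  = 0x00000080
    FILE_WRITE_ATTRIBUTES = 0x00000100
    DELETE                = 0x00010000
    READ_CONTROL          = 0x00020000
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    SYNCHRONIZE           = 0x00100000
}

function ConvertTo-AccessMask {
    # Build a numeric access mask from a list of winnt.h right names.
    param([Parameter(Mandatory)][string[]]$Names)
    [int64]$mask = 0
    foreach ($n in $Names) { $mask = $mask -bor $Rights[$n] }
    $mask
}

function ConvertTo-RightNames {
    # Name every bit set in $Mask, in winnt.h order.
    param([Parameter(Mandatory)][int64]$Mask)
    foreach ($name in $Rights.Keys) {
        if (($Mask -band $Rights[$name]) -ne 0) { $name }
    }
}

# The two deny ACEs exactly as cacls listed them in the post.
$XxxDeny = 'DELETE','FILE_WRITE_DATA','FILE_APPEND_DATA','FILE_WRITE_EA',
           'FILE_DELETE_CHILD','FILE_WRITE_ATTRIBUTES'
$YyyDeny = 'DELETE','SYNCHRONIZE','FILE_WRITE_DATA','FILE_APPEND_DATA',
           'FILE_WRITE_EA','FILE_DELETE_CHILD','FILE_WRITE_ATTRIBUTES'

$xxxMask = ConvertTo-AccessMask $XxxDeny
$yyyMask = ConvertTo-AccessMask $YyyDeny
'xxx deny mask 0x{0:X8}, yyy deny mask 0x{1:X8}' -f $xxxMask, $yyyMask
'bits present only in yyy: ' + ((ConvertTo-RightNames ($xxxMask -bxor $yyyMask)) -join ', ')

function Find-SynchronizeDeny {
    # Report Deny ACEs on $Path whose mask includes SYNCHRONIZE. Explorer and CD
    # open the directory synchronously, so such a deny on Everyone blocks them.
    param([Parameter(Mandatory)][string]$Path)
    $sync = [System.Security.AccessControl.FileSystemRights]::Synchronize
    Get-Acl -LiteralPath $Path | Select-Object -ExpandProperty Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ([int]($_.FileSystemRights -band $sync)) -ne 0
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

function Set-ExplicitWriteDeleteDeny {
    # Add the same six-right Deny ACE the GUI creates, one named right at a time
    # (CreateFiles = FILE_WRITE_DATA, AppendData = FILE_APPEND_DATA, and so on).
    # Everyone is addressed by its well-known SID so the rule is locale-independent.
    param([Parameter(Mandatory)][string]$Path)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $rights = $fsr::CreateFiles -bor $fsr::AppendData -bor $fsr::WriteAttributes -bor
              $fsr::WriteExtendedAttributes -bor $fsr::DeleteSubdirectoriesAndFiles -bor
              $fsr::Delete
    $everyone  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
                 ([System.Security.Principal.WellKnownSidType]::WorldSid), $null
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $deny      = [System.Security.AccessControl.AccessControlType]::Deny
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $everyone, $rights, $inherit, $propagate, $deny
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder path). The icacls equivalent with specific rights instead of
# the generic W shorthand is: icacls yyy /deny Everyone:(OI)(CI)(WD,AD,WEA,WA,DC,D)
# Find-SynchronizeDeny -Path 'C:\yyy'
# Set-ExplicitWriteDeleteDeny -Path 'C:\yyy'
```

Running the first part against the post's own lists reports SYNCHRONIZE as the only bit present in yyy and absent in xxx, so the check in Find-SynchronizeDeny is what a practitioner would run over a "gold master" tree before trusting a scripted deny.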