icacls – changing permissions on files and folders.

Update – Excellent Post  How to Handle NTFS Folder Permissions, Security Descriptors and ACLshttp://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

I was asked about changing permissions from the root of a drive and all sub-folders.  My immediate reaction was to use the Microsoft tool that replaced cacls – icacls.  Apparently the person that came up with the new name  “must” have just received their new iPad. <g>

I remembered a Technet article from a friend Gregg Shields – http://technet.microsoft.com/en-us/magazine/2009.07.geekofalltrades.aspx

“Setting permissions for the Marketing folder is slightly different. We use the same permissions flow for the Product folder as we did for the subfolders under Finance, but the Restricted folder will be treated a bit differently. Let’s suppose that folder contains highly secret documents that should be seen by only a very few individuals. Your first thought may be, “A-ha! Here, I’ll use the Deny permissions to prevent the wrong users from accessing this folder!”
But keep in mind that the Deny permissions is actually far too powerful a setting for most situations as it automatically overrides every other permission. Therefore, adding the Deny permission to the Marketing Users group for this folder means that any Restricted users who are also Marketing users would be shut out. A more appropriate solution here is to break the inheritance again and simply eliminate all permissions for the Marketing Users group. Thus, the three icacls command lines required to set the permissions for this structure are”http://support.microsoft.com/kb/943043

Icacls C:\Shared\Marketing /inheritance:r /grant:r “Finance Users”:(OI)(CI)R /grant:r “File Admins”:(OI)(CI)F

Icacls C:\Shared\Marketing\Product /grant:r “Product Users”:(OI)(CI)M

Icacls C:\Shared\Marketing\Restricted /inheritance:r /grant:r “File Admins”:(OI)(CI)F /grant:r “Restricted Users”:(OI)(CI)M

ALSO see –

The Icacls.exe utility that is included with Windows Server 2003 Service Pack 2 does not support the inheritance bit
Hotfix Download Available

Additionally, you can set the inheritance bit of files or folders by using the updated Icacls.exe utility together with the /inheritance parameter. For more information, see the following sample:
/inheritance:e|d|r
e – enables inheritance
d – disables inheritance and copy the ACEs
r – remove all inherited ACEs

So if you are asking yourself WHAT..?  Like I was, here is some more info on the topic.

“Tim asked me to comment on this question.

You’re on the right path. Funny, but I’m actually about to write a three-part series on icacls for TechTarget.

You need to break the inheritance (/inheritance:r) and then reset the new directly-applied permissions (/grant). The new perms then inherit down because you’re using (OI)(CI), which are “object inherit” and “container inherit”.

So, step one: Break inheritance. Step two: directly set new perm. Step three: Enable inheritance. What’s confusing is that these three steps are all being done in a single line.

Does this help?”

/Greg Shields, MVP – Terminal Services

Tips and Tricks for the Jack-of-all-Trades IT Professional

www.ConcentratedTech.com

The “single line” threw me for a but until I realized what he meant was.  In your single command line you need to break the inheritance first then you will apply the permissions you want to grant accordingly.

So for example –

Step 1 is the /inheritance:r

Step 2 is the /grant Domain\username

Step 3 is the (OI)(CI) F

Thus –

icacls pathname /inheritance:r /grant Domain\username (OI)(CI) F

F = full

If there are any other permissions that exist you could also remove those in the same command by using the :r switch after the grant command.

icacls pathname /inheritance:r /grant:r Domain\username (OI)(CI) F

Many Thanks to Gregg Shields.  I highly anticipate his to be released three-part series on icacls for TechTarget.

0.000000 0.000000