Solved

How to use cacls/xcacls to deny permissions (similar to features available on Security tab)

Posted on 2003-10-23
2
3,590 Views
Last Modified: 2013-12-04
I'm running Win2k Pro (SP4) in a workgroup (non-domain) environment.  When I use the Explorer Security tab to deny Administrator permissions (Full Control) to a directory (%SystemRoot%\system32\GroupPolicy), this is what I get afterward when I run cacls/xcacls:



C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                                                     DELETE
                                                     READ_CONTROL
                                                     WRITE_DAC
                                                     WRITE_OWNER
                                                     STANDARD_RIGHTS_REQUIRED
                                                     FILE_READ_DATA
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_READ_EA
                                                     FILE_WRITE_EA
                                                     FILE_EXECUTE
                                                     FILE_DELETE_CHILD
                                                     FILE_READ_ATTRIBUTES
                                                     FILE_WRITE_ATTRIBUTES
 
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



When I try to deny access using either cacls or xcalcs, I get this:



C:\WINNT\system32>xcacls GroupPolicy /e /d administrators
processed directory: C:\WINNT\system32\GroupPolicy

C:\WINNT\system32>xcacls GroupPolicy
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)N
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



Note that the BUILTIN\Administrators have "None" privileges instead of "Deny" privileges.  When I look at the Explorer Security tab, however, it shows all permissions as "Deny."

Here's the reason I'm doing all this:  I'm using local Group Policy (gpedit.msc) to lock down the workstations, but I don't want the lockdown to apply to the Administrators.  I understand that if I deny Administrators Read access to the %SystemRoot%\system32\GroupPolicy directory, then the local group policy will not apply to the Administrators (http://www.jsifaq.com/sube/tip2400/rh2492.htm).  This all works fine when I deny access via the Explorer Security tab, but I can't get it to work using the cacls/xcacls commands.

Thanks for any help.
0
Comment
Question by:cme12345
2 Comments
 
LVL 1

Accepted Solution

by:
lacams earned 125 total points
Comment Utility
You can try with the tool : subinacl.exe

download site : http://www.petri.co.il/download_free_reskit_tools.htm
0
 

Author Comment

by:cme12345
Comment Utility
I figured out how to do this using cacls.exe.  It turns out I was getting caught up in the quagmire of inherited folder permissions by specifying only the directory name and not using the /t parameter.

To open up permissions on the contents of the GroupPolicy folder so that I can run gpedit.msc, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /g administrators:f

To deny administrators permissions so that the group policy settings don't not take effect, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /d administrators

Thanks to "lacams" for suggesting subinacl.exe.  It opened my eyes to the directory permission inheritance issues.  For that he gets points.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now