Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to use cacls/xcacls to deny permissions (similar to features available on Security tab)

Posted on 2003-10-23
2
3,601 Views
Last Modified: 2013-12-04
I'm running Win2k Pro (SP4) in a workgroup (non-domain) environment.  When I use the Explorer Security tab to deny Administrator permissions (Full Control) to a directory (%SystemRoot%\system32\GroupPolicy), this is what I get afterward when I run cacls/xcacls:



C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                                                     DELETE
                                                     READ_CONTROL
                                                     WRITE_DAC
                                                     WRITE_OWNER
                                                     STANDARD_RIGHTS_REQUIRED
                                                     FILE_READ_DATA
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_READ_EA
                                                     FILE_WRITE_EA
                                                     FILE_EXECUTE
                                                     FILE_DELETE_CHILD
                                                     FILE_READ_ATTRIBUTES
                                                     FILE_WRITE_ATTRIBUTES
 
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



When I try to deny access using either cacls or xcalcs, I get this:



C:\WINNT\system32>xcacls GroupPolicy /e /d administrators
processed directory: C:\WINNT\system32\GroupPolicy

C:\WINNT\system32>xcacls GroupPolicy
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)N
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



Note that the BUILTIN\Administrators have "None" privileges instead of "Deny" privileges.  When I look at the Explorer Security tab, however, it shows all permissions as "Deny."

Here's the reason I'm doing all this:  I'm using local Group Policy (gpedit.msc) to lock down the workstations, but I don't want the lockdown to apply to the Administrators.  I understand that if I deny Administrators Read access to the %SystemRoot%\system32\GroupPolicy directory, then the local group policy will not apply to the Administrators (http://www.jsifaq.com/sube/tip2400/rh2492.htm).  This all works fine when I deny access via the Explorer Security tab, but I can't get it to work using the cacls/xcacls commands.

Thanks for any help.
0
Comment
Question by:cme12345
2 Comments
 
LVL 1

Accepted Solution

by:
lacams earned 125 total points
ID: 9613325
You can try with the tool : subinacl.exe

download site : http://www.petri.co.il/download_free_reskit_tools.htm
0
 

Author Comment

by:cme12345
ID: 9616920
I figured out how to do this using cacls.exe.  It turns out I was getting caught up in the quagmire of inherited folder permissions by specifying only the directory name and not using the /t parameter.

To open up permissions on the contents of the GroupPolicy folder so that I can run gpedit.msc, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /g administrators:f

To deny administrators permissions so that the group policy settings don't not take effect, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /d administrators

Thanks to "lacams" for suggesting subinacl.exe.  It opened my eyes to the directory permission inheritance issues.  For that he gets points.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question