Solved

How to use cacls/xcacls to deny permissions (similar to features available on Security tab)

Posted on 2003-10-23
Last Modified: 2013-12-04
I'm running Win2k Pro (SP4) in a workgroup (non-domain) environment.  When I use the Explorer Security tab to deny Administrator permissions (Full Control) to a directory (%SystemRoot%\system32\GroupPolicy), this is what I get afterward when I run cacls/xcacls:



C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                                                     DELETE
                                                     READ_CONTROL
                                                     WRITE_DAC
                                                     WRITE_OWNER
                                                     STANDARD_RIGHTS_REQUIRED
                                                     FILE_READ_DATA
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_READ_EA
                                                     FILE_WRITE_EA
                                                     FILE_EXECUTE
                                                     FILE_DELETE_CHILD
                                                     FILE_READ_ATTRIBUTES
                                                     FILE_WRITE_ATTRIBUTES
 
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



When I try to deny access using either cacls or xcacls, I get this:



C:\WINNT\system32>xcacls GroupPolicy /e /d administrators
processed directory: C:\WINNT\system32\GroupPolicy

C:\WINNT\system32>xcacls GroupPolicy
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)N
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F



Note that the BUILTIN\Administrators have "None" privileges instead of "Deny" privileges.  When I look at the Explorer Security tab, however, it shows all permissions as "Deny."

Here's the reason I'm doing all this:  I'm using local Group Policy (gpedit.msc) to lock down the workstations, but I don't want the lockdown to apply to the Administrators.  I understand that if I deny Administrators Read access to the %SystemRoot%\system32\GroupPolicy directory, then the local group policy will not apply to the Administrators (http://www.jsifaq.com/sube/tip2400/rh2492.htm).  This all works fine when I deny access via the Explorer Security tab, but I can't get it to work using the cacls/xcacls commands.

Thanks for any help.
Question by:cme12345
2 Comments
 
Accepted Solution

by:
lacams earned 125 total points
ID: 9613325
You can try with the tool: subinacl.exe

Download site: http://www.petri.co.il/download_free_reskit_tools.htm

Author Comment

by:cme12345
ID: 9616920
I figured out how to do this using cacls.exe.  It turns out I was getting caught up in the quagmire of inherited folder permissions by specifying only the directory name and not using the /t parameter.

To open up permissions on the contents of the GroupPolicy folder so that I can run gpedit.msc, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /g administrators:f

To deny administrators permissions so that the group policy settings don't take effect, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /d administrators

Thanks to "lacams" for suggesting subinacl.exe.  It opened my eyes to the directory permission inheritance issues.  For that he gets points.
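An added example, not part of the original thread: a small parser for listings in the cacls/xcacls layout quoted in the question, used to confirm that the deny actually reached every file under GroupPolicy and was not applied to the top-level folder only. The sample listing is constructed, the function names are hypothetical, and paths are assumed to contain no spaces.

```python
import re

# Constructed sample in the layout of the cacls listings quoted in the question
# (not captured from a real system). Assumption: paths contain no spaces.
SAMPLE = r"""
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                              DELETE
                              FILE_READ_DATA
                              NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINNT\system32\GroupPolicy\gpt.ini BUILTIN\Administrators:N
                                      NT AUTHORITY\SYSTEM:F
C:\WINNT\system32\GroupPolicy\User\Registry.pol BUILTIN\Administrators:F
                                                NT AUTHORITY\SYSTEM:F
"""

def parse_cacls(text):
    """Return {path: [ACE dict, ...]} from cacls/xcacls listing text."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("processed "):
            continue                       # blank and status lines carry no ACE
        if not line[0].isspace():          # unindented line starts a new path
            path, _, line = line.partition(" ")
            acls[path] = []
        if path is None:
            continue
        entry = line.strip()
        if ":" in entry:                   # "trustee:(flags)perm"
            trustee, rest = entry.split(":", 1)
            flags = re.findall(r"\(([^)]*)\)", rest)
            perm = re.sub(r"\([^)]*\)", "", rest).strip()
            acls[path].append({"trustee": trustee, "flags": flags,
                               "perm": perm, "rights": []})
        elif acls[path]:                   # right listed under "(special access:)"
            acls[path][-1]["rights"].append(entry)
    return acls

def admin_state(aces, trustee=r"BUILTIN\Administrators"):
    """'deny' for a (DENY) ACE or the N that cacls prints after /d."""
    mine = [a for a in aces if a["trustee"].lower() == trustee.lower()]
    if any("DENY" in a["flags"] or a["perm"] == "N" for a in mine):
        return "deny"
    return "allow" if mine else "absent"

def not_denied(text):
    """Paths in the listing where Administrators is not denied."""
    return sorted(p for p, aces in parse_cacls(text).items()
                  if admin_state(aces) != "deny")
```

Feeding it the saved output of a `/t` listing of the GroupPolicy folder gives the files the deny missed; an empty list means the whole tree is covered.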