How to use cacls/xcacls to deny permissions (similar to features available on Security tab)

Posted on 2003-10-23
Last Modified: 2013-12-04
I'm running Win2k Pro (SP4) in a workgroup (non-domain) environment.  When I use the Explorer Security tab to deny Administrator permissions (Full Control) to a directory (%SystemRoot%\system32\GroupPolicy), this is what I get afterward when I run cacls/xcacls:
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                                                     DELETE
                                                     READ_CONTROL
                                                     WRITE_DAC
                                                     WRITE_OWNER
                                                     STANDARD_RIGHTS_REQUIRED
                                                     FILE_READ_DATA
                                                     FILE_WRITE_DATA
                                                     FILE_APPEND_DATA
                                                     FILE_READ_EA
                                                     FILE_WRITE_EA
                                                     FILE_EXECUTE
                                                     FILE_DELETE_CHILD
                                                     FILE_READ_ATTRIBUTES
                                                     FILE_WRITE_ATTRIBUTES
 
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F
When I try to deny access using either cacls or xcacls, I get this:

C:\WINNT\system32>xcacls GroupPolicy /e /d administrators
processed directory: C:\WINNT\system32\GroupPolicy

C:\WINNT\system32>xcacls GroupPolicy
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)N
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F
Note that the BUILTIN\Administrators have "None" privileges instead of "Deny" privileges.  When I look at the Explorer Security tab, however, it shows all permissions as "Deny."

Here's the reason I'm doing all this:  I'm using local Group Policy (gpedit.msc) to lock down the workstations, but I don't want the lockdown to apply to the Administrators.  I understand that if I deny Administrators Read access to the %SystemRoot%\system32\GroupPolicy directory, then the local group policy will not apply to the Administrators (http://www.jsifaq.com/sube/tip2400/rh2492.htm).  This all works fine when I deny access via the Explorer Security tab, but I can't get it to work using the cacls/xcacls commands.

Thanks for any help.
Question by:cme12345

Accepted Solution

by:
lacams earned 125 total points
ID: 9613325
You can try with the tool : subinacl.exe

download site : http://www.petri.co.il/download_free_reskit_tools.htm

Author Comment

by:cme12345
ID: 9616920
I figured out how to do this using cacls.exe.  It turns out I was getting caught up in the quagmire of inherited folder permissions by specifying only the directory name and not using the /t parameter.

To open up permissions on the contents of the GroupPolicy folder so that I can run gpedit.msc, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /g administrators:f

To deny administrators permissions so that the group policy settings don't take effect, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /d administrators

Thanks to "lacams" for suggesting subinacl.exe.  It opened my eyes to the directory permission inheritance issues.  For that he gets points.

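The thread's confusion came from two things: cacls shows a deny-everything entry as "N" rather than "(DENY)", and inherited entries on the folder contents hide what was actually set until /t is used. The following PowerShell script is an added example, not code from the thread; it lists explicit versus inherited ACEs on the folder so a "N" line is not mistaken for a missing entry, checks that the Administrators deny entry carries the (OI)(CI) inheritance flags, and builds the same rule the Explorer "Deny Full Control" checkbox creates. It assumes Windows PowerShell 5 or later on a modern Windows; the folder path defaults to the thread's GroupPolicy directory but is a parameter.

```powershell
# Added example (not from the original thread). Audits the ACL of a folder and
# builds the "Deny Full Control, this folder, subfolders and files" rule for
# BUILTIN\Administrators. Assumes Windows PowerShell 5+; $Path is adjustable.
param([string]$Path = "$env:SystemRoot\System32\GroupPolicy")

function Get-ExplicitAces {
    param([string]$Folder)
    $acl = Get-Acl -Path $Folder
    # IsInherited separates what was set on this object from what flowed down
    # from the parent; the inherited entries were the "quagmire" in the thread.
    $acl.Access | Select-Object IdentityReference, AccessControlType,
        FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

function Test-AdminDenyPropagates {
    param([string]$Folder)
    $acl = Get-Acl -Path $Folder
    # An explicit Deny ACE for Administrators, regardless of how cacls labels it
    # ("N" for a full-rights deny, "(DENY)(special access:)" for a rights list).
    $deny = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
    if (-not $deny) { return $false }
    # (OI)(CI) in cacls notation is ObjectInherit + ContainerInherit here.
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    return [bool]($deny | Where-Object { ($_.InheritanceFlags -band $flags) -eq $flags })
}

function New-AdminDenyRule {
    # Same ACE the Explorer Security tab writes for "Deny Full Control" applied
    # to "This folder, subfolders and files".
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $flags,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

Get-ExplicitAces -Folder $Path | Format-Table -AutoSize
"Administrators deny ACE present and inheriting: $(Test-AdminDenyPropagates -Folder $Path)"
```

To actually apply the rule, add it to the folder's ACL with `$acl.AddAccessRule((New-AdminDenyRule))` followed by `Set-Acl -Path $Path -AclObject $acl`, then rerun the audit; existing child objects that already carry their own explicit entries still need the cacls /t pass the author describes.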