Solved

Commmand line Windows ACLs - copy inheritance, remove group and add another group

Posted on 2010-09-17
6
1,562 Views
Last Modified: 2013-12-04
I'm in need of a simple way of setting the following on a folder. The procedure I use in the GUI is as follows::

- Stop inheritance but copy all the rights
- Remove "Users" group
- Add "Z USERS" to the ACL with everything but full control

I know xcopy can copy permissions but that proved to break very easily as it copy some unwanted ACLs from the source as well and these can be removed as the entire ACL is marked as inherited.

I would much prefer to use something that comes with XP/w2k3 or the resources kits as I have a batch script that does everything but this part.
0
Comment
Question by:saL1Las
  • 4
  • 2
6 Comments
 
LVL 3

Expert Comment

by:latchways
ID: 33700136
Check out CACLS.exe http://ss64.com/nt/cacls.html
0
 
LVL 3

Author Comment

by:saL1Las
ID: 33700195
I have tried CACLS and XACLS but have not been able to get them to do what I am after - I feel I missed something but any idea on the switches?
0
 
LVL 3

Accepted Solution

by:
latchways earned 200 total points
ID: 33700352
Try XCACLS.vbs http://support.microsoft.com/kb/825751

with

xcacls.vbs <foldername> /T /E /I REMOVE /R "domain.com\domain users" /G "domain.com\z users":M
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Author Comment

by:saL1Las
ID: 33700434
Very close...but there was a typo.

xcacls.vbs <foldername> /T /E /I COPY /R "domain.com\domain users" /G "domain.com\z users":M

Should be copy and not remove.

Let me quickly throw this into a batch script and see if this works...I didn't realize there was VBS of xcacls but so long as I can integrate it into my current do it all batch script, I'm sorted.
0
 
LVL 3

Author Comment

by:saL1Las
ID: 33700652
I've tested it in my master script and for those who'd like to know please do the following:

Please xcacls.exe and XACLS.vbs on a file share that can be accessed and in the same folder.

To copy inheritance, remove specific permission and then add your own with all but full access:

cscript "\\myserver\myshare\myfolder\xcacls.vbs" <foldername> /T /E /I COPY /R "domain.com\domain users" /G "domain.com\z users":M

If you want to be explicity, replace the M at the end with one of the following:
F  Full control
M  Modify
X  read & eXecute
L  List folder contents
R  Read
W  Write

Alternatively, if you want to keep the inheritance as is and just add a security group, change copy to enable:

cscript "\\myserver\myshare\myfolder\xcacls.vbs" <foldername> /T /E /I ENABLE /R "domain.com\domain users" /G "domain.com\z users":M

You can add /Q to the end of either of the above to suppress all the text.

If you need to check for more options

cscript "\\myserver\myshare\myfolder\xcacls.vbs" /?

Sorted!
0
 
LVL 3

Author Closing Comment

by:saL1Las
ID: 33700668
See my last post for full solution.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If, like me, you have a lot of Dell servers in the estate you manage this article should save you a little time. When attempting to login to iDrac on any server I would be presented with two errors. The first reads "Do you want to run this applicati…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now