• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1587
  • Last Modified:

Commmand line Windows ACLs - copy inheritance, remove group and add another group

I'm in need of a simple way of setting the following on a folder. The procedure I use in the GUI is as follows::

- Stop inheritance but copy all the rights
- Remove "Users" group
- Add "Z USERS" to the ACL with everything but full control

I know xcopy can copy permissions but that proved to break very easily as it copy some unwanted ACLs from the source as well and these can be removed as the entire ACL is marked as inherited.

I would much prefer to use something that comes with XP/w2k3 or the resources kits as I have a batch script that does everything but this part.
0
saL1Las
Asked:
saL1Las
  • 4
  • 2
1 Solution
 
latchwaysCommented:
Check out CACLS.exe http://ss64.com/nt/cacls.html 
0
 
saL1LasAuthor Commented:
I have tried CACLS and XACLS but have not been able to get them to do what I am after - I feel I missed something but any idea on the switches?
0
 
latchwaysCommented:
Try XCACLS.vbs http://support.microsoft.com/kb/825751 

with

xcacls.vbs <foldername> /T /E /I REMOVE /R "domain.com\domain users" /G "domain.com\z users":M
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
saL1LasAuthor Commented:
Very close...but there was a typo.

xcacls.vbs <foldername> /T /E /I COPY /R "domain.com\domain users" /G "domain.com\z users":M

Should be copy and not remove.

Let me quickly throw this into a batch script and see if this works...I didn't realize there was VBS of xcacls but so long as I can integrate it into my current do it all batch script, I'm sorted.
0
 
saL1LasAuthor Commented:
I've tested it in my master script and for those who'd like to know please do the following:

Please xcacls.exe and XACLS.vbs on a file share that can be accessed and in the same folder.

To copy inheritance, remove specific permission and then add your own with all but full access:

cscript "\\myserver\myshare\myfolder\xcacls.vbs" <foldername> /T /E /I COPY /R "domain.com\domain users" /G "domain.com\z users":M

If you want to be explicity, replace the M at the end with one of the following:
F  Full control
M  Modify
X  read & eXecute
L  List folder contents
R  Read
W  Write

Alternatively, if you want to keep the inheritance as is and just add a security group, change copy to enable:

cscript "\\myserver\myshare\myfolder\xcacls.vbs" <foldername> /T /E /I ENABLE /R "domain.com\domain users" /G "domain.com\z users":M

You can add /Q to the end of either of the above to suppress all the text.

If you need to check for more options

cscript "\\myserver\myshare\myfolder\xcacls.vbs" /?

Sorted!
0
 
saL1LasAuthor Commented:
See my last post for full solution.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now