Solved

cacls to icacls/powershell

Posted on 2013-01-17
8
2,218 Views
Last Modified: 2013-01-18
I can restrict access to a file like so with cacls:

echo Y|cacls "C:\Program Files\SomeProgram\SomeFile.exe" /p administrators:F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\domain admins":F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\dotnetdev":F

Open in new window


How can I duplicate this result with icacls or powershell?
0
Comment
Question by:Marketing_Insists
  • 4
  • 2
  • 2
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 38790026
0
 
LVL 39

Expert Comment

by:footech
ID: 38794495
For icacls, syntax is pretty much the same as cacls.
icacls folderORfile /grant:r Administrators:F
icacls folderORfile /grant "corp\Domain Admins":F
icacls folderORfile /grant "corp\dotnetdev":F

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795025
This is what my original cacls command did:
what old cacls does
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 

Author Comment

by:Marketing_Insists
ID: 38795030
@Sunburn
I almost have it, but I can't delete the permissions in the middle part of the script,

$file = "C:\Program Files\SomeProgram\SomeFile.exe"

# Below Deletes inheritance, hurray!
$acl = get-acl $file
$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl 

#can't delete permissions, booo!
$acl = get-acl $file
$account = new-object system.security.principal.ntaccount("*")
$acl.purgeaccessrules($account)
set-acl -aclobject $acl -path $file

# below would be releveant if the above worked
$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795040
@footech
 That grants permissions, but I can't figure out how to delete the remaining permissions.  the  /remove seems to require explicit user\group specifications, so the below wouldn't work either.
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g *

Open in new window

0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 38795116
If they are explicit permissions that have to be removed, then yes you have to specify the user/group/SID.  But if they're inherited permissions then you can use "/inheritance:r" to remove them all.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r
This switch doesn't have to used on it's own either, you could run everything with one line.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r /grant Administrators:F /grant "corp\Domain Admins":F /grant "corp\dotnetdev":F

Open in new window

0
 

Author Closing Comment

by:Marketing_Insists
ID: 38795156
Thanks!  this did it
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38795280
With PowerShell you can try something like this..
$file = "C:\Program Files\SomeProgram\SomeFile.exe"
$acl = get-acl $file

$acl.Access | % {
          $acl.purgeaccessrules($_.IdentityReference)
          Set-Acl -AclObject $acl -path $file -ErrorAction SilentlyContinue
}

$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl

Open in new window

0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
How to sign a powershell script so you can prevent tampering, and only allow users to run authorised Powershell scripts
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question