Solved

cacls to icacls/powershell

Posted on 2013-01-17
8
2,269 Views
Last Modified: 2013-01-18
I can restrict access to a file like so with cacls:

echo Y|cacls "C:\Program Files\SomeProgram\SomeFile.exe" /p administrators:F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\domain admins":F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\dotnetdev":F

Open in new window


How can I duplicate this result with icacls or powershell?
0
Comment
Question by:Marketing_Insists
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 38790026
0
 
LVL 40

Expert Comment

by:footech
ID: 38794495
For icacls, syntax is pretty much the same as cacls.
icacls folderORfile /grant:r Administrators:F
icacls folderORfile /grant "corp\Domain Admins":F
icacls folderORfile /grant "corp\dotnetdev":F

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795025
This is what my original cacls command did:
what old cacls does
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 

Author Comment

by:Marketing_Insists
ID: 38795030
@Sunburn
I almost have it, but I can't delete the permissions in the middle part of the script,

$file = "C:\Program Files\SomeProgram\SomeFile.exe"

# Below Deletes inheritance, hurray!
$acl = get-acl $file
$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl 

#can't delete permissions, booo!
$acl = get-acl $file
$account = new-object system.security.principal.ntaccount("*")
$acl.purgeaccessrules($account)
set-acl -aclobject $acl -path $file

# below would be releveant if the above worked
$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795040
@footech
 That grants permissions, but I can't figure out how to delete the remaining permissions.  the  /remove seems to require explicit user\group specifications, so the below wouldn't work either.
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g *

Open in new window

0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 38795116
If they are explicit permissions that have to be removed, then yes you have to specify the user/group/SID.  But if they're inherited permissions then you can use "/inheritance:r" to remove them all.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r
This switch doesn't have to used on it's own either, you could run everything with one line.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r /grant Administrators:F /grant "corp\Domain Admins":F /grant "corp\dotnetdev":F

Open in new window

0
 

Author Closing Comment

by:Marketing_Insists
ID: 38795156
Thanks!  this did it
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38795280
With PowerShell you can try something like this..
$file = "C:\Program Files\SomeProgram\SomeFile.exe"
$acl = get-acl $file

$acl.Access | % {
          $acl.purgeaccessrules($_.IdentityReference)
          Set-Acl -AclObject $acl -path $file -ErrorAction SilentlyContinue
}

$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl

Open in new window

0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Set OWA language and time zone in Exchange for individuals, all users or per database.
A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question