Solved

cacls to icacls/powershell

Posted on 2013-01-17
8
2,204 Views
Last Modified: 2013-01-18
I can restrict access to a file like so with cacls:

echo Y|cacls "C:\Program Files\SomeProgram\SomeFile.exe" /p administrators:F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\domain admins":F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\dotnetdev":F

Open in new window


How can I duplicate this result with icacls or powershell?
0
Comment
Question by:Marketing_Insists
  • 4
  • 2
  • 2
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 38790026
0
 
LVL 39

Expert Comment

by:footech
ID: 38794495
For icacls, syntax is pretty much the same as cacls.
icacls folderORfile /grant:r Administrators:F
icacls folderORfile /grant "corp\Domain Admins":F
icacls folderORfile /grant "corp\dotnetdev":F

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795025
This is what my original cacls command did:
what old cacls does
0
 

Author Comment

by:Marketing_Insists
ID: 38795030
@Sunburn
I almost have it, but I can't delete the permissions in the middle part of the script,

$file = "C:\Program Files\SomeProgram\SomeFile.exe"

# Below Deletes inheritance, hurray!
$acl = get-acl $file
$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl 

#can't delete permissions, booo!
$acl = get-acl $file
$account = new-object system.security.principal.ntaccount("*")
$acl.purgeaccessrules($account)
set-acl -aclobject $acl -path $file

# below would be releveant if the above worked
$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

Open in new window

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:Marketing_Insists
ID: 38795040
@footech
 That grants permissions, but I can't figure out how to delete the remaining permissions.  the  /remove seems to require explicit user\group specifications, so the below wouldn't work either.
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g *

Open in new window

0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 38795116
If they are explicit permissions that have to be removed, then yes you have to specify the user/group/SID.  But if they're inherited permissions then you can use "/inheritance:r" to remove them all.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r
This switch doesn't have to used on it's own either, you could run everything with one line.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r /grant Administrators:F /grant "corp\Domain Admins":F /grant "corp\dotnetdev":F

Open in new window

0
 

Author Closing Comment

by:Marketing_Insists
ID: 38795156
Thanks!  this did it
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38795280
With PowerShell you can try something like this..
$file = "C:\Program Files\SomeProgram\SomeFile.exe"
$acl = get-acl $file

$acl.Access | % {
          $acl.purgeaccessrules($_.IdentityReference)
          Set-Acl -AclObject $acl -path $file -ErrorAction SilentlyContinue
}

$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl

Open in new window

0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
This article will help you understand what HashTables are and how to use them in PowerShell.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now