Solved

cacls to icacls/powershell

Posted on 2013-01-17
8
2,189 Views
Last Modified: 2013-01-18
I can restrict access to a file like so with cacls:

echo Y|cacls "C:\Program Files\SomeProgram\SomeFile.exe" /p administrators:F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\domain admins":F
cacls "C:\Program Files\SomeProgram\SomeFile.exe" /e /g "corp\dotnetdev":F

Open in new window


How can I duplicate this result with icacls or powershell?
0
Comment
Question by:Marketing_Insists
  • 4
  • 2
  • 2
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 38790026
0
 
LVL 39

Expert Comment

by:footech
ID: 38794495
For icacls, syntax is pretty much the same as cacls.
icacls folderORfile /grant:r Administrators:F
icacls folderORfile /grant "corp\Domain Admins":F
icacls folderORfile /grant "corp\dotnetdev":F

Open in new window

0
 

Author Comment

by:Marketing_Insists
ID: 38795025
This is what my original cacls command did:
what old cacls does
0
 

Author Comment

by:Marketing_Insists
ID: 38795030
@Sunburn
I almost have it, but I can't delete the permissions in the middle part of the script,

$file = "C:\Program Files\SomeProgram\SomeFile.exe"

# Below Deletes inheritance, hurray!
$acl = get-acl $file
$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl 

#can't delete permissions, booo!
$acl = get-acl $file
$account = new-object system.security.principal.ntaccount("*")
$acl.purgeaccessrules($account)
set-acl -aclobject $acl -path $file

# below would be releveant if the above worked
$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

Open in new window

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:Marketing_Insists
ID: 38795040
@footech
 That grants permissions, but I can't figure out how to delete the remaining permissions.  the  /remove seems to require explicit user\group specifications, so the below wouldn't work either.
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g
 icacls "C:\Program Files\SomeProgram\SomeFile.exe" /remove:g *

Open in new window

0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 38795116
If they are explicit permissions that have to be removed, then yes you have to specify the user/group/SID.  But if they're inherited permissions then you can use "/inheritance:r" to remove them all.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r
This switch doesn't have to used on it's own either, you could run everything with one line.
icacls "C:\Program Files\SomeProgram\SomeFile.exe" /inheritance:r /grant Administrators:F /grant "corp\Domain Admins":F /grant "corp\dotnetdev":F

Open in new window

0
 

Author Closing Comment

by:Marketing_Insists
ID: 38795156
Thanks!  this did it
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38795280
With PowerShell you can try something like this..
$file = "C:\Program Files\SomeProgram\SomeFile.exe"
$acl = get-acl $file

$acl.Access | % {
          $acl.purgeaccessrules($_.IdentityReference)
          Set-Acl -AclObject $acl -path $file -ErrorAction SilentlyContinue
}

$array = @("administrators","corp\domain admins","corp\dotnetdev")

foreach ($element in $array) {
  $permission = $element,"FullControl","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $file
}

$isProtected = $true 
$preserveInheritance = $false
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
Set-Acl -Path $file -AclObject $acl

Open in new window

0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Set OWA language and time zone in Exchange for individuals, all users or per database.
Synchronize a new Active Directory domain with an existing Office 365 tenant
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now