Hi, I have a Windows 2012 R2 file server that's showing some odd behaviour. I need to apply an NTFS permission to a bunch of folders so I would prefer to do it via a script rather than via the GUI.
The permission is: Deny, Domain Users, Delete, This Folder Only.
I can apply the permission to the folder using the GUI (Advanced Security Settings) with no problems.
However, when I apply the permission using ICACLS, suddenly everybody in Domain Users gets an 'Access is denied' error when they try to open the folder!
The ICACLS command I'm using is ICACLS "<foldername>" /deny "Domain Users":(d)
The ICACLS command executes successfully, and when I check the folder permissions in the GUI afterwards, they look identical to how they look when I use the GUI to add the permission.
I even ran an NTFS permissions report on the folder when the permission is set via GUI and another when it's set via ICACLS. I compared the two permissions reports in Excel, and the reports are completely identical (apart from the cell containing the report date and time of course).
So why on earth is it that the domain users have no problem opening the folder when it's set via GUI, but get 'Access Denied' when it's set via ICACLS?? I'm mystified. So is Dr Google. Has anyone else encountered this behaviour after using ICACLS? How can I fix the problem? I don't want to have to use the GUI - I need to add the permission to dozens of folders. It would take ages.
Any suggestions welcome. Thank you! :)
Deny is overriding, supersedes all other settings.
I think your issue is that you are missing the /e option that deals/sets that you are editing the file ACL versus creating a new one based on the parameters you provide on the command line.
Run icacls folder to see the permissions after your change.
Xcacls has a more granular control...
Double check the application of your restrictions....
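To compare the two folders at the level of the raw access mask rather than the rights names a report or the GUI displays, the added PowerShell below (not from the original posts) lists each explicit Deny ACE with its mask and flags the SYNCHRONIZE bit, then applies Deny / Delete / This Folder Only through .NET. That a SYNCHRONIZE bit accounts for the difference is an assumption to check, and the function names and sample paths are hypothetical.

```powershell
# Added example. Function names and sample paths are hypothetical.
$SYNCHRONIZE = [int][System.Security.AccessControl.FileSystemRights]::Synchronize  # 0x00100000

function Get-DenyAceMask {
    # List explicit (non-inherited) Deny ACEs on a folder with their raw access mask.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Deny') { continue }
        $mask = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Path              = $Path
            Identity          = $ace.IdentityReference.Value
            Rights            = $ace.FileSystemRights
            MaskHex           = '0x{0:X8}' -f $mask
            Inheritance       = $ace.InheritanceFlags   # None = this folder only
            # A Deny ACE carrying SYNCHRONIZE is the thing to look for when
            # opening the folder fails although only Delete was meant to be denied.
            DeniesSynchronize = [bool]($mask -band $SYNCHRONIZE)
        }
    }
}

function Add-DenyDeleteThisFolderOnly {
    # Add Deny / Delete / This Folder Only to each folder, then report the stored mask.
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$Identity = 'Domain Users'
    )
    foreach ($p in $Path) {
        # InheritanceFlags None + PropagationFlags None = "This folder only"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Delete', 'None', 'None', 'Deny')
        $acl = Get-Acl -LiteralPath $p
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $p -AclObject $acl
        Get-DenyAceMask -Path $p
    }
}

# Compare a folder set via the GUI with one set via ICACLS (placeholder paths):
#   Get-DenyAceMask 'D:\Shares\SetViaGui'
#   Get-DenyAceMask 'D:\Shares\SetViaIcacls'
# Apply to many folders at once (placeholder path):
#   Add-DenyDeleteThisFolderOnly -Path (Get-ChildItem 'D:\Shares' -Directory).FullName
```

Run it from an elevated session on a test folder first; if the two folders show different MaskHex values, that difference is what the Excel comparison of rights names did not surface.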