Setting NTFS permissions: is icacls.exe the best method?

mike2401
Hello.

I'm troubleshooting bat files from the IT guy who just retired.  

It uses XCACLS.EXE to set permissions to folders and subfolders.

It seems not to be working and some preliminary research suggests that tool is old-school and not meant for 2012/2016.

The old bat file contains statements like these:
xcacls.exe %1\01_DOCS\01_CONFID /T    /G ADMN_PH:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G PM_GROUP:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G SVCS_PH:F /Y

I see references to: icacls.exe  but wasn't sure if there's even a newer technique / tool that should be used.

For icacls.exe, I see references to SID's but we only want to apply permissions to security groups.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I see that icacls.exe is built into 2016 so I guess that's the best.

Thoughts?

Thanks,
Mike
Distinguished Expert 2018

Commented:
icacls is fine, yes.
If you feel you should reuse his scripts, try to use the updated xcacls.vbs instead of xcacls.exe. See https://support.microsoft.com/en-us/help/825751/how-to-use-xcacls-vbs-to-modify-ntfs-permissions (download link included).

Author

Commented:
Thanks.  

I'm tinkering with icacls.exe now.  

I see that Xcacls.vbs is only compatible with Microsoft Windows 2000, with Microsoft Windows XP, and with Microsoft Windows Server 2003. Xcacls.vbs is not supported by Microsoft.
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
From what I can remember (so try this on a test directory first ...), this should be the icacls equivalent to your xcacls commands above.
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant:r ADMN_PH:M
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant   PM_GROUP:M
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant   SVCS_PH:F


As far as "I see references to SID's but we only want to apply permissions to security groups" is concerned, see the note at the end of icacls /?:

Note:
    Sids may be in either numerical or friendly name form. If a numerical
    form is given, affix a * to the start of the SID.

Distinguished Expert 2018

Commented:
Yep. It's not supported and you'd be using it at your own risk. Found it just worth mentioning as it is possibly worth trying to find out what your predecessor's scripts did and it's newer than the old .exe version.

Author

Commented:
Wow @oBdA: That's awesome!

I was hoping the :r on the first statement would have removed all pre-existing permissions but it didn't.

I see from the documentation that:

"Grant access rights, with :r, the permissions will replace any previously granted explicit permissions (for the given user)."

What's the best approach to wipe away all the permissions before assigning the new ones?

Thanks so much!

Mike

Author

Commented:
Looks like this works:

rem: remove all permissions
ICACLS "f:\test\proj1234" /reset /T /C /L /Q

(I'll do it first)
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
It will remove explicit permissions, but not inherited ones.
To remove inherited permissions as well, you can add
/inheritance:r


to the command ("/inheritance:d" to copy the inherited ones as now explicit ones)
icacls.exe "%1\01_DOCS\01_CONFID" /T /inheritance:r /grant:r ADMN_PH:M


The account running this should be Owner of the folder, otherwise he won't be able to change the permissions anymore after that command!
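
The steps discussed in this thread combined into one batch file, as an added example that is not code from any of the posters: it saves the existing ACLs, wipes explicit and inherited entries, then grants the three groups named in the question. The script name, the backup path and the (OI)(CI) inheritance flags (which make the grants apply to items created later as well) are assumptions of this example.

```batch
@echo off
rem Added example, not from the thread. Usage: set_confid_acl.bat <project root>
setlocal
if "%~1"=="" (echo Usage: %~nx0 ^<project root^> & exit /b 1)
set "TARGET=%~1\01_DOCS\01_CONFID"
rem Assumed backup location; pick one that suits your environment.
set "BACKUP=%TEMP%\01_CONFID_acl.bak"
if not exist "%TARGET%\" (echo Folder not found: "%TARGET%" & exit /b 1)

rem 1. Save the current ACLs of the whole tree before touching anything.
rem    Paths in the file are relative to the parent folder, so a rollback is:
rem    icacls "%~1\01_DOCS" /restore "%BACKUP%"
icacls "%TARGET%" /save "%BACKUP%" /T /C /Q
if errorlevel 1 (echo ACL backup failed, nothing was changed. & exit /b 1)

rem 2. Top folder: /reset drops every explicit ACE (for any principal),
rem    leaving only what is inherited from the parent.
icacls "%TARGET%" /reset /Q
if errorlevel 1 (echo Reset of the top folder failed. & exit /b 1)

rem 3. Top folder: drop the inherited ACEs and grant the three groups.
rem    (OI)(CI) makes each ACE inheritable by files and subfolders.
rem    Run this as the folder's owner, as noted in the reply above.
icacls "%TARGET%" /inheritance:r /grant:r "ADMN_PH:(OI)(CI)M" "PM_GROUP:(OI)(CI)M" "SVCS_PH:(OI)(CI)F" /Q
if errorlevel 1 (echo Setting the ACL on the top folder failed. & exit /b 1)

rem 4. Everything below: discard explicit ACEs and re-enable inheritance,
rem    so children carry only what flows down from the top folder.
rem    /C continues past errors on individual items, /L acts on links themselves.
icacls "%TARGET%\*" /reset /T /C /L /Q

rem 5. Show the resulting ACL of the top folder for review.
icacls "%TARGET%"
endlocal
```

Try it on a copy of the folder tree first and keep the backup file until the new permissions have been checked.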

Author

Commented:
You rock @oBdA!!!!

I really can't thank you enough.  

There's so much stuff in the brain of the guy who retired and I'm under a lot of pressure trying to get everything squared away.

This was a huge help!!

-Mike

Author

Commented:
Thanks!
