mike2401

Setting NTFS permissions: is icacls.exe the best method?

Hello.

I'm troubleshooting bat files from the IT guy who just retired.  

It uses XCACLS.EXE to set permissions to folders and subfolders.

It seems not to be working and some preliminary research suggests that tool is old-school and not meant for 2012/2016.

The old bat file contains statements like these:
xcacls.exe %1\01_DOCS\01_CONFID /T    /G ADMN_PH:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G PM_GROUP:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G SVCS_PH:F /Y

I see references to icacls.exe, but wasn't sure if there's even a newer technique / tool that should be used.

For icacls.exe, I see references to SIDs but we only want to apply permissions to security groups.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I see that icacls.exe is built into 2016 so I guess that's the best.

Thoughts?

Thanks,
Mike

Last Comment
mike2401

8/22/2022 - Mon
McKnife

icacls is fine, yes.
If you feel you should reuse his scripts, try to use the updated xcacls.vbs instead of xcacls.exe. See https://support.microsoft.com/en-us/help/825751/how-to-use-xcacls-vbs-to-modify-ntfs-permissions (download link included).
mike2401

ASKER
Thanks.  

I'm tinkering with icacls.exe now.  

I see that Xcacls.vbs is only compatible with Microsoft Windows 2000, with Microsoft Windows XP, and with Microsoft Windows Server 2003. Xcacls.vbs is not supported by Microsoft.
ASKER CERTIFIED SOLUTION
oBdA

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
McKnife

Yep. It's not supported and you'd be using it at your own risk. Found it just worth mentioning as it is possibly worth trying to find out what your predecessor's scripts did and it's newer than the old .exe version.
mike2401

ASKER
Wow @oBdA: That's awesome!

I was hoping the :r on the first statement would have removed all pre-existing permissions but it didn't.

I see from the documentation that:

"Grant access rights, with :r, the permissions will replace any previously granted explicit permissions (for the given user)."

What's the best approach to wipe away all the permissions before assigning the new ones?

Thanks so much!

Mike
mike2401

ASKER
Looks like this works:

rem: remove all permissions
ICACLS "f:\test\proj1234" /reset /T /C /L /Q

(I'll do it first)
oBdA

It will remove explicit permissions, but not inherited ones.
To remove inherited permissions as well, you can add
/inheritance:r

to the command ("/inheritance:d" to copy the inherited ones as now explicit ones)
icacls.exe "%1\01_DOCS\01_CONFID" /T /inheritance:r /grant:r ADMN_PH:M

The account running this should be Owner of the folder, otherwise he won't be able to change the permissions anymore after that command!
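
The steps discussed in this thread (reset, cut inheritance, grant the three groups, then check the result) combined into one bat file, as an added example that is not part of the original posts. The group names come from the old bat file; mapping xcacls `C` to icacls `M` for PM_GROUP, the `(OI)(CI)` inheritance flags and the backup file path are assumptions.

```batch
@echo off
rem Added example, not from the thread. Usage: setperm.bat F:\test\proj1234
rem Group names are the ones in the old bat file. Assumptions: xcacls C maps
rem to icacls M (as in the ADMN_PH:M line above), and the backup file location.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 project_folder
    exit /b 1
)
set "TARGET=%~1\01_DOCS\01_CONFID"
set "BACKUP=%TEMP%\01_CONFID_acl.bak"
if not exist "%TARGET%\" (
    echo Folder not found: "%TARGET%"
    exit /b 1
)

rem 1. Save the current ACLs first (the file is in icacls /restore format).
icacls "%TARGET%" /save "%BACKUP%" /T /C /Q
if errorlevel 1 (
    echo ACL backup failed, nothing was changed.
    exit /b 1
)

rem 2. Drop explicit entries on the folder and everything below it, so the
rem    children carry only what they inherit.
icacls "%TARGET%" /reset /T /C /L /Q

rem 3. On the top folder only: cut inheritance from the parent and set the
rem    three groups in the same command. (OI)(CI) makes files and subfolders
rem    inherit the entries, so no /T is needed here.
rem    Run this as the folder's owner, per the caveat above.
icacls "%TARGET%" /inheritance:r /grant:r "ADMN_PH:(OI)(CI)M" "PM_GROUP:(OI)(CI)M" "SVCS_PH:(OI)(CI)F"
if errorlevel 1 (
    echo Setting permissions failed, see the icacls output above.
    exit /b 1
)

rem 4. Verify: show the result and flag any entry still marked (I) = inherited.
icacls "%TARGET%"
icacls "%TARGET%" | findstr /C:"(I)" >nul && echo WARNING: inherited entries remain on "%TARGET%"
endlocal
```

Doing the inheritance cut and the grants in a single icacls call means the folder is never left with an empty ACL between two commands.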
mike2401

ASKER
You rock @oBdA!!!!

I really can't thank you enough.  

There's so much stuff in the brain of the guy who retired and I'm under a lot of pressure trying to get everything squared away.

This was a huge help!!

-Mike
mike2401

ASKER
Thanks!