mike2401 asked:

Setting NTFS permissions: is icacls.exe the best method?

Hello.

I'm troubleshooting bat files from the IT guy who just retired.  

It uses XCACLS.EXE to set permissions to folders and subfolders.

It seems not to be working and some preliminary research suggests that tool is old-school and not meant for 2012/2016.

The old bat file contains statements like these:
xcacls.exe %1\01_DOCS\01_CONFID /T    /G ADMN_PH:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G PM_GROUP:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G SVCS_PH:F /Y

I see references to icacls.exe, but wasn't sure if there's even a newer technique / tool that should be used.

For icacls.exe, I see references to SIDs but we only want to apply permissions to security groups.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I see that icacls.exe is built into 2016 so I guess that's the best.

Thoughts?

Thanks,
Mike
McKnife

icacls is fine, yes.
If you feel you should reuse his scripts, try to use the updated xcacls.vbs instead of xcacls.exe. See https://support.microsoft.com/en-us/help/825751/how-to-use-xcacls-vbs-to-modify-ntfs-permissions (download link included).
mike2401 (ASKER)

Thanks.  

I'm tinkering with icacls.exe now.  

I see that Xcacls.vbs is only compatible with Microsoft Windows 2000, with Microsoft Windows XP, and with Microsoft Windows Server 2003. Xcacls.vbs is not supported by Microsoft.
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.

Yep. It's not supported and you'd be using it at your own risk. Found it just worth mentioning as it is possibly worth trying to find out what your predecessor's scripts did and it's newer than the old .exe version.

Wow @oBdA: That's awesome!

I was hoping the :r on the first statement would have removed all pre-existing permissions but it didn't.

I see from the documentation that:

"Grant access rights, with :r, the permissions will replace any previously granted explicit permissions (for the given user)."

What's the best approach to wipe away all the permissions before assigning the new ones?

Thanks so much!

Mike

Looks like this works:

rem: remove all permissions
ICACLS "f:\test\proj1234" /reset /T /C /L /Q

(I'll do it first)
oBdA

It will remove explicit permissions, but not inherited ones.
To remove inherited permissions as well, you can add
/inheritance:r

to the command ("/inheritance:d" to copy the inherited ones as now explicit ones)
icacls.exe "%1\01_DOCS\01_CONFID" /T /inheritance:r /grant:r ADMN_PH:M

The account running this should be Owner of the folder, otherwise he won't be able to change the permissions anymore after that command!

You rock @oBdA!!!!

I really can't thank you enough.  

There's so much stuff in the brain of the guy who retired and I'm under a lot of pressure trying to get everything squared away.

This was a huge help!!

-Mike
Thanks!
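
The three xcacls.exe lines from the question rewritten for icacls.exe, following oBdA's /inheritance:r and /grant:r advice, with an ACL backup taken first. This is an added example, not code posted by anyone in the thread; the backup file location and the (OI)(CI) inheritance flags are assumptions, and xcacls "C" is mapped to icacls "M" as in oBdA's command.

```bat
@echo off
setlocal
rem Added example, not from the thread. %1 is the project root, as in the old script.
rem Group names come from the question; the backup path below is an assumption.
if "%~1"=="" (
    echo Usage: %~nx0 project-root
    exit /b 1
)
set "PARENT=%~1\01_DOCS"
set "TARGET=%PARENT%\01_CONFID"
set "BACKUP=%TEMP%\01_CONFID_acl_backup.txt"

if not exist "%TARGET%\" (
    echo Folder not found: "%TARGET%"
    exit /b 1
)

rem 1. Save the current ACLs of the whole tree before touching anything.
rem    The saved paths are relative, so a restore is run against the parent:
rem      icacls.exe "%PARENT%" /restore "%BACKUP%"
icacls.exe "%TARGET%" /save "%BACKUP%" /T /C /Q
if errorlevel 1 (
    echo ACL backup failed, nothing was changed.
    exit /b 1
)

rem 2. Top folder only: drop inherited ACEs and replace the three explicit grants.
rem    (OI)(CI) makes each grant inherit to files and subfolders.
rem    xcacls C (Change) becomes icacls M (Modify); F is Full control in both.
rem    Run this as the folder's Owner (see oBdA's note), or the ACL cannot be
rem    changed again afterwards.
icacls.exe "%TARGET%" /inheritance:r /grant:r "ADMN_PH:(OI)(CI)M" "PM_GROUP:(OI)(CI)M" "SVCS_PH:(OI)(CI)F"
if errorlevel 1 (
    echo Setting the ACL on "%TARGET%" failed.
    exit /b 1
)

rem 3. Everything below the top folder: discard explicit ACEs so children
rem    carry only what they inherit from the ACL set in step 2.
icacls.exe "%TARGET%\*" /reset /T /C /Q

rem 4. Print the resulting ACL for review.
icacls.exe "%TARGET%"
endlocal
```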