
Setting NTFS permissions: is icacls.exe the best method?

Last Modified: 2019-02-18
Hello.

I'm troubleshooting bat files from the IT guy who just retired.  

It uses XCACLS.EXE to set permissions to folders and subfolders.

It seems not to be working and some preliminary research suggests that tool is old-school and not meant for 2012/2016.

The old bat file contains statements like these:
xcacls.exe %1\01_DOCS\01_CONFID /T    /G ADMN_PH:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G PM_GROUP:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G SVCS_PH:F /Y

I see references to icacls.exe but wasn't sure if there's an even newer technique / tool that should be used.

For icacls.exe, I see references to SIDs but we only want to apply permissions to security groups.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I see that icacls.exe is built into 2016 so I guess that's the best.

Thoughts?

Thanks,
Mike

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
icacls is fine, yes.
If you feel you should reuse his scripts, try to use the updated xcacls.vbs instead of xcacls.exe. See https://support.microsoft.com/en-us/help/825751/how-to-use-xcacls-vbs-to-modify-ntfs-permissions (download link included).

Author

Commented:
Thanks.  

I'm tinkering with icacls.exe now.  

I see that Xcacls.vbs is only compatible with Microsoft Windows 2000, with Microsoft Windows XP, and with Microsoft Windows Server 2003. Xcacls.vbs is not supported by Microsoft.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Yep. It's not supported and you'd be using it at your own risk. Found it just worth mentioning as it is possibly worth trying to find out what your predecessor's scripts did and it's newer than the old .exe version.

Author

Commented:
Wow @oBdA: That's awesome!

I was hoping the :r on the first statement would have removed all pre-existing permissions but it didn't.

I see from the documentation that:

"Grant access rights, with :r, the permissions will replace any previously granted explicit permissions (for the given user)."

What's the best approach to wipe away all the permissions before assigning the new ones?

Thanks so much!

Mike

Author

Commented:
Looks like this works:

rem: remove all permissions
ICACLS "f:\test\proj1234" /reset /T /C /L /Q

(I'll do it first)
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
It will remove explicit permissions, but not inherited ones.
To remove inherited permissions as well, you can add
/inheritance:r

to the command ("/inheritance:d" to copy the inherited ones as now explicit ones)
icacls.exe "%1\01_DOCS\01_CONFID" /T /inheritance:r /grant:r ADMN_PH:M


The account running this should be Owner of the folder, otherwise he won't be able to change the permissions anymore after that command!
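
The reset-then-grant sequence discussed in this thread, put together as one batch file with an ACL backup taken first. This is an added example, not code posted by any participant; the script name, the backup file location and the choice to grant on the top folder with (OI)(CI) instead of using /T are assumptions.

```bat
@echo off
rem Added example (not from the thread). Usage: setperm.cmd <project-root>
rem Run it as the owner of the folder, as noted in the comment above.
setlocal
if "%~1"=="" (echo Usage: %~nx0 ^<project-root^> & exit /b 1)
set "TARGET=%~1\01_DOCS\01_CONFID"
if not exist "%TARGET%\" (echo Folder not found: "%TARGET%" & exit /b 1)

rem 1. Save the current ACLs first. The backup path is an assumption.
rem    To roll back: icacls "<parent folder of TARGET>" /restore "%BACKUP%"
set "BACKUP=%TEMP%\01_CONFID_acl_backup.txt"
icacls "%TARGET%" /save "%BACKUP%" /T /C /Q || exit /b 1

rem 2. Drop explicit ACEs on the folder and everything below it,
rem    leaving only inherited entries (same command as in the thread).
icacls "%TARGET%" /reset /T /C /L /Q || exit /b 1

rem 3. On the top folder only: remove the inherited ACEs and grant the
rem    three groups from the old xcacls script. (OI)(CI) makes files and
rem    subfolders inherit these entries, so /T is not needed here.
rem    xcacls "C" (Change) maps to icacls "M" (Modify); "F" is Full control.
icacls "%TARGET%" /inheritance:r /grant:r ^
    "ADMN_PH:(OI)(CI)M" ^
    "PM_GROUP:(OI)(CI)M" ^
    "SVCS_PH:(OI)(CI)F" || exit /b 1

rem 4. Print the resulting ACL so it can be reviewed.
icacls "%TARGET%"
endlocal
```

After step 3 only the three listed groups have access, so any other account that still needs the folder (for example a backup service) has to be added to the grant list.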

Author

Commented:
You rock @oBdA!!!!

I really can't thank you enough.  

There's so much stuff in the brain of the guy who retired and I'm under a lot of pressure trying to get everything squared away.

This was a huge help!!

-Mike

Author

Commented:
Thanks!
