Setting NTFS permissions: is icacls.exe the best method ?


I'm troubleshooting bat files from the IT guy who just retired.  

It uses XCACLS.EXE to set permissions to folders and subfolders.

It seems not to be working and some preliminary research suggests that tool is old-school and not meant for 2012/2016.

The old bat file contains statements like these:
xcacls.exe %1\01_DOCS\01_CONFID /T    /G ADMN_PH:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G PM_GROUP:C /Y
xcacls.exe %1\01_DOCS\01_CONFID /T /E /G SVCS_PH:F /Y

I see references to: icacls.exe  but wasn't sure it there's even a newer technique / tool that should be used.

For icacls.exe, I see references to SID's but we only want to apply permissions to security groups.

I see that icalcls.exe is built into 2016 so I guess that's the best.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

icacls is fine, yes.
If you feel you should reuse his scripts, try to use the updates xcacls.vbs instead of xcacls.exe. See (downloadlink included).
mike2401Author Commented:

I'm tinkering with icacls.exe now.  

I see that Xcacls.vbs is only compatible with Microsoft Windows 2000, with Microsoft Windows XP, and with Microsoft Windows Server 2003. Xcacls.vbs is not supported by Microsoft.
From what I can remember (so try this on a test director first ...), this should be the icacls equivalent to your xcacls commands above.
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant:r ADMN_PH:M
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant   PM_GROUP:M
icacls.exe "%1\01_DOCS\01_CONFID" /T /grant   SVCS_PH:F

Open in new window

As far as I see references to SID's but we only want to apply permissions to security groups is concerned, see the note at the end of icacls /?:

    Sids may be in either numerical or friendly name form. If a numerical
    form is given, affix a * to the start of the SID.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Get a highly available system for cyber protection

The Acronis SDI Appliance is a new plug-n-play solution with pre-configured Acronis Software-Defined Infrastructure software that gives service providers and enterprises ready access to a fault-tolerant system, which combines universal storage and high-performance virtualization.

Yep. It's not supported and you'd be using it at your own risk. Found it just worth mentioning as it is possibly worth trying to find out what your predecessor's scripts did and it's newer than the old .exe version.
mike2401Author Commented:
Wow @oBdA: That's awesome!

I was hoping the :r on the first statement would have removed all pre-existing permissions but it didn't.

I see from the documentation that:

"Grant access rights, with :r, the permissions will replace any previouly granted explicit permissions (for the given user)."

What's the best approach to wipe away all the permissions before assigning the new ones?

Thanks so much!

mike2401Author Commented:
Looks like this works:

rem: remove all permissions
ICACLS "f:\test\proj1234" /reset /T /C /L /Q

(I'll do it first)
It will remove explicit permissions, but not inherited ones.
To remove inherited permissions as well, you can add

Open in new window

to the command ("/inheritance:d" to copy the inherited ones as now explicit ones)
icacls.exe "%1\01_DOCS\01_CONFID" /T /inheritance:r /grant:r ADMN_PH:M

Open in new window

The account running this should be Owner of the folder, otherwise he won't be able to change the permissions anymore after that command!
mike2401Author Commented:
You rock @oBdA!!!!

I really can't thank you enough.  

There's so much stuff in the brain of the guy who retired and I'm under a lot of pressure trying to get everything squared away.

This was a huge help!!

mike2401Author Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.