Microsoft Windows Vista Community Forums - Vistaheads

How to use icacls.exe to fully enable users to subfolders/files

microsoft.public.windows.vista.security






#1 (permalink), 01-29-2008, Tom
In an installer, I'm trying to use icacls.exe on Vista to fully enable all
user access to the folder C:\ProgramData\MyApp and all subfolders & files.

Can someone help me out with the perms argument? Specifically, I can't
figure out how to get inheritance to work so that new files and folders
inherit the full rights.

I thought the command below would work, but it won't even run:

C:\Windows\System32\icacls "C:\ProgramData\MyApp\*.*" /T /C /Grant Users:(OI,CI,MA)


#2 (permalink), 01-30-2008, Tom
So, now I've got the syntax right so the command at least runs:

C:\Windows\System32\icacls "C:\Junk*.*" /T /C /Grant Users:(OI)(CI)(MA)

But it still doesn't seem to be working properly.

I need to set the ACL so that even if someone with admin rights creates a
file or folder in or under MyApp, users have full rights over it.


#3 (permalink), 01-30-2008, Tom
Sorry to clutter this thread. I've been working on this for quite some
time, and carefully reading anything I can find on the web on icacls, so
it's not that I haven't at least tried to do my homework.

Below is a command that I *think* should do what I want. I'm having trouble
with the OI and CI parameter syntax.

Any help?

iacls "C:\ProgramData\MyApp*.*" /T /C (OI) (CI) /Grant Users:F

#4 (permalink), 01-30-2008, Jesper
First, what you are trying to do is probably a bad idea. You should not let
low-privileged users write data that is consumed by high-privileged users.

Second, MA stands for Maximum Allowed. It is not a flag you can use when
specifying permissions. It is a flag you use when you try to open an object
and you do not care what permissions you get to the object, nor about
security. In that case, as long as you have any permissions at all you get a
valid handle back with whatever permissions you have. It is virtually always
a bad idea to use MA in any call.

Now, the syntax you want is this:
icacls object /grant user:(flags)(perms)

/t traverses the directory. I presume you have a brand new directory or that
you at least created everything so it inherits permissions from parents? In
that case /t is unnecessary. /c indicates that the command should continue on
file error, such as that the file is locked. More than likely you don't need
that flag either.

The folder specification you state is invalid. C:\ProgramData\MyApp*.* will
set permissions on all objects in C:\ProgramData called MyApp*.*, such as
MyAppFoo.Bar. It will not work if you have a folder called
C:\ProgramData\MyApp.

Assuming that folder was just created and all you want to do is add a
permission to it, this command would suffice:

icacls c:\programdata\myapp /grant Users:(OI)(CI)M

There is lots more on icacls in the book referenced below.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


#5 (permalink), 01-30-2008, Tom
Thanks, Jesper!

I think I'm close to having what I need! The problem I'm trying to solve is
that I have a legacy app that uses an older installer (Wise32) which I'm stuck
with for the time being. It must run, like any installer, with admin rights.

But, it doesn't know anything about the ACL. It creates a series of folders
as admin.

I want to change the entire folder tree so that all users have "Full
Control" security property set, which I believe will let them do anything
with the files/folders that they want. So, I'm not trying to let
low-privileged users write data that is consumed by high-privileged users
(although I appreciate your cautioning me against that). I just want all
users to be able to access files & folders created by an older installer.

And, I want the users group "Full Control" security setting to be inherited
by any new files or folders created in the folder tree.

From my experimentation with the syntax you gave me, I don't think it does
quite that.

Would you be so kind as to suggest syntax that would set the users group so
it has "Full Control" of all files in a tree, and this is inherited by new
files?

Thanks so much!!!

PS Thanks for the book reference. I've already ordered it from Amazon!

#6 (permalink), 01-30-2008, Jesper
Yes, the syntax I gave you gives users modify permissions, not full control.
They can't change the permissions that way, but they can read, write, create
and delete. I set the OI (Object Inherit) and CI (Container Inherit) flags
too. That way any object or container that anyone creates gets these
permissions too.

The only thing I did not do is traverse it down the folder hierarchy in case
other containers and objects underneath myapp did not inherit their
permissions from the parent. There is no really easy way to do that, but you
can handle it by running this command first, before the one I gave you
earlier:
icacls c:\ProgramData\MyApp /reset /t

That will reset the permissions to the default and set the inheritance bit.
When you then run the command I gave you it should set the right permissions
on the whole hierarchy.

Hopefully this will get you there. I still think you should question why you
want users to write data to ProgramData instead of their own personal AppData
folder, but there may be a good reason there.

Oh, and let me know what you think of the book. You can reach me at
http://msinfluentials.com/blogs/jesper.



---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


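The two-step procedure from posts #4 and #6, as an added PowerShell example that is not part of the thread: it resets a scratch tree, applies the inheritable grant on the root, then checks that both existing and newly created objects carry an inherited Users ACE. The scratch folder under %TEMP% and the file names are assumptions.

```powershell
# Added example, not from the thread. $root is a scratch folder (assumption)
# standing in for C:\ProgramData\MyApp; use an elevated prompt for the real path.
$root = Join-Path $env:TEMP 'MyAppAclDemo'
New-Item -ItemType Directory -Path (Join-Path $root 'Sub') -Force | Out-Null
Set-Content -Path (Join-Path $root 'Sub\old.dat') -Value 'created before the grant'

# Step 1 (post #6): put the whole tree back on inherited default ACLs.
icacls $root /reset /t
if ($LASTEXITCODE -ne 0) { throw 'icacls /reset failed' }

# Step 2 (post #4): one inheritable Modify ACE on the root folder only.
# Quote the argument: unquoted, PowerShell parses (OI) and (CI) as expressions.
icacls $root /grant 'Users:(OI)(CI)M'
if ($LASTEXITCODE -ne 0) { throw 'icacls /grant failed' }

# Objects created after the grant, by any account, pick up the ACE.
New-Item -ItemType Directory -Path (Join-Path $root 'NewDir') | Out-Null
Set-Content -Path (Join-Path $root 'NewDir\new.dat') -Value 'created after the grant'

# Check every child for an inherited Allow ACE giving BUILTIN\Users
# (well-known SID S-1-5-32-545) at least Modify.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$sidType = [System.Security.Principal.SecurityIdentifier]
$missing = Get-ChildItem -LiteralPath $root -Recurse -Force | Where-Object {
    # includeExplicit = $false, includeInherited = $true: inherited rules only
    $rules = (Get-Acl -LiteralPath $_.FullName).GetAccessRules($false, $true, $sidType)
    -not ($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-32-545' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    })
}
if ($missing) {
    $missing | ForEach-Object { Write-Warning "No inherited Users ACE: $($_.FullName)" }
} else {
    Write-Output 'Users has inherited Modify on every file and folder below the root.'
}

icacls $root /t    # full listing for manual review
Remove-Item -LiteralPath $root -Recurse -Force
```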