• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Set Windows Permissions from Command Line

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Windows

View previous topic :: View next topic  
Author Message
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Mon Nov 08, 2004 8:17 pm    Post subject: Set Windows Permissions from Command Line Reply with quote

Hi Guys. I really need to know how to set a folder to inherit the permissions from its parent folder, i know how to do this in the gui, but can anyone tell me how to do it via the command line?

Many thanks

Cheers

Craig
Back to top
View user's profile Send private message Visit poster's website
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Mon Nov 08, 2004 8:26 pm    Post subject: Reply with quote

xcacls from the resource kit will allow you to do it.
Back to top
View user's profile Send private message Send e-mail
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Mon Nov 08, 2004 8:27 pm    Post subject: Reply with quote

Thanks for the reply mate. I have been looking at that, but cant work the syntax out.

All i want to do it make X folder inherit permissions from its parent.

I dont supppose you know what the syntax is?

Thanks in advance
Back to top
View user's profile Send private message Visit poster's website
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Mon Nov 08, 2004 8:36 pm    Post subject: Reply with quote

Hmmm... Looks like you would have to use the /t switch on the parent dir and allow it to worm it's way down. I don't see any other way offhand.


XcAcls uses the following syntax:

One Step
xcacls FileName [/t] [/e] [/x] [/c] [/g User:Permissions;Spec] [/r User] [/p User:Permissions;Spec] [...]] [/d User [...]] [/y] [/?|/h]

Parameters

FileName
Indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) is typically applied. All standard wildcard characters can be used.
/t
Recursively walks through the current directory and all of its subdirectories, applying the chosen access rights to the matching files or directories.
/e
Edits the ACL instead of replacing it.
/x
Edits the ACL instead of replacing it; affects only the ACEs that the specified users already own.
/c
Causes XcAcls to continue if an "access denied" error occurs. If /c is omitted, XcAcls stops on this error.
/g User:Permissions;Spec
Grants User access to the matching file or directory. Permissions apply the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
Value Description
R Read
C Change (write)
F Full Control
P Change Permissions (special access)
O Take Ownership (special access)
X Execute (special access)
E Read (Special access)
W Write (Special access)
D Delete (Special access)
T Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value)

Notes

* The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Shared resource permissions in Help and Support Services.
* All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.

/r User
Revokes all access rights for the specified user.
/p User:Permissions;Spec
Replaces access rights for User. Permissions applies the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
Value Description
R Read
C Change (write)
F Full Control
P Change Permissions (special access)
O Take Ownership (special access)
X Execute (special access)
E Read (special access)
W Write (special access)
D Delete (special access)
T Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value.)

Notes

* The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Shared resource permissions in Help and Support Services.
* All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.

/d User
Denies the specified user access to the file or directory.
/y
Disables the confirmation when replacing user access rights. By default, XcAcls asks for confirmation. Because of this feature, when XcAcls is used in a batch routine, the routine stops responding until the right answer is entered. Use the /y parameter when you use XcAcls in batch mode.
Back to top
View user's profile Send private message Send e-mail
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Mon Nov 08, 2004 8:44 pm    Post subject: Reply with quote

Thanks for the reply

i am typing

C:\>xcacls c:\test\1 /t
c:\test\1 LONDON\cjw:(OI)(CI)F

But it does not seem to be applying the permisssions to directory 1 that are set in directory test

Any ideas?
Back to top
View user's profile Send private message Visit poster's website
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Mon Nov 08, 2004 8:55 pm    Post subject: Reply with quote

I don't have a copy of xcacls available so I can't test it, but I would think that you'd need to use the /g switch as well - apply the same permissions to c:\test that already exist, but use the /t switch to copy them down the line?
Back to top
View user's profile Send private message Send e-mail
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Mon Nov 08, 2004 9:29 pm    Post subject: Reply with quote

I think i have got it to work now. How can i set groups in the ACL,

When i type

C:\>xcacls c:\test\1 /g london\test:f administrator:f system:f /c /y

it puts all the users in but not the group test

Any ideas?

Thanks in advance
Back to top
View user's profile Send private message Visit poster's website
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Mon Nov 08, 2004 9:29 pm    Post subject: Reply with quote

dont worry, it now works


Thanks
Back to top
View user's profile Send private message Visit poster's website
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Mon Nov 08, 2004 9:33 pm    Post subject: Reply with quote

what was the final solution?
Back to top
View user's profile Send private message Send e-mail
Microsoft-Man
Just Arrived
Just Arrived


Joined: 05 May 2003
Posts: 1


Offline

PostPosted: Tue Nov 09, 2004 12:19 am    Post subject: Reply with quote

If anyone could still let me know how to inherit permissions via this tool that would be great.

Thanks in advance
Back to top
View user's profile Send private message Visit poster's website
Crazy
Just Arrived
Just Arrived


Joined: 11 Nov 2003
Posts: 6


Offline

PostPosted: Wed Nov 10, 2004 11:09 am    Post subject: Reply with quote

hi

have you read this HOW TO: Use Xcacls.exe to Modify NTFS Permissions

Hope It is helpful

thanks
Back to top
View user's profile Send private message Visit poster's website
burnhard
Just Arrived
Just Arrived


Joined: 17 Nov 2004
Posts: 0


Offline

PostPosted: Wed Nov 17, 2004 10:50 am    Post subject: Reply with quote

hi,

i read the microsoft article but it can`t help me to know how to set the inherit flag. I don`t know if your problem is the same es mine. What i want to do is to set the inherit flag, seen in the advanced security settings in the explorer. As I wrote I can't find a solution in the microsoft article.

If you can tell me how you done it, i would be very thankful.

thanks, Bernhard
Back to top
View user's profile Send private message
dereko04011
Just Arrived
Just Arrived


Joined: 13 Oct 2004
Posts: 0
Location: Brunswick, ME

Offline

PostPosted: Thu Nov 18, 2004 4:48 am    Post subject: Reply with quote

you could just do the 'cacls' command in command prompt, i think it works i never used it though. Thanks for posting this topic i was wondering on ways how to do permissions Smile
Back to top
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger
burnhard
Just Arrived
Just Arrived


Joined: 17 Nov 2004
Posts: 0


Offline

PostPosted: Thu Nov 18, 2004 9:18 am    Post subject: Reply with quote

Hi,

my problem is not how to open cacls.exe. My problem is how to change the inherit settings with cacls or xcacls
Back to top
View user's profile Send private message
AdamV
SF Mod
SF Mod


Joined: 06 Oct 2004
Posts: 24
Location: Leeds, UK

Offline

PostPosted: Thu Nov 18, 2004 6:00 pm    Post subject: Reply with quote

are you trying to force them to inherit but retain some of the old ACL as well, rather than (as the GUI does) replacing completely with an inherited set?

I'm especially interested in this thread because we have a similar issue with our users' profiles and homes at the moment. Many are set up wrong and do not have the user with permissions to their own folder. This is OK as long as they are on server1 and inheriting from a parent folder with wide-open permissions ("Authenticated users in this case). We need to add the user permission to every folder (by hand or CACLS), then change the root and let the existing inheritance take this permission down the structure. Real PITA. This "works" as far as users are concerned but opens a back door to information which I find unacceptable. It also means that when we use FRS to replicate from server1 to server2 they take the implied permission set (ACL) with them rather than the "property" of inheritance so things start to go wrong.

As an exercise to see what it is doing, try copying a file or folder which inherits from its parent, to a folder with different permissions - the original set of permissions will be in force, not a set inherited from the new parent.

<NEWS FLASH> Brainwave! when you then change the new parent's permissions they are now inherited to the step-children that previously did not pick up. This doesn't necessarily help fix our problems but it explains the behaviour better - the "property" of inheritance does follow the file, but the ACL only updates if the parent changes, but then all explicit permissions are lost, just like if you force inheritance from above in the GUI. Damn,

So, the big question here is: are you trying to get an "inheritance only" model or do you need a combined "inheritance plus explicit" model??
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Windows All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register