Add a security group to an ACL and propagate the ACE without affecting inheritance

I've recently needed to add a security group to the ACLs of a number of shared folders. The problem was that adding a group to the top-level folder and propagating permissions down the folder tree would wipe existing permissions. After some time playing with ICACLS I managed to put together a command that did the trick.

A bit of terminology first:

ACE - Access Control Entry - a single entry in an ACL, such as "GroupA - Read"
ACL - Access Control List - a collection of ACEs; the DACL is the list that decides who is granted or denied access to the object

Effectively, the command below adds one ACE to the existing ACL of each folder in the tree, leaving everything else in those ACLs as it was.

I recommend reading the following article before proceeding:


How Security Descriptors and Access Control Lists Work

http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx

This KB article provides documentation for ICACLS:
http://technet.microsoft.com/en-us/library/cc753525(v=ws.10).aspx


Now the magic command: 

icacls "f:\user" /grant builtin\Administrators:(OI)(CI)(F) /T /c

The above command grants the Administrators group Full Control on F:\user and on every sub-folder and file beneath it, adding one ACE to each object's existing ACL. It neither changes any inheritance setting nor touches any other ACE - this is the key. The pieces: /grant without the :r suffix appends to the permissions already granted rather than replacing them (if the same principal already holds an explicit ACE, the new rights are merged into it), (OI)(CI) sets the object-inherit and container-inherit flags on the new entry, /T walks the whole tree, and /c carries on past any object that returns an error. The account running the command must be allowed to change permissions on every folder (Full Control includes that right); anything it cannot reach is skipped with an error because of /c, so read the output. Because /T writes the entry explicitly on every object rather than relying on one inherited entry at the root, take a backup first (icacls "f:\user" /save <file> /T) so the change can be reversed with /restore instead of by editing the root alone.

We can replace "builtin\Administrators" with a domain group, for example:

icacls "f:\user" /grant securesenses\Access:(OI)(CI)(F) /T /c

Test thoroughly before proceeding!
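One way to do that testing, as an added example that is not part of the original post: the PowerShell script below snapshots the DACL of every folder under the root, takes an icacls /save backup, runs the grant command from the post, and then checks three things on every folder - that each pre-existing ACE is still there, that the "disable inheritance" setting did not change, and that the new explicit (OI)(CI)(F) entry for the target group is present. $Root and $Principal are placeholders for this example; run it against a test copy of the share first. Pre-existing ACEs belonging to the target principal itself are excluded from the "lost ACE" check because icacls /grant merges new rights into an existing explicit entry for the same principal.

```powershell
# Added example, not part of the original post. Run it against a TEST COPY of the
# share first. $Root and $Principal are placeholders for this example.
param(
    [string]$Root      = 'F:\user',
    [string]$Principal = 'BUILTIN\Administrators'   # or 'DOMAIN\GroupName'
)

function Get-AceKey {
    # One stable string per ACE so the before/after ACE sets can be compared.
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $sid = $Rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    @($sid, [int]$Rule.FileSystemRights, $Rule.AccessControlType, $Rule.IsInherited,
      $Rule.InheritanceFlags, $Rule.PropagationFlags) -join '|'
}

function Get-FolderDacls {
    # Snapshot of every folder's DACL: the protection flag plus the set of ACE keys.
    param([string]$Path)
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force)
    $snap = @{}
    foreach ($f in $folders) {
        $acl = Get-Acl -LiteralPath $f.FullName
        $snap[$f.FullName] = [pscustomobject]@{
            Protected = $acl.AreAccessRulesProtected      # the "disable inheritance" setting
            Keys      = @($acl.Access | ForEach-Object { Get-AceKey $_ })
            Rules     = @($acl.Access)
        }
    }
    $snap
}

$targetSid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value

$before = Get-FolderDacls -Path $Root

# Backup that icacls can replay. /restore is run against the PARENT of $Root because
# the saved paths are relative to it, e.g.  icacls F:\ /restore $backup
$backup = Join-Path $env:TEMP 'acl-backup.txt'
icacls $Root /save $backup /T /C | Out-Null

# The command from the post.
icacls $Root /grant "${Principal}:(OI)(CI)(F)" /T /C

$after    = Get-FolderDacls -Path $Root
$problems = @()
foreach ($path in $before.Keys) {
    $b = $before[$path]; $a = $after[$path]
    if ($b.Protected -ne $a.Protected) { $problems += "$path : inheritance setting changed" }
    foreach ($key in $b.Keys) {
        # icacls /grant merges rights into an existing explicit ACE for the same
        # principal, so a pre-existing ACE for $Principal may legitimately change.
        if ($key.StartsWith("$targetSid|")) { continue }
        if ($a.Keys -notcontains $key) { $problems += "$path : lost ACE $key" }
    }
    $new = $a.Rules | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $targetSid -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
        $_.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    if (-not $new) { $problems += "$path : new (OI)(CI)(F) ACE for $Principal missing" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "OK: $($before.Count) folders kept all existing ACEs and gained the new one" }
```

Any warning printed means a folder did not come out as expected and the saved backup should be restored before going further. The check deliberately compares ACEs by SID rather than by account name, so it works the same for a built-in group and for a domain group.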
