I recently needed to add a security group to the ACLs of a number of shared folders. The problem was that adding a group to the top level folder and propagating permissions down the folder tree would wipe existing permissions. After some time playing with ICACLS I have managed to put together a command that just did the trick.
A bit of terminology first:
ACE - Access Control Entry - is a single entry in an ACL, such as "GroupA - Read"
ACL - Access Control List - is a collection of ACEs
Effectively the below command adds an ACE to an ACL.
I recommend reading the following article before proceeding:
How Security Descriptors and Access Control Lists Work
http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
This KB article provides documentation for ICACLS:
http://technet.microsoft.com/en-us/library/cc753525(v=ws.10).aspx
Test thoroughly before proceeding!
Now the magic command:
icacls "f:\user" /grant builtin\Administrators:(OI)(CI)(F) /T /c
The above command will grant the Administrators group Full Control permission on folder F:\USER as well as on all sub-folders without affecting inheritance or propagating any other ACEs - this is the key. (OI)(CI) makes the new ACE inherit to files and sub-folders, /T applies the command to everything below the folder, and /c continues past errors instead of stopping. We have to make sure that the user executing the command has full control permission on all folders.
We can replace "builtin\Administrators" with a domain group, for example:
icacls "f:\user" /grant securesenses\Access:(OI)(CI)(F) /T /c
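One way to rehearse the command on a throwaway folder tree before running it against real shares, as an added PowerShell example that is not part of the original post. The test path under %TEMP%, the backup file name and the BUILTIN\Users ACE are assumptions chosen for the rehearsal.

```powershell
# Added example: rehearse the /grant on a disposable tree and confirm that
# existing explicit ACEs survive. Paths and the Users ACE are assumptions.
$Root   = Join-Path $env:TEMP 'icacls-test'
$Sub    = Join-Path $Root 'dept\projects'
$Backup = Join-Path $env:TEMP 'icacls-test.acl'
$Group  = 'BUILTIN\Administrators'
New-Item -ItemType Directory -Path $Sub -Force | Out-Null

# Give one subfolder its own explicit ACE so there is something to lose.
icacls $Sub /grant 'BUILTIN\Users:(OI)(CI)(M)' | Out-Null

# Snapshot the ACLs first. Saved names are relative, so restore with:
#   icacls (Split-Path $Root) /restore $Backup
icacls $Root /save $Backup /T /C | Out-Null

# Explicit (non-inherited) ACEs of a folder as comparable strings.
function Get-ExplicitAce([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)" }
}

$folders = @($Root) + @(Get-ChildItem $Root -Recurse -Directory | ForEach-Object FullName)
$before  = @{}
foreach ($f in $folders) { $before[$f] = @(Get-ExplicitAce $f) }

# The command from the post, run against the test tree.
icacls $Root /grant "${Group}:(OI)(CI)(F)" /T /C | Out-Null

# Report, per folder, whether any earlier ACE vanished and whether the grant landed.
foreach ($f in $folders) {
    $after   = @(Get-ExplicitAce $f)
    $lost    = @($before[$f] | Where-Object { $_ -notin $after })
    $granted = $after -contains "$Group|FullControl|Allow"
    [pscustomobject]@{ Folder = $f; LostAces = $lost.Count; GroupHasFullControl = $granted }
}
```

A folder reporting LostAces greater than 0 or GroupHasFullControl False means the command did not behave as described on that tree, and the saved ACL file can be used to roll back.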