xcacls.vbs context question

I'm trying to do something using xcacls.vbs (running locally on a machine):

Assuming the share point is d:, I want our domain users to be able to traverse/read only from c: down through to the "d:\folder\admin" folder level, and then be able to create new files and folders, etc., to their hearts' content inside the admin folder. But they must not be able to delete or rename the admin folder.

For the life of me, I cannot do this with xcacls.vbs.

Since users will already inherit the read rights I'm assigning to them at the root of d:, I tried the following:

STEP 1) grant Modify rights to all folders, subfolders and files:
xcacls d:\folder\admin /e /g "AKRF\Domain Users":M /S /F /T /L

[This adds a second entry for Domain Users under advanced security rights for "This folder, subfolders, and files" granting all Modify rights, including Delete. I don't want Delete, since it allows them to delete the ADMIN folder itself (and also allows them to rename it!)]

STEP 2) revoke the ability to delete the Admin folder itself (just that folder; apparently you can do that with the /SPEC A option):
xcacls d:\folder\admin /e /d "AKRF\Domain Users":A /SPEC A /L

[This adds a third entry for Domain Users under advanced security rights for "This folder only", denying the right to delete at that folder level.]

At this point all the rights look correct, and you can verify them in Windows XP by going into advanced security / effective permissions for a user...

But when you try to go into the ADMIN folder you get "access is denied". The only way to "fix" it is to manually go into the advanced security properties and check "replace permission entries on all child objects"; the rights seem to stay identical, but now you can traverse to under d:\folder\admin.

Does anyone know how to make this work?

Thanks!!




  • gpx

    Per our support engineer:

    I have tried the steps of our ISV. I got the same error. I found that when the option /Spec * was added, the issue is reported.

    1. We can use the

    xcacls d:\folder\admin /e /d "AKRF\Domain Users":A /L

    without /SPEC A

    2. To rename the folder, the Modify access right on its parent folder is required. We can avoid granting the Modify right on the parent folder to prevent the admin folder from being modified.

    -brenda (ISV Buddy Team)



  • FrankUcla

    Timothy,

    I'm trying to uncheck the inherit checkbox on a remote server, but have had no luck without the impersonated account being an administrator on the remote box, which is a security concern for our network admin. Here is the script I'm running:

    xcacls.vbs \\server1\Data\Projects\2005\70051017\FinalReports /G "System":F "Domain\Level One Helpdesk":F "Domain\Domain Admins":F "Domain\foldermanager":F /I Remove /SERVER server1 /USER foldermanager /PASS password

    Any ideas on how to get around the impersonated user needing to be an administrator on the remote server?

    Derrick


  • VbMan_OC

    If you still haven't figured out how to get what you want:

    Step 1:) Turn off inheritance at "d:\folder"
    xcacls "d:\folder" /I REMOVE /e
    [This will turn off inheritance and remove existing permissions.]
    - or -
    xcacls "d:\folder" /I COPY /e
    [This will also turn off inheritance, but keep existing permissions.]

    Step 2:) Permit Read and Execute access to "d:\folder"
    xcacls "d:\folder" /P "AKRF\Domain Users":X /SPEC A /E

    [This enables users to read/traverse into admin, but not create/rename/delete new or existing folders. The "/P" changes existing permissions, whereas "/G" adds a new Access Control Entry (ACE) to the Access Control List (ACL) for the user/group.]

    Step 3:) Permit Read Permissions, Delete Subfolders/Files, Traverse Folder/Execute Files, Read Extended Attributes, Create Folders/Append Data, List Folder/Read Data for "This folder only" access to "d:\folder\admin"
    xcacls "d:\folder\admin" /P "AKRF\Domain Users":B8764321 /SPEC A /E

    [This enables users to create/delete new/existing files/folders in admin but not rename or delete admin.]

    Step 4:) Grant Modify for "Subfolders and Files Only" access to "d:\folder\admin"
    xcacls "d:\folder\admin" /G "AKRF\Domain Users":M /SPEC E /E

    [This enables users to do everything except take ownership/change permissions on new/existing files/folders/subfolders inside admin.]

    This should give you the setup that you are looking for.
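The same four-step layout as VbMan_OC's answer, written as an added PowerShell example rather than anything from this thread, using the System.Security.AccessControl classes instead of xcacls.vbs. The group name and paths (AKRF\Domain Users, D:\folder, D:\folder\admin) are the ones from the question; the `New-AllowAce` and `Show-GroupAces` helpers are my own and are assumptions, not part of xcacls.vbs. The security-relevant point is the one the thread circles around: a folder can be renamed or deleted by anyone holding Delete on the folder itself or "Delete subfolders and files" on its parent, so neither right is granted where it would apply to admin.

```powershell
# Added example (not the poster's script): VbMan_OC's four xcacls.vbs steps
# expressed with Get-Acl/Set-Acl. Run from an elevated prompt on the file server.
# Group and paths are those from the question; adjust for your environment.

$group  = 'AKRF\Domain Users'
$parent = 'D:\folder'
$admin  = Join-Path $parent 'admin'

# Build an Allow ACE for $Identity with the given rights and "applies to" scope.
# The two scopes match xcacls /SPEC A ("This folder only") and /SPEC E
# ("Subfolders and files only") as shown in the Advanced Security dialog.
function New-AllowAce {
    param(
        [string] $Identity,
        [string] $Rights,     # comma-separated FileSystemRights names
        [ValidateSet('ThisFolderOnly', 'SubfoldersAndFilesOnly')]
        [string] $AppliesTo
    )
    if ($AppliesTo -eq 'ThisFolderOnly') {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
    } else {
        $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    }
    $rights = [System.Security.AccessControl.FileSystemRights]$Rights
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, $inherit, $propagate, 'Allow')
}

# Step 1: stop D:\folder inheriting from D:\ but keep the inherited ACEs as
# explicit copies (the xcacls /I COPY variant), then drop whatever explicit
# entries Domain Users now has there.
$acl = Get-Acl -Path $parent
$acl.SetAccessRuleProtection($true, $true)
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)

# Step 2: read/traverse on D:\folder itself only. Deliberately no Modify and
# no DeleteSubdirectoriesAndFiles here: that parent-level right is the second
# way a user could rename or remove "admin".
$acl.AddAccessRule((New-AllowAce $group 'ReadAndExecute' 'ThisFolderOnly'))
Set-Acl -Path $parent -AclObject $acl

# Step 3: on the admin folder itself, allow listing/traversal, creating files
# and folders, and deleting children, but not Delete, so admin cannot be
# renamed or removed.
$acl = Get-Acl -Path $admin
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)
$acl.AddAccessRule((New-AllowAce $group 'ReadAndExecute, CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles' 'ThisFolderOnly'))

# Step 4: Modify on everything created under admin (subfolders and files only).
$acl.AddAccessRule((New-AllowAce $group 'Modify' 'SubfoldersAndFilesOnly'))
Set-Acl -Path $admin -AclObject $acl

# Show what actually landed, with the scope of each ACE, so the result can be
# compared against the Advanced Security dialog before users are let in.
function Show-GroupAces {
    param([string] $Path, [string] $Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags, PropagationFlags
}
Show-GroupAces $parent $group
Show-GroupAces $admin  $group
```

Two things to check after running it: the admin-folder entry should list Delete nowhere in its "This folder only" ACE, and the D:\folder entry should carry neither Modify nor DeleteSubdirectoriesAndFiles. Note that granting "Delete subfolders and files" on admin lets members remove any immediate child of admin regardless of that child's own ACL, which is exactly why the same right is withheld one level up on D:\folder.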

