locked
How do I use Icacls to control the use of inheritance RRS feed

  • Question

  • I have a lot of folders like this:

    <DIR>          pia.old
    <DIR>          pia.VS
    <DIR>          PLY
    <DIR>          PML
    <DIR>          psl.VS
    <DIR>          PTH.VS
    <DIR>          rla.VS
    <DIR>          saa.VS
    <DIR>          sbp.VS
    <DIR>          sej
    <DIR>          SER.VS

    These are actually windows profiles with security settings like this: (not inherited as you can see)

    domain1234\mrb:(F)
    NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Administrators:(F)
    domain1234\mrb:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)

    I would like to give the group VS\VSVSD-S-Reset Profiles modify rights to the root folder only of every profile

    Can I do this with the /grant and the /setintegritylevel somehow?


    Freddy


    Wednesday, August 8, 2012 4:08 PM

Answers

  • To remove inheritance

    icacls ROOT-FOLDER-NAME-PATH /inheritance:d

    To add the modify permission to the root folder only

    icacls ROOT-FOLDER-NAME-PATH /grant: "user-name":(m)

    • Proposed as answer by Rick Tan Thursday, August 9, 2012 7:00 AM
    • Marked as answer by Rick Tan Thursday, August 16, 2012 2:03 AM
    Wednesday, August 8, 2012 5:29 PM
  • If you use the switch /T in the cmd line I gave earlier it will go down the list of folders adding only this permission.

    Remember to remove the colon like Rick mentioned.

    • Marked as answer by Rick Tan Thursday, August 16, 2012 2:03 AM
    Thursday, August 9, 2012 3:56 PM

All replies

  • To remove inheritance

    icacls ROOT-FOLDER-NAME-PATH /inheritance:d

    To add the modify permission to the root folder only

    icacls ROOT-FOLDER-NAME-PATH /grant: "user-name":(m)

    • Proposed as answer by Rick Tan Thursday, August 9, 2012 7:00 AM
    • Marked as answer by Rick Tan Thursday, August 16, 2012 2:03 AM
    Wednesday, August 8, 2012 5:29 PM
  • Hi Freddy,

    Thank you for the post.

    Agree with hapkido's reply, just remove colon behind "grant" in the command.

    Moreover, you need to install KB943043 to support inheritance parameter if you use icacls on Windows 2003 server.
    http://support.microsoft.com/kb/943043

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Thursday, August 9, 2012 7:03 AM
  • Hotfixes are never part of the automatic installation of Windows Updates correct?

    You see, I couldn't find it installed.

    I think I have been misunderstood

    Again, I want to give the same permission to a lot of folders, without inherit them to their subfolders. Like this:

    <ROOTDIR>        Profiles
          < SUBDIR>          pia.old
                 <SUBSUBDIR>      xxxx
          < SUBDIR>          pia.VS
                 <SUBSUBDIR>     xxxx

    How do I give permissions to the folders marked SUBDIR only? I am working on a 2003 server

    Thursday, August 9, 2012 8:20 AM
  • If you use the switch /T in the cmd line I gave earlier it will go down the list of folders adding only this permission.

    Remember to remove the colon like Rick mentioned.

    • Marked as answer by Rick Tan Thursday, August 16, 2012 2:03 AM
    Thursday, August 9, 2012 3:56 PM