Wednesday, July 31, 2013

Setting Windows permissions from the command line using icacls

Why set permissions from the command line when you can just right click and check or uncheck a few boxes?

Well, checking boxes is great if you only have one or two computers and never have to redo it.  Once you have a few, it's probably time to script it :)

Here are some basic ones I've used:

To lock down a folder so that no one can delete what they created (a write-only folder, two lines):
icacls d:\writeonlyfolder /deny Everyone:(CI)(OI)(DE)
icacls d:\writeonlyfolder /deny Everyone:(CI)(OI)(DC)
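
The two deny commands above, wrapped so they can be run over several folders (an added example, not part of the original post; the folder list and the backup location are assumed values). Inside a batch file the whole `principal:(rights)` argument is quoted so that cmd does not mistake its parentheses for block delimiters.

```batch
@echo off
rem Added example, not from the original post.
rem Applies the write-only deny entries to each folder in the list below.
rem The folder paths and the backup directory are constructed; change them.
setlocal
set "BACKUP=%TEMP%\acl-backup"
set FAILED=0
if not exist "%BACKUP%" mkdir "%BACKUP%"

for %%F in ("d:\writeonlyfolder" "e:\dropbox") do call :lockdown "%%~F"

echo.
echo Folders with errors: %FAILED%
exit /b %FAILED%

:lockdown
if not exist "%~1\" (
    echo SKIP %~1 - not a folder
    set /a FAILED+=1
    goto :eof
)
rem Save the current DACL first so the change can be reviewed later
rem or put back with icacls /restore. The file is named after the folder,
rem so two folders with the same name would overwrite each other here.
icacls "%~1" /save "%BACKUP%\%~n1.acl" /q
if errorlevel 1 goto :fail

rem Deny entries for Everyone also apply to administrators; an admin who
rem needs to clean the folder up has to edit the ACL first.
icacls "%~1" /deny "Everyone:(CI)(OI)(DE)" /q
if errorlevel 1 goto :fail
icacls "%~1" /deny "Everyone:(CI)(OI)(DC)" /q
if errorlevel 1 goto :fail

rem Print the resulting ACL so the new deny entries can be checked by eye.
icacls "%~1"
goto :eof

:fail
echo FAILED %~1
set /a FAILED+=1
goto :eof
```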


So that people can't put any files in a folder (just subfolders):
icacls d:\parentfolder /deny "Domain Users":(WD)

This is a locked-down structure where only the creator of a folder on a share has access to its contents. No one else can even get into the folder that was created, other than administrators.

rem we do want administrators and the creator of the folder to have access, though
icacls d:\secured /grant:r "Domain Administrators":(OI)(CI)F
icacls d:\secured /grant:r "Creator Owner":(OI)(CI)F
rem allow users to create folders in the parent folder.
icacls d:\secured /grant:r users:WRXM
rem remove any inheritance which could cause issues.
icacls d:\secured /inheritance:r

Background on how Windows file permissions work:
