Well, checking boxes is great if you only have one computer or two and never have to redo it. Once you have a few, it's probably time to script it :)
Here are some basic ones I've used.
To lock down a folder so that no one can delete what they created (a write-only folder, a two-liner):
icacls d:\writeonlyfolder /deny Everyone:(CI)(OI)(DE)
icacls d:\writeonlyfolder /deny Everyone:(CI)(OI)(DC)
So that people can't put any files in a folder (just subfolders):
icacls d:\parentfolder /deny "Domain Users":(WD)
This is a locked-down structure where only the creator of a folder on a share has access to its contents; no one other than administrators can even get into the folder created.
rem we do want administrators and the creator of the folder though to have access
icacls d:\secured /grant:r "Domain Administrators":(OI)(CI)F
icacls d:\secured /grant:r "Creator Owner":(OI)(CI)F
rem allow users to create folders in the parent folder.
icacls d:\secured /grant:r users:WRXM
rem remove any inheritance which could cause issues.
icacls d:\secured /inheritance:r
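As an added example (not part of the original post), this Python script audits saved `icacls d:\secured` output against the creator-only layout above: inheritance removed, Creator Owner holding inheritable full control, and no one but the administrators group holding rights that flow into subfolders. The sample output, the CONTOSO domain and the function names are constructed for illustration.

```python
import re
FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}  # non-rights markers icacls prints
ACE = re.compile(r"^(.*?):((?:\([^)]*\))+)$")   # account:(..)(..) to end of line

def parse_icacls(text, path):
    """Turn saved `icacls <path>` output into a list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]          # first line is prefixed with the path
        m = ACE.match(line.strip())
        if not m:
            continue                         # blank line or "Successfully processed ..."
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        flags = {g for g in groups if g in FLAGS}
        rights = {r for g in groups if g not in FLAGS for r in g.split(",")}
        # Keep only the account name, dropping any DOMAIN\ or BUILTIN\ prefix.
        aces.append({"who": m.group(1).split("\\")[-1].lower(),
                     "flags": flags, "rights": rights})
    return aces

def audit_secured(aces, admins="domain administrators"):
    """Check the creator-only layout; returns a list of findings (empty = OK)."""
    findings = []
    if any("I" in a["flags"] for a in aces):
        findings.append("inherited ACE present: /inheritance:r not applied")
    owner = [a for a in aces if a["who"] == "creator owner"]
    if not any("F" in a["rights"] and {"OI", "CI"} <= a["flags"] for a in owner):
        findings.append("Creator Owner lacks inheritable full control")
    for a in aces:
        inherits = a["flags"] & {"OI", "CI"}
        if inherits and "DENY" not in a["flags"] and a["who"] not in ("creator owner", admins):
            findings.append(f"{a['who']} has rights that flow into subfolders")
    return findings

# Constructed sample output (CONTOSO is a placeholder domain).
GOOD = r"""d:\secured CONTOSO\Domain Administrators:(OI)(CI)(F)
           CREATOR OWNER:(OI)(CI)(IO)(F)
           BUILTIN\Users:(M)

Successfully processed 1 files; Failed processing 0 files"""
BAD = r"""d:\secured BUILTIN\Users:(OI)(CI)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
           CREATOR OWNER:(OI)(CI)(IO)(F)"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_secured(parse_icacls(sample, r"d:\secured")))
```

Pass a different `admins` value if the group in your domain is named differently.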
Background on how Windows file permissions work: