Setting Deny Permissions with ICACLS on “This Folder”
ICACLS "{PATH}" /DENY "{AD Group}:(D)"
I want to deny the ability for {AD Group} to delete the parent folder but still have permissions to delete child folders and files. However, when I set the DENY Delete on the parent, it prevents Traverse Folder access to the folder.
I read that this is a synchronize error but if I set (D,S) I can traverse the folder but I can also delete it.
Currently ACL_FILE_IST is the only permission on the folder.
Has anyone seen a workaround?
ICACL COMMANDS
- ICACLS "C:\TEMP\TestPermissions" /GRANT "ACL_FILE_IST:(OI)(CI)(M)"
- ICACLS "C:\TEMP\TestPermissions" /DENY "ACL_FILE_IST:(D)"
ICACLS ACL
testpermissions
D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)
windows permissions ntfs icacls
edited Apr 14 '14 at 22:02
asked Apr 14 '14 at 20:47
Ganske
113
2 Answers
Try and test > icacls "path" /deny ADgroup:(CI)D
answered Apr 14 '14 at 20:52
Ben Lavender
55326
Unfortunately not. I'm still locked out of the folder.
– Ganske
Apr 14 '14 at 20:58
Well, aren't you supposed to make sure at least someone in the DACL has access?
– Ben Lavender
Apr 14 '14 at 21:00
I'm not trying to lock myself out. I want to lock the folder down for other users, so I'm trying to get it right using a dummy account, but it's not working.
– Ganske
Apr 14 '14 at 21:05
Can you paste the ACL here please?
– Ben Lavender
Apr 14 '14 at 21:05
I've added it to the original post. Any insight would be appreciated, Ben. Thanks!
– Ganske
Apr 14 '14 at 22:02
I used the 3rd party tool SETACL to fix the issue. It appears to be working.
SETACL -ON "{PATH}" -OT FILE -ACTN ACE -ACE "N:{AD_GROUP};P:DELETE;I:NP;M:DENY"
answered Apr 15 '14 at 21:28
Ganske
113
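Added example, not part of the original thread: a Python sketch that decodes the two access masks in the question's SDDL and replays the ordered DACL check, showing that the deny ACE written by `icacls ... /DENY ...:(D)` also carries SYNCHRONIZE and so blocks opening the folder. The DELETE-only ACL and the two request masks are constructed assumptions; the DELETE-only ACE stands in for what the SetACL answer's `P:DELETE` is taken to produce.

```python
import re

# Directory access-mask bits from winnt.h
RIGHTS = {0x1: "FILE_LIST_DIRECTORY", 0x2: "FILE_ADD_FILE", 0x4: "FILE_ADD_SUBDIRECTORY",
          0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_TRAVERSE",
          0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
          0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
DELETE, SYNCHRONIZE, LIST_DIR, READ_ATTR = 0x10000, 0x100000, 0x1, 0x80

SID = "S-1-5-21-964777865-1556211951-2005962405-8309"
PAGE_SDDL = f"D:PAI(D;;0x110000;;;{SID})(A;OICI;0x1301bf;;;{SID})"  # from the question
# Assumption: a deny ACE carrying only the DELETE bit, without SYNCHRONIZE.
DELETE_ONLY_SDDL = f"D:PAI(D;;0x10000;;;{SID})(A;OICI;0x1301bf;;;{SID})"
# Constructed requests: a typical folder open (Win32 CreateFile adds SYNCHRONIZE
# and FILE_READ_ATTRIBUTES to the desired access) and a delete of the folder.
OPEN_FOLDER = LIST_DIR | READ_ATTR | SYNCHRONIZE
DELETE_FOLDER = DELETE

def parse_dacl(sddl):
    """Return (type, flag set, mask, sid) for each ACE; expects hex access masks."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _, _, sid = body.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, int(rights, 16), sid))
    return aces

def decode(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def access_check(aces, sid, desired):
    """Ordered DACL walk: a deny ACE wins if it names any still-needed bit."""
    remaining = desired
    for ace_type, flags, mask, ace_sid in aces:
        if ace_sid != sid or "IO" in flags:  # inherit-only ACEs do not apply here
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # bits nobody granted are implicitly denied

if __name__ == "__main__":
    for label, sddl in (("icacls /DENY (D)", PAGE_SDDL), ("DELETE-only deny", DELETE_ONLY_SDDL)):
        aces = parse_dacl(sddl)
        print(label, "-> deny ACE =", decode(aces[0][2]))
        print("  open folder:", access_check(aces, SID, OPEN_FOLDER),
              "| delete folder:", access_check(aces, SID, DELETE_FOLDER))
```

The deny ACE has no `OI`/`CI` flags, so it is not inherited; children still receive the inherited Modify ACE, whose mask includes DELETE.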