NTFS File permissions using icacls

Started by zemtex, July 15, 2011, 09:35:05 PM

zemtex

Sometimes when programming you want to deploy special permissions for files or folders. In my case I am trying to allow everything except file deletion. When I use the security tab in Windows Explorer, everything works fine, but when I use icacls.exe I cannot cd to the folder, it gives me access denied. I have searched using Google for some days now without luck.

Here is what I do:

First I create a folder:

md Folder

then I remove existing ACL entries:

icacls Folder /inheritance:r

Then I give Full access and at the same time deny child deletion and deletion in the same command:

icacls Folder /grant Administrators:(OI)(CI)(F) /deny Administrators:(OI)(CI)(D,DC)

The permissions for the folder should now be like this (if you do icacls Folder, you will see)

Folder Administrators:(OI)(CI)(DENY)(D,DC)
         Administrators:(OI)(CI)(RX,W,WDAC,WO)

My problem is that when I try to move into the folder ('Cd folder') then it gives me an access denied.

The strange thing is that if I give the folder the exact same permissions using the gui security tab interface, then permission is granted, even though both have the exact same permissions.
I've double checked, both methods give the exact same permissions.

Icacls.exe does not work
   but
GUI security tab window works

Is there an NTFS guru in here to give me a few hints?  :bg


I could always use cacls.exe or download xcacls, but the reason I don't want to use any of these is because icacls ships with the OS and should be good enough, besides cacls.exe is deprecated. There should be no reason to resort to other tools to make basic file permissions work in the command line.  :naughty:

=================================================================
BTW. If a moderator wants to move this thread to the Workshop forum, I realize it fits better over there.
=================================================================
I have been puzzling with lego bricks all my life. I know how to do this. When Peter, at age 6 is competing with me, I find it extremely necessary to show him that I can puzzle bricks better than him, because he is so damn talented that all that is called rational has gone haywire.

dedndave

i am no guru - lol
but, the issue may be one of "ownership", rather than "permission"
after you have created the folder, right-click on it and select the Sharing tab
then, enable sharing for the folder and assign it a sharing name
this is similar to the System Volume Information folder

zemtex

I am already the owner of it. In the sharing window, it shows myself in the list.

zemtex

I'd appreciate a few more tips, this is bugging me a lot lately.  :boohoo:

ToutEnMasm


zemtex

Quote from: ToutEnMasm on July 16, 2011, 04:25:44 PM

Reading this page http://en.wikipedia.org/wiki/Cacls gives other methods to do that



Yes, cacls and xcacls (also 3rd party tools like SetACL) work well. But icacls ships with the OS and I would prefer that basic NTFS tools for the operating system are working properly. Changing NTFS permissions is the most basic thing you can do in an operating system. icacls not working properly is a catastrophe. If I can't get it to work in the near future I will try SetACL.

ToutEnMasm


Quote: Changing NTFS permissions is the most basic thing you can do in an operating system
Not really true. If it is easy with Novell, for example, it can be more difficult with other systems not made for that.

zemtex

Quote from: ToutEnMasm on July 16, 2011, 04:50:50 PM

Quote: Changing NTFS permissions is the most basic thing you can do in an operating system
Not really true. If it is easy with Novell, for example, it can be more difficult with other systems not made for that.


I am not saying it should or should not be easy, all I'm saying is that changing file permissions is a basic function of any operating system, the very first thing you do with incoming files is to set fitting and adequate permissions to them.

ToutEnMasm

What I think is that with Windows you have to make a soap with further tools and search a little with different tricks.
This increases the number of tests needed to reach the goal.

ToutEnMasm


baltoro

ZEMTEX,   
I see an excellent opportunity to write your very own awesome assembly program that reads object security descriptors, and, its DACLs.
Authorization Functions, MSDN
AccessCheck
SECURITY_DESCRIPTOR
Baltoro
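
Added example (not part of the thread and not any poster's code): a small model of the DACL check, following the suggestion above to look at the security descriptor at the level of access masks. It assumes that icacls's simple right D expands to DELETE plus SYNCHRONIZE while the specific right DE is DELETE alone, that changing into a directory requests FILE_TRAVERSE | SYNCHRONIZE, and that the caller's token carries the Administrators group; the helper names are hypothetical.

```python
# Access-mask bits from winnt.h
DELETE            = 0x00010000
SYNCHRONIZE       = 0x00100000
FILE_TRAVERSE     = 0x00000020   # "execute" on a directory
FILE_DELETE_CHILD = 0x00000040
FILE_ALL_ACCESS   = 0x001F01FF

# icacls right names -> masks. ASSUMPTION: the simple right D carries
# SYNCHRONIZE along with DELETE; the specific right DE is DELETE alone.
ICACLS_RIGHTS = {
    "F": FILE_ALL_ACCESS,
    "D": DELETE | SYNCHRONIZE,
    "DE": DELETE,
    "DC": FILE_DELETE_CHILD,
}

# ASSUMPTION: access requested when changing into a directory.
CD_ACCESS = FILE_TRAVERSE | SYNCHRONIZE


def mask_of(rights):
    """Turn an icacls list such as 'D,DC' into one access mask."""
    mask = 0
    for name in rights.split(","):
        mask |= ICACLS_RIGHTS[name.strip()]
    return mask


def build_dacl(deny_rights, grant_rights="F"):
    """Model the post's command: explicit deny ACE first, then the grant
    with the denied bits removed (the post's listing shows a reduced grant)."""
    deny = mask_of(deny_rights)
    return [("deny", deny), ("allow", mask_of(grant_rights) & ~deny)]


def access_check(dacl, desired):
    """Walk ACEs in order: a deny ACE touching any still-needed bit fails
    the request; allow ACEs clear bits until none remain."""
    remaining = desired
    for kind, mask in dacl:
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False


if __name__ == "__main__":
    for rights in ("D,DC", "DE,DC"):   # constructed inputs
        dacl = build_dacl(rights)
        print(rights, "cd:", access_check(dacl, CD_ACCESS),
              "delete:", access_check(dacl, DELETE))
```

Under those assumptions, two ACLs can print with near-identical letters and still differ by the SYNCHRONIZE bit in the deny ACE, which is why comparing raw masks is more reliable than comparing listings.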

zemtex

Quote from: baltoro on July 16, 2011, 07:08:48 PM
ZEMTEX,   
I see an excellent opportunity to write your very own awesome assembly program that reads object security descriptors, and, its DACLs.

The thought crossed my mind. But don't underestimate the work involved. There is lots of work involved with it. LOTS.
You could probably make a half-working solution for the most used actions, but making a complete program is too much work.

baltoro

You're right,...it is a lot of work. The only real advantage is that you know exactly what the executed code is doing.
There are some excellent examples that come with the SDK.
The downside is that if you posted the code and compiled program here at the Forum,...everyone would steal your work.
Baltoro

vanjast

I've noticed that reinstalling (XP+3 in my case) and moving an old USB drive to the new installation gives me security hiccups between my laptop and PC.

As Dave says.. the Ownership thing gets around this, but it's a temporary solution.
Security keys seemed to be GUUI based, so I got around the inter-pc thing by giving limited access to EVERYONE plus sharing folders also helps.

I should have kept track of what I did but I was in a hurry  :P

zemtex

To avoid creating another "windows" thread, I will post another question in this thread.

Do you happen to know when Microsoft implemented ability to issue several commands in the command prompt using ampersand or double-ampersand (for error checking), do you know what year or what ms-operating system that had the ability first?  :snooty:

I think they had it in all NT systems, but I'm not sure with MS-DOS