roontoon

Icacls help

5 posts in this topic

Hi, I manage a fairly large school and I want to use Icacls to set permissions on quite a number of our machines that are running XP Service Pack 3. I would like to set the Administrative Tools folder that is in the Start menu so the students cannot open the folder but only admins can. I am having problems with the syntax. I have seen a number of examples that use a switch that resets the inheritance, but it doesn't seem to work correctly. Below is what I am using. Any help will be welcome. Thanks.

Icacls "c:\Documents and Settings\All Users\Start Menu\Programs\Admistrative Tools" /inheritance:r /grant:r "Administrator":(OI)(CI)F 

I am getting an invalid parameter error for "/inheritance:f". I based the above on this article: http://technet.microsoft.com/en-us/magazine/2009.07.geekofalltrades.aspx

Edited by roontoon

Unless something recently changed, I am sure Icacls does not run on Windows XP. Yep, just checked. Not sure how you got any error message other than "NOT A VALID WIN32 APPLICATION".

Someone currently in enterprise IT please correct me, but isn't Administrative Tools just a namespace item that exists only as a shell CLSID from the registry? Back in the early days of WinXP this was locked down through group policy.

By the way, when you get an error using command line permission utilities (or any other), the first thing is to make sure that you run it in an elevated command prompt.

Also, when a specific registry key or file/folder object rejects these command line permission tools, it helps to simply go to that object and have a look at the ACLs (permissions) from the "Security" tab (use right-click context menu > "Sharing and Security" or "Properties"), which will send you into the official (but kinda lame) GUI view of the ACLs currently defined for that object. This is adequate to get an overview of the permission tree, and many times you can successfully edit them. But not always.

A different but better GUI utility for viewing ACLs is AccessEnum from Sysinternals (Microsoft). It is a viewer only, but you can quickly right-click jump into the "Security" tab GUI from the program.

Using these can help you visualize and untangle permissions that may have been messed up by any number of problems caused by setup programs, ACL tools, programs like Flash that change them, or even your students who might be experimenting.

EDIT: typos

Edited by CharlotteTheHarlot

The right way to lock this down properly (as locking the shortcut won't prevent launching mmc and then loading any component) is to use group policies, as already said.

For the record, the 2003 icacls included with the SP2 might work on XP.

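Added example, not part of the thread or any poster's code: the change the first post is after (inheritance removed, full control granted to Administrators), done through the .NET ACL classes with the ACL listed before and checked afterwards, as the second post suggests. It assumes PowerShell 2.0 or later is installed and the session is elevated; the folder path and the function names are assumptions for illustration.

```powershell
# Added example. Assumes PowerShell 2.0+ and an elevated session.
param(
    # Assumed folder path; pass the real folder on your machines.
    [string]$Path = 'C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools'
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-544'

function Get-AceList([string]$Target) {
    # Explicit and inherited ACEs, identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Target).GetAccessRules($true, $true, $sidType)
}

function Set-AdminOnlyAcl([string]$Target) {
    $acl = Get-Acl -Path $Target
    # Protect the DACL and drop inherited ACEs (the effect of /inheritance:r).
    $acl.SetAccessRuleProtection($true, $false)
    # Full control for Administrators, inherited by subfolders and files
    # (the effect of /grant:r Administrators:(OI)(CI)F).
    $ruleArgs = $AdminsSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Target -AclObject $acl
}

function Get-NonAdminAce([string]$Target) {
    # Allow ACEs still held by any principal other than Administrators.
    Get-AceList $Target | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $AdminsSid.Value
    }
}

'ACL before the change:'
Get-AceList $Path | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

Set-AdminOnlyAcl $Path

$left = @(Get-NonAdminAce $Path)
if ($left.Count -gt 0) {
    Write-Warning 'Allow ACEs for other principals remain on the folder:'
    $left | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    'Only Administrators hold an Allow ACE on ' + $Path
}
```

Explicit ACEs that already existed for other principals are reported rather than removed. As the last reply notes, this only restricts the Start menu folder; group policy is what keeps the snap-ins themselves from being loaded.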
