Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Photo

Icacls help

- - - - -

  • Please log in to reply
4 replies to this topic

#1
roontoon

roontoon
  • Member
  • 7 posts
  • OS:none specified
  • Country: Country Flag
Hi I manage a fairly large school and I want to use Icacls to set permissions on quite a number of our machines that are running XP service pack 3. I would like to set the administrative tools folder that is in the start menu so the students cannot open the folder but only admins can. I am having problems with the syntax. I have seen a number of examples that use a switch that resets the inheritance but it doesn't seem to work correctly. Below is what I am using. Any help will be welcome. Thanks.


Icacls "c:\Documents and Settings\All Users\Start Menu\Programs\Admistrative Tools" /inheritance:r /grant:r "Administrator":(OI)(CI)F

I am getting a invalid parameter error for "/inheritance:f" I am based the above on this article. http://technet.micro...falltrades.aspx

Edited by roontoon, 16 February 2013 - 04:36 PM.



How to remove advertisement from MSFN

#2
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag
Unless something recently changed, I am sure Icacls does not run on Windows XP. Yep, just checked. Not sure how you got any error message other than "NOT A VALID WIN32 APPLICATION".

Someone currently in enterprise IT please correct me but isn't Admistrative Tools just a namespace item that exists only as a shell CLSID from the registry? Back in the early days of WinXP this was locked down through group policy.

By the way, when you get an error using command line permission utilities ( or any other ), the first thing is to make sure is that you run it in an elevated command prompt.

Also, when a specific registry key or file/folder object rejects these command line permission tools, it helps to simply go to that object and have a look at the ACL's ( permissions ) from the "Security" tab ( use right-click context menu > "Sharing and Security" or "Properties" ) which will send you into the official ( but kinda lame ) GUI view of the ACLs currently defined for that object. This is adequate to get an overview of the permission tree, and many times you can successfully edit them. But not always.

A different but better GUI utility for viewing ACL's is AccessEnum from System Internals ( Microsoft ). It is a viewer only but you can quickly right-click jump into the "Security" tab GUI from the program.

Using these can help you visualize and untangle permissions that may have been messed up by any number of problems caused by setup programs, ACL tools, programs like Flash that change them, or even your students who might be experimenting.

EDIT: typos

Edited by CharlotteTheHarlot, 17 February 2013 - 03:14 AM.

... Let him who hath understanding reckon the Number Of The Beast ...


#3
5eraph

5eraph

    Update Packrat

  • MSFN Sponsor
  • 1,137 posts
  • OS:XP Pro x64
  • Country: Country Flag

Donator

You could try xcacls (more info). It's available from the Microsoft Download Center.

Edited by 5eraph, 17 February 2013 - 07:08 AM.


#4
allen2

allen2

    Not really Newbie

  • Member
  • PipPipPipPipPipPipPip
  • 1,812 posts
The right way to lock down properly (as locking shortcut won't avoid the launch of mmc then load any component), is to use the group policies as already said.
For the record, the 2003 icacls included with the SP2 might work on XP.

#5
Joseph_sw

Joseph_sw

    Member

  • Member
  • PipPip
  • 217 posts
  • OS:98SE
  • Country: Country Flag
yeah, without group policies,
stuff like Zeus's NTFS Access can easly undo the ACL settings
http://www.zeus-soft...oads/ntfsaccess




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users



How to remove advertisement from MSFN