MSFN Forum: Icacls help - MSFN Forum


#1 roontoon


Posted 16 February 2013 - 02:57 PM

Hi, I manage a fairly large school and I want to use Icacls to set permissions on quite a number of our machines that are running XP Service Pack 3. I would like to set the administrative tools folder that is in the start menu so the students cannot open the folder but only admins can. I am having problems with the syntax. I have seen a number of examples that use a switch that resets the inheritance but it doesn't seem to work correctly. Below is what I am using. Any help will be welcome. Thanks.


Icacls "c:\Documents and Settings\All Users\Start Menu\Programs\Admistrative Tools" /inheritance:r /grant:r "Administrator":(OI)(CI)F 


I am getting an invalid parameter error for "/inheritance:f". I based the above on this article: http://technet.micro...falltrades.aspx

This post has been edited by roontoon: 16 February 2013 - 04:36 PM



#2 CharlotteTheHarlot


Posted 16 February 2013 - 10:05 PM

Unless something recently changed, I am sure Icacls does not run on Windows XP. Yep, just checked. Not sure how you got any error message other than "NOT A VALID WIN32 APPLICATION".

Someone currently in enterprise IT please correct me, but isn't Administrative Tools just a namespace item that exists only as a shell CLSID from the registry? Back in the early days of WinXP this was locked down through group policy.

By the way, when you get an error using command line permission utilities ( or any other ), the first thing is to make sure that you run it in an elevated command prompt.

Also, when a specific registry key or file/folder object rejects these command line permission tools, it helps to simply go to that object and have a look at the ACL's ( permissions ) from the "Security" tab ( use right-click context menu > "Sharing and Security" or "Properties" ) which will send you into the official ( but kinda lame ) GUI view of the ACLs currently defined for that object. This is adequate to get an overview of the permission tree, and many times you can successfully edit them. But not always.

A different but better GUI utility for viewing ACL's is AccessEnum from Sysinternals ( Microsoft ). It is a viewer only but you can quickly right-click jump into the "Security" tab GUI from the program.

Using these can help you visualize and untangle permissions that may have been messed up by any number of problems caused by setup programs, ACL tools, programs like Flash that change them, or even your students who might be experimenting.

EDIT: typos

This post has been edited by CharlotteTheHarlot: 17 February 2013 - 03:14 AM


#3 5eraph


Posted 17 February 2013 - 06:50 AM

You could try xcacls (more info). It's available from the Microsoft Download Center.

This post has been edited by 5eraph: 17 February 2013 - 07:08 AM


#4 allen2


Posted 17 February 2013 - 07:29 AM

The right way to lock this down properly (as locking the shortcut won't prevent the launch of mmc and then the loading of any component) is to use the group policies, as already said.
For the record, the 2003 icacls included with the SP2 might work on XP.

#5 Joseph_sw


Posted 17 February 2013 - 08:06 PM

Yeah, without group policies,
stuff like Zeus's NTFS Access can easily undo the ACL settings
http://www.zeus-soft...oads/ntfsaccess
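
An added example, not posted by anyone in the thread: a batch script that applies the ACL from post #1 only after checking the two things the replies raise (an elevated prompt, and an icacls build that actually knows /inheritance), then verifies the result. Assumptions: the folder path is the one from post #1 with its spelling corrected, and the grant goes to the built-in Administrators group and SYSTEM by well-known SID rather than to the "Administrator" account; the backup file name is made up for the example.

```batch
@echo off
setlocal
rem Added example, not from the thread. TARGET is the folder from post #1 with
rem its spelling corrected (assumption); change it to match your machines.
set "TARGET=C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools"
set "BACKUP=%TEMP%\admintools-acl.bak"

rem 1. ACL edits need an elevated prompt; "net session" fails for non-admins.
net session >nul 2>&1
if errorlevel 1 (echo Run this from an elevated command prompt.& exit /b 1)

rem 2. icacls must exist and its help text must list the /inheritance switch.
icacls /? 2>nul | findstr /i /c:"/inheritance" >nul
if errorlevel 1 (echo icacls is missing or has no /inheritance switch.& exit /b 2)

if not exist "%TARGET%\" (echo Folder not found: "%TARGET%"& exit /b 3)

rem 3. Save the current ACL first. Roll back later with:
rem    icacls "<parent folder of TARGET>" /restore "%BACKUP%"
icacls "%TARGET%" /save "%BACKUP%" >nul
if errorlevel 1 (echo Could not save the existing ACL.& exit /b 4)

rem 4. Drop inherited entries, then give Full control to Administrators
rem    (*S-1-5-32-544) and SYSTEM (*S-1-5-18). SIDs avoid localized group
rem    names; quoting each grant keeps cmd from parsing the parentheses.
icacls "%TARGET%" /inheritance:r /grant:r "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F"
if errorlevel 1 (echo icacls failed to apply the ACL.& exit /b 5)

rem 5. Verify: no entry may still carry the (I) inherited flag. Explicit
rem    entries for other groups are not removed by step 4, so read the listing.
icacls "%TARGET%"
icacls "%TARGET%" | findstr /c:"(I)" >nul
if not errorlevel 1 (echo Inherited entries are still present.& exit /b 6)
echo ACL applied. Check the listing above for unexpected principals.
```

As posts #4 and #5 point out, this only restricts the Start Menu folder; it does not stop mmc from being launched directly, which is why group policy is the recommended control.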
