| Home | Register | Members | Search | Windows Vista Tips | File Database | Links |
 |
| Thread Tools | Display Modes |
|
Guest
Posts: n/a
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
I just can't seem to get the right combination of options for icacls. No
matter what deny permission I add, then I cannot access the files at all, even to read or execute. For instance: icacls folder*.jpg /deny Dale  D) /Tshould, as far as I can tell, only add a deny delete permission for me. If I look at the advanced security properties on one of the files, that assumption appears to be confirmed and yet I cannot open the file at all. If I run icacles folder*.jpg /reset /T then the discretionary ACL is removed and inheritance rules allow me to access the files again. With the deny delete permission, I do get a UAC prompt before I can delete the file but I can't even open the file. Any suggestions? -- Dale Preston MCAD C# MCSE, MCDBA "Andrew McLaren" wrote: > "Dale" <> wrote ... > > Does anyone know of a utility that can be used to set the ACLs of a group > > of > > files? In particular, I am trying to keep Windows Media Player 11 from > > wiping out my custom album art and need to remove any modify or delete > > permissions for all users including system and myself. > > Hi Dale, > > icacls.exe is Windows' built-in command line tool, to edit ACLs. > > The syntax is a little bit, uh, convoluted; so be careful you have the right > parameters before you blat 2,000 files. But, it certainly does the job, and > handles wildcards. > > Run "icacls /?" for the syntax and examples. > > There may be 3rd party GUI tools to do the same job, if you don't like the > command line. > > Hope it helps, > -- > Andrew McLaren > amclar (at) optusnet dot com dot au > > |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
Well, being a MCSE does not mean I know everything
 or that colaberationwith others is not a useful and efficient means for solving a problem. It is in my signature here only so it is clear we can talk in technical terms and I will understand. The problem with granting read-only access is that I am part of other groups that have more access - such as Authenticated users and Users. Since granted permissions combine, that still does not protect my files. To remove the inherited permissions from Users and Authenticated users, I have to remove those parent permissions which would remove permissions from the media files and everything else. I'd like to avoid that level of detail in my permissions and to find the simplest way of getting the result. It sure seems to me that denying delete and write should do it but, in Vista, it just doesn't seem to work like it has in previous OSs. -- Dale Preston MCAD C# MCSE, MCDBA "Andrew McLaren" wrote: > "Dale" <> wrote ... > >I just can't seem to get the right combination of options for icacls. No > > matter what deny permission I add, then I cannot access the files at all, > > even to read or execute. For instance: > > Aww c'mon ... any MCSE should be able to work it out :-) > > I suggest you Grant yourself the (R) Read-only permission, rather than > trying to Deny specific rights. Working with specific rights is too > fine--grained for most purposes. A Read-Only permission mask will prevent > you from deleteing, but will still let you read the file. > > -- > Andrew McLaren > amclar (at) optusnet dot com dot au > > > |
|
|
|
|
|||
|
Guest
Posts: n/a
|
> Well, being a MCSE does not mean I know everything
or that colaberation> with others is not a useful and efficient means for solving a problem. It > is I know (and agree) ... I was just joshing with ya :-)) There are many naive users here; with (ahem) naive questions. So it's a pleasure to get an interesting question, from a skilled user. > The problem with granting read-only access is that I am part of other > groups > that have more access - such as Authenticated users and Users. Since > granted > permissions combine, that still does not protect my files. It might take a bit of tweaking to find the right combination of permissions. The original question was "is there an ACL editor?" and I answered: Yes, icacls. But as to how you would actually *use* icacls - well, that is left as an exercise for the reader :-) Often it would be sufficient just to not grant the Delete right, without necessarily specifically Denying it. But note that, if users don't have the Delete permission on a file, they can still delete it,if they have the Delete Subfolders And Files permission on the parent directory. On the whole I suspect you're going to haveto kill inheritance from the parent directory. My personal preference is to avoid Denying rights unless absolutelnecessary - denied rights tend to cause many weird and unexpected permissions errors (in my experience). Better just to not grant the right. An alternative to icacls is SubinACL: http://www.microsoft.com/downloads/d...displaylang=en It's pretty similar, but - - can configure ACLs on many types of object, besides just file system; and - has some better handling for SDDL strings (see http://www.microsoft.com/technet/com...mt/sm1105.mspx) Good luck with it, -- Andrew McLaren amclar (at) optusnet dot com dot au |
|
|
|
|
|||
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Chkdsk utility and disk cleanup utility | Angel12 | Windows Vista Performance | 6 | 02-05-2008 02:40 PM |
| CapsLock utility? | Steve | Windows Vista General Discussion | 6 | 07-04-2007 08:34 PM |
| Setting restore point weekly using Task Scheduler is not setting RP. | Moray | Windows Vista Performance | 0 | 05-23-2007 04:21 PM |
| Setting restore point weekly using Task Scheduler is not setting RP. | Moray | Windows Vista General Discussion | 0 | 05-22-2007 05:03 PM |
| CRC utility | daddy3 | Windows Vista General Discussion | 7 | 07-10-2006 08:30 PM |
Linear Mode
