Vista ACLs problem

I'm getting desperate for help here. Yes, I am an MCSE but this is Vista and
Vista security does not act like any security before it.

Here's the problem: I have scanned the CD covers for my entire CD
collection and saved them as 480x480 pixel images named Folder.jpg in the
corresponding album folder. Windows Media Player 11 insists on resizing
those images to 200x200 pixels. There is nothing in Windows Media Player
that will stop this - in fact, one of the design goals of WMP 11, as stated
by a former senior member of the WMP product team, was to close loopholes
that allowed WMP 10 to not reduce album art to 200x200 pixels. Following
suggestions by that same senior member that setting the Read-Only attribute
will stop the change failed to prevent WMP from trashing the file. My goal
is to stop this behavior by setting the NTFS permissions.

The end result should be that I can read the file but not write or delete
any file matching Folder*.jpg - technically Folder.jpg but the * is required
to make icacls.exe work on subfolders. No program running in my security
context or the SYSTEM security context should be able to write or delete the
file. Windows Media Player and I should be able to change the MP3 files or
other image files in the media library. The only thing blocked should be the
Folder.jpg files.

I use ICACLS.EXE to deny delete or write permissions:

icacls Folder*.jpg /deny DaleD) /T
icacls Folder*.jpg /deny Dale:W /T

As soon as I do one of the above (either one - I don't have to do both) I
cannot delete or write the file but I also cannot read the files. I check
the effective permissions in the security properties and every box is checked
for me except Full Control and Delete in the case of the first example above
and Full Control and all of the write associated permissions in the case of
the second example above. All indications are that I should be able to
access the files for reading.

If I reset the ACLs using:

icacl Folder*.jpg /reset /T

and then use the Security property tab in Windows Explorer to set the
permissions including deny write and deny delete, all works perfectly as
expected. The only problem with this solution is that I would have to
manually, one file at a time, set the permissions for thousands of files.

Does anyone have any help on how to do this with icacls or some other tool
by which I can set permissions en masse?

Thanks,

Dale

--
Dale Preston
MCAD C#
MCSE, MCDBA

Problem solved.

I gave up on ICACLS.EXE and went back to CACLS.EXE. I created an account to
give full control to so that I don't lose access to the files completely and
then I use CACLS to replace the current ACL and give my account and the
newly-created account access as follows::

CACLS Folder*.jpg /T /P Dale:R
CACLS Folder*.jpg /T /E /G AlbumArtAccount:F

Now I, and Windows Media Player when I am logged in, cannot delete or change
the album art but AlbumArtAccount, which never logs in normally, could log in
and delete or change the album art if necessary.

So I rip my files using iTunes to a different folder on the same drive, scan
and add my album art, set the permissions as described above, and then move
the files to the folders monitored by WMP. As long as I always remember to
follow all the steps, I'm fine.

I still keep my album art backed up separately just in case. Afterall, this
is WMP and as soon as the WMP product team finds a way to close this
loophole, they will.

Dale
--
Dale Preston
MCAD C#
MCSE, MCDBA


"Dale" wrote:

> I'm getting desperate for help here. Yes, I am an MCSE but this is Vista and
> Vista security does not act like any security before it.
>
> Here's the problem: I have scanned the CD covers for my entire CD
> collection and saved them as 480x480 pixel images named Folder.jpg in the
> corresponding album folder. Windows Media Player 11 insists on resizing
> those images to 200x200 pixels. There is nothing in Windows Media Player
> that will stop this - in fact, one of the design goals of WMP 11, as stated
> by a former senior member of the WMP product team, was to close loopholes
> that allowed WMP 10 to not reduce album art to 200x200 pixels. Following
> suggestions by that same senior member that setting the Read-Only attribute
> will stop the change failed to prevent WMP from trashing the file. My goal
> is to stop this behavior by setting the NTFS permissions.
>
> The end result should be that I can read the file but not write or delete
> any file matching Folder*.jpg - technically Folder.jpg but the * is required
> to make icacls.exe work on subfolders. No program running in my security
> context or the SYSTEM security context should be able to write or delete the
> file. Windows Media Player and I should be able to change the MP3 files or
> other image files in the media library. The only thing blocked should be the
> Folder.jpg files.
>
> I use ICACLS.EXE to deny delete or write permissions:
>
> icacls Folder*.jpg /deny DaleD) /T
> icacls Folder*.jpg /deny Dale:W /T
>
> As soon as I do one of the above (either one - I don't have to do both) I
> cannot delete or write the file but I also cannot read the files. I check
> the effective permissions in the security properties and every box is checked
> for me except Full Control and Delete in the case of the first example above
> and Full Control and all of the write associated permissions in the case of
> the second example above. All indications are that I should be able to
> access the files for reading.
>
> If I reset the ACLs using:
>
> icacl Folder*.jpg /reset /T
>
> and then use the Security property tab in Windows Explorer to set the
> permissions including deny write and deny delete, all works perfectly as
> expected. The only problem with this solution is that I would have to
> manually, one file at a time, set the permissions for thousands of files.
>
> Does anyone have any help on how to do this with icacls or some other tool
> by which I can set permissions en masse?
>
> Thanks,
>
> Dale
>
> --
> Dale Preston
> MCAD C#
> MCSE, MCDBA