Xcacls switches / file permission inheritance

Discussion in 'Scripting' started by magnum42, Apr 30, 2010.

  1. magnum42

    magnum42 Guest

    Hi,

    I have a problem with xcacls.vbs.
    We have 2 groups ready for each folder (one for Read, one for Modification
    permissions).

    For example :
    Fold1
    Fold2
    Fold2_Sub1
    Fold2_Sub2
    Fold_2_Sub2_Sub1
    Fold_2_Sub2_Sub2
    ....
    cscript xcacls.vbs "\\server\g$\Share\Fold1" /E /G "DOM\Fold1-R":X /F
    cscript xcacls.vbs "\\server\g$\Share\Fold1" /E /G "DOM\Fold1-M":M /F
    cscript xcacls.vbs "\\server\g$\Share\Fold2" /E /G "DOM\Fold2-R":X /F
    cscript xcacls.vbs "\\server\g$\Share\Fold2" /E /G "DOM\Fold2-M":M /F
    cscript xcacls.vbs "\\server\g$\Share\Fold2\Fold2_Sub1" /E /G "DOM\Fold2_Sub1-R":X /F
    cscript xcacls.vbs "\\server\g$\Share\Fold2\Fold2_Sub2" /E /G "DOM\Fold2_Sub2-M":M /F
    ....

    When I do this, the read and change groups are OK on the first level, but they
    go down every level on the files.
    We also tried using the "/SPEC D" switch, but the permissions continue to
    inherit every level, most of the time only on the files.

    Each folder needs to have their two groups (read and change), but nothing
    should inherit down to subfolders, except for the security ACEs put on top,
    on the share itself.


    I'm tired (and French), so I hope I'm clear enough. Please help.

    Thanks a lot.
     
    magnum42, Apr 30, 2010
    #1

  2. magnum42

    magnum42 Guest

    Hi,

    OK, I found the solution for my problem.
    I knew xcacls.exe had been "replaced" by xcacls.vbs, but apparently,
    xcacls.vbs has now been "replaced" by icacls.exe ... at least for Windows
    Server 2008 (my server). Confusing ...

    So it works perfectly with icacls :
    Read :
    icacls \\server\g$\Services\DFSP /grant DL-S-Services.DFSP-L:(OI)(NP)RX
    Write :
    icacls \\server\g$\Services\DFSP /grant DL-S-Services.DFSP-M:(OI)(NP)M

    These are the correct options (for my needs listed in my first post).

    BTW, watch out for the switches. For example, the change/modify permission is:
    xcacls.exe : C (Change)
    xcacls.vbs : M (Modify)
    icacls.exe : M (Modify)
     
    magnum42, May 5, 2010
    #2

  3. magnum42

    magnum42 Guest

    OK, just a last little update to my post, with what I finally did, if
    someone's interested:

    On the nodes (so people cannot create files and folders) :
    icacls G:\Services\DFSP /grant DL-S-Services.DFSP-L:(OI)(NP)(IO)(RX)
    icacls G:\Services\DFSP /grant DL-S-Services.DFSP-M:(OI)(NP)(IO)(M)
    icacls G:\Services\DFSP /grant DL-S-Services.DFSP-L:(S,RD,X)
    icacls G:\Services\DFSP /grant DL-S-Services.DFSP-M:(S,RD,X)

    On the "leaves" (last folders) so people CAN create new folders/files :
    icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-L:(OI)(CI)(IO)(RX)
    icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-M:(OI)(CI)(IO)(M)
    icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-L:(S,RD,X)
    icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-M:(S,RD,WD,AD,X)
     
    magnum42, May 8, 2010
    #3
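
Added example, not part of the original posts: a simplified Python model of how the icacls inheritance flags used in this thread, (OI), (CI), (NP) and (IO), decide which files and folders below a folder actually receive a granted ACE. The folder names are taken from the thread; the .txt files and the function names `inherit` and `applies_to` are constructed for illustration, and the model assumes no folder blocks inheritance.

```python
# Added example: simplified model of how NTFS inheritance flags spread one ACE.
# Folder names come from the thread; the .txt files are constructed samples.
TREE = {"DFSP/": {"a.txt": None,
                  "DAF/": {"b.txt": None,
                           "CDG/": {"c.txt": None}}}}

def inherit(flags, child_is_dir):
    """Flags a child receives from a parent ACE, or None if it receives nothing."""
    oi, ci, np_ = "OI" in flags, "CI" in flags, "NP" in flags
    if not child_is_dir:
        return set() if oi else None   # files inherit only via OI, never relay
    if np_:
        return set() if ci else None   # NP: the inherited copy loses OI/CI
    if ci:
        return flags - {"IO"}          # effective on the subfolder, keeps spreading
    if oi:
        return flags | {"IO"}          # subfolder only relays the ACE to its files
    return None

def applies_to(flags, tree=TREE):
    """Paths where an ACE granted on the top folder with `flags` is effective."""
    hits = []
    def walk(path, node, f):
        if f is None:
            return
        if "IO" not in f:              # IO = inherit only, not effective here
            hits.append(path)
        for name, child in (node or {}).items():
            walk(path + name, child, inherit(f, name.endswith("/")))
    (root, children), = tree.items()
    walk(root, children, set(flags))
    return hits

if __name__ == "__main__":
    for combo in [(), ("OI",), ("OI", "NP"), ("OI", "NP", "IO"), ("OI", "CI", "IO")]:
        label = "".join(f"({x})" for x in combo) or "(no flags)"
        print(f"{label:16} -> {applies_to(combo)}")
```

In the model, (OI) alone still reaches files at every depth because each subfolder relays the ACE as inherit-only, while adding (NP) stops it at the files directly inside the folder.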
