One of our Windows servers that has some user folders on it has some pretty screwed up permissions. What I want is for SYSTEM and Domain Admins to have full control of all folders. I want the users to have read only on the top-level folder (which is their home folder) and modify on all subfolders and files. This can easily be accomplished through the GUI, but I can't figure out how to script it.

I'm calling icacls from my PowerShell script, because get-acl and set-acl are a major PITA. If I have to use them, I'm not opposed to it, but I imagine that calling icacls will be easier. This is the relevant code that I have so far:

# Double quotes are required here: single-quoted strings do not expand $domain and $user
icacls.exe $folder /grant "$domain\$user:(OI)(CI)(M)"
icacls.exe $folder /grant "SYSTEM:(OI)(CI)(F)"
icacls.exe $folder /grant "$domain\domain admins:(OI)(CI)(F)"

As you can see, I'm giving modify to the user for everything with icacls.exe $folder /grant "$domain\$user:(OI)(CI)(M)". I can't figure out how to make that Modify apply only to subfolders and files while granting read-only to the top level folder.

The desired permission structure would look like this (just for clarity):

-Users
--M
---Marra (read only to me)
----Documents (Modify)
----Scripts (Modify)
----Etc (Modify)

What is the right icacls syntax for this, or how can I do it natively in PS with set-acl?

MDMarra
  • If you can set the desired permissions in the GUI, then just do this manually for one folder, and afterward see what they look like with "icacls $folder". – Klaus Hartnegg May 05 '15 at 15:35
  • You should make it more clear that $folder refers to $server\Users\M\Marra – JJS Jul 22 '16 at 22:31
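
The question also asks how to do this natively with Set-Acl, and none of the answers cover that, so here is an added example (not code from the question or from any answer) that builds the requested layout with Get-Acl/Set-Acl. The path D:\Users\M\Marra is assumed (only \Users\M\Marra comes from the question and the comment above), CONTOSO and marra are placeholder domain and user names, and the top-level rights follow the (R,WD,AD) set MDMarra reports needing in the comments on the accepted answer. It needs PowerShell 3.0 or later and should be run elevated on the file server.

```powershell
# Added example, not code from the question or any answer: the requested layout
# built with Get-Acl/Set-Acl instead of icacls. Mapping of icacls flags to .NET:
#   (OI)(CI)  ->  InheritanceFlags ContainerInherit, ObjectInherit
#   (IO)      ->  PropagationFlags InheritOnly (ACE applies below, not here)
#   (M)       ->  FileSystemRights Modify
# $homeRoot, $domain and $user are placeholders; run elevated on the file server.
$homeRoot = 'D:\Users\M\Marra'   # assumed drive; only \Users\M\Marra is from the question
$domain   = 'CONTOSO'            # placeholder domain
$user     = 'marra'              # placeholder user

$folderAndBelow = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$inheritOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$noPropFlags    = [System.Security.AccessControl.PropagationFlags]::None

# Small helper (assumed name) so each ACE fits on one line.
function New-AllowAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$aces = @(
    New-AllowAce 'NT AUTHORITY\SYSTEM'   'FullControl' $folderAndBelow $noPropFlags
    New-AllowAce "$domain\Domain Admins" 'FullControl' $folderAndBelow $noPropFlags
    # Modify everywhere *below* the home folder: InheritOnly is icacls' (IO).
    New-AllowAce "$domain\$user" 'Modify' $folderAndBelow $inheritOnly
    # On the home folder itself: read plus the rights to create files and
    # subfolders (icacls R,WD,AD). No Delete, so the user cannot remove or
    # rename their own top-level folder.
    New-AllowAce "$domain\$user" 'Read, CreateFiles, CreateDirectories' $thisFolderOnly $noPropFlags
)

$acl = Get-Acl -Path $homeRoot
# Stop inheriting from \Users\M ($true) and discard the inherited ACEs rather
# than copying them ($false); this is the Set-Acl form of icacls /inheritance:r.
$acl.SetAccessRuleProtection($true, $false)
# Clear the existing explicit ACEs so only the four rules above remain.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $homeRoot -AclObject $acl

# Children whose inheritance was broken keep their own ACL, so re-enable
# inheritance and drop stale explicit ACEs on everything underneath; this is
# the Set-Acl counterpart of "icacls /reset /T".
Get-ChildItem -LiteralPath $homeRoot -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($old in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$childAcl.RemoveAccessRule($old)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}

# Check the result: on the home folder the user should show Read, CreateFiles,
# CreateDirectories (effective here) plus Modify flagged InheritOnly; on any
# subfolder the user should show only the inherited Modify.
(Get-Acl -Path $homeRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Run it elevated: Set-Acl writes back the owner it read along with the DACL, and an unelevated session typically lacks the privilege to do that for a folder owned by somebody else. The InheritOnly propagation flag is the whole trick; without it the Modify rule would also be effective on the home folder and the user could delete or rename it.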

3 Answers

Change the first line of your script to the following to have it apply only to subfolders and files.

icacls.exe $folder /grant "$domain\$user:(OI)(CI)(IO)(M)"

Then apply this to the top folder.

icacls.exe $folder /grant "$domain\$user:(R)"

Appleoddity
pk.
  • That's accurate to answer my question, but I need the users to be able to create files and sub-folders. To do that, I needed to use (R,WD,AD) for the top-level. – MDMarra May 09 '12 at 17:50
  • Wouldn't the OP want /grant:r to replace any previously granted explicit permissions? If it's screwed up, don't you want to replace what's there? – JJS Jul 22 '16 at 22:32
  • @JJS, `/grant:r` probably wouldn't do anything useful in this case, because it only removes permissions that match the specified inheritance flags. I find the `/reset` option simpler to use. – Harry Johnston Jun 08 '19 at 00:49
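
Putting this answer together with its comments, here is an added example (not code from the question or from this answer) of a complete script: it uses the (IO) trick from the answer, the (R,WD,AD) top-level rights MDMarra reports needing, and /reset plus /inheritance:r rather than /grant:r to clear the existing mess, as Harry Johnston suggests. The domain, user and home-folder path are parameters the caller supplies (the example values in the comments are placeholders); run it elevated on the file server.

```powershell
# Added example, not code from the question or the answer: applies the layout
# the question asks for with icacls. Parameter values are supplied by the
# caller; the examples in the comments are placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $HomeRoot,   # e.g. D:\Users\M\Marra (assumed drive)
    [Parameter(Mandatory = $true)] [string] $Domain,     # e.g. CONTOSO (placeholder)
    [Parameter(Mandatory = $true)] [string] $User        # e.g. marra (placeholder)
)

$account = "$Domain\$User"
$admins  = "$Domain\Domain Admins"

# 1. Throw away the existing ACLs below the home folder. /reset replaces each
#    item's ACL with the inherited defaults, so afterwards every child carries
#    only inherited ACEs. /T recurses, /C continues past items that error,
#    /Q suppresses the per-file success messages.
#    Note: until step 2 runs, the home folder itself inherits whatever \Users\M
#    grants, so keep the two steps together.
icacls.exe $HomeRoot /reset /T /C /Q
if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed with exit code $LASTEXITCODE on $HomeRoot" }

# 2. One call on the home folder: /inheritance:r removes the inherited ACEs, then
#    the explicit ACEs are added. (OI)(CI)(IO) = inherit to subfolders and files
#    but do not apply to this folder; (R,WD,AD) = read plus create file/folder
#    here, with no delete on the folder itself. The ${...} braces keep
#    PowerShell from reading "$account:" as a drive-qualified variable name.
icacls.exe $HomeRoot /inheritance:r `
    /grant "SYSTEM:(OI)(CI)(F)" `
    /grant "${admins}:(OI)(CI)(F)" `
    /grant "${account}:(OI)(CI)(IO)(M)" `
    /grant "${account}:(R,WD,AD)"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE on $HomeRoot" }

# 3. Show what landed. The home folder should list two ACEs for the user, one
#    (R,WD,AD) and one (OI)(CI)(IO)(M); a subfolder should list only the
#    inherited (I)(OI)(CI)(M) entry for the user.
icacls.exe $HomeRoot
$firstSub = Get-ChildItem -LiteralPath $HomeRoot -Directory | Select-Object -First 1
if ($firstSub) { icacls.exe $firstSub.FullName }
```

Because the inheritable ACEs are set once on the home folder, there is no need for /T on the /grant call: Windows propagates them to the children, which step 1 has already returned to inherit-only state. Reading the ACL back with a bare icacls call, as Klaus Hartnegg's comment on the question suggests, is the quickest way to confirm the (IO) entry is marked inherit-only on the folder and has become a plain inherited Modify one level down.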

Grant inheritable modify permission, and set uninheritable denial to delete the folder itself:

icacls folder /deny  user:d
icacls folder /grant user:(oi)(ci)m

This gives them full rights inside the folder, but they cannot modify the folder itself.

Klaus Hartnegg
# Quoted so PowerShell expands $domain and $user but passes the parentheses through to icacls unchanged
icacls $folder /c /grant "$domain\$user:(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)"

This grants MODIFY access to all files and subdirectories, but not delete access to $folder itself.

Marcus