Setting Deny Permissions with ICACLS on "This Folder"

0

2

ICACLS "{PATH}" /DENY "{AD Group}:(D)"

I want to deny the ability for {AD Group} to delete the parent folder but still have permissions to delete child folders and files. However, when I set the DENY Delete on the parent, it prevents Traverse Folder access to the folder.

I read that this is a synchronize error but if I set (D,S) I can traverse the folder but I can also delete it.

Currently ACL_FILE_IST is the only permission on the folder.

Has anyone seen a workaround?

ICACLS COMMANDS

  • ICACLS "C:\TEMP\TestPermissions" /GRANT "ACL_FILE_IST:(OI)(CI)(M)"
  • ICACLS "C:\TEMP\TestPermissions" /DENY "ACL_FILE_IST:(D)"

ICACLS ACL

testpermissions

D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)

Ganske

Posted 2014-04-14T20:47:09.027

Reputation: 1

Answers

0

Try and test > icacls "path" /deny ADgroup:(CI)D

Ben Lavender

Posted 2014-04-14T20:47:09.027

Reputation: 550

Unfortunately not. I'm still locked out of the folder. – Ganske – 2014-04-14T20:58:13.760

Well aren't you supposed to make sure at least someone in the DACL has access? – Ben Lavender – 2014-04-14T21:00:32.933

I'm not trying to lock myself out. I want to lock the folder down for other users so I'm trying to get it right using a dummy account but it's not working. – Ganske – 2014-04-14T21:05:06.107

Can you paste the acl here please? – Ben Lavender – 2014-04-14T21:05:57.380

I've added it to the original post. Any insight would be appreciated Ben. Thanks! – Ganske – 2014-04-14T22:02:54.053

0

I used the 3rd party tool SETACL to fix the issue. It appears to be working.

SETACL -ON "{PATH}" -OT FILE -ACTN ACE -ACE "N:{AD_GROUP};P:DELETE;I:NP;M:DENY"

Ganske

Posted 2014-04-14T20:47:09.027

Reputation: 1
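
Decoding the access masks in the SDDL string posted in the question, as an added example that is not part of the original posts: the deny ACE's mask 0x110000 is DELETE plus SYNCHRONIZE, so the deny entry covers more than the delete right alone. The function names are hypothetical; the bit values are the standard Windows access-right constants.

```python
import re

# Standard and file-specific access-right bits (winnt.h values).
RIGHTS = {
    0x000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x000002: "FILE_WRITE_DATA/ADD_FILE",
    0x000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA",
    0x000020: "FILE_EXECUTE/TRAVERSE",
    0x000040: "FILE_DELETE_CHILD",
    0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
ACE_TYPES = {"A": "allow", "D": "deny"}
SYNCHRONIZE = 0x100000

def parse_dacl(sddl):
    """Return (type, inherit_flags, mask, rights, trustee) per ACE in an SDDL DACL."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled: " + rights)
        mask = int(rights, 16)
        names = [n for bit, n in sorted(RIGHTS.items()) if mask & bit]
        aces.append((ACE_TYPES.get(ace_type, ace_type), flags, mask, names, sid))
    return aces

def deny_aces_with_synchronize(sddl):
    """Deny ACEs whose mask includes the SYNCHRONIZE bit."""
    return [a for a in parse_dacl(sddl) if a[0] == "deny" and a[2] & SYNCHRONIZE]

# DACL string exactly as posted in the question.
QUESTION_SDDL = ("D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)"
                 "(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)")

if __name__ == "__main__":
    for kind, flags, mask, names, sid in parse_dacl(QUESTION_SDDL):
        print(f"{kind:5} flags={flags or '-':4} mask={mask:#08x} {sid}")
        print("      " + ", ".join(names))
```

The same check can be run against the SDDL of the folder after any change to confirm whether a deny entry still includes SYNCHRONIZE.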