NTFS permissions added from command line create protected root folder

0

I have 2 types of groups - read-only and read-write - with number per folder:

GROUP1_RO
GROUP1_RW
GROUP2_RO
GROUP2_RW
(...)

I'd like to create such directory tree:

SHARE
|-MAIN_FOLDER1
| |-SUBFOLDERS
| |-FILES
|
|-MAIN_FOLDER2
| |-SUBFOLDERS
| |-FILES
|
|-MAIN_FOLDER3
(...)

Every group has access to it's own MAIN_FOLDER* and group _RO can only read files but _RW can create folders, delete folders and files.

I want protect MAIN_FOLDERS* from being accidentally deleted by this _RW users.

Main goal is to create set of batch/cli commands that will prepare this folders one by one with accurate rights.

Tried to do this with icacls but i had problems with multiple rights ( invalid parameters ).

I did this manually by setting such rights:

    a) Enter Properties > Security > Advanced > Edit...
    b) Uncheck "Include inheritable permissions from this object's parent" and choose "Remove"
    c) Add group GROUP1_RO ( RO ) and set permissions:

            + Allow (( This Folder, subfolders and files ))

            * Traverse Folder / execute file
            * List folder / read data
            * Read attributes
            * Read extendet attributes
            * Read permissions

            - Deny

            * Delete

    e) Add group GROUP1_RW ( RW ) and set permissions:

            + Allow (( This Folder, subfolders and files ))

            * Full control
            - uncheck Take ownership

            - Deny

            * Delete

But setting this all manually for plenty subfolders is painful. Is there any way to setup this by icacls ( or something else ) with different groups?

Greetings & thanks, Mike

mike

Posted 2017-12-04T14:12:06.523

Reputation: 131

Using DENY is bad practice and un-necessary. Assign RO group to have read permission to "this folder, subfolder, and files." Assign RW group permission to "Modify" "subfolders and files" and to "Read" "This folder only." And yes, this can be done with icacls, probably cacls, and powershell amongst others. Without you providing some examples of what you've tried I can't determine you have done a sufficient amount of research to try to answer your own question. – Appleoddity – 2017-12-04T15:53:10.583

@Appleoddity could You provide exact icacls commands to achieve that goal? As You see below there is what I managed myself with icacls. I tried Your version with modify for subfolders and files + read this folder only, and that users can't create new folders in main folder. – mike – 2017-12-06T11:44:43.297

Maybe this will help? http://www.josephspurrier.com/add-or-remove-ntfs-permissions-via-command-line/

– Strepsils – 2017-12-07T09:33:44.993

Answers

0

Maybe I managed to do this in 2 ways:

I) With inheritance:

mkdir MAIN_FOLDER1
icacls MAIN_FOLDER1 /inheritance:d
icacls MAIN_FOLDER1 /remove Everyone
icacls MAIN_FOLDER1 /grant GROUP1_RO:(OI)(CI)(RX)
icacls MAIN_FOLDER1 /grant GROUP1_RW:(OI)(CI)(RX,W,WDAC,DC)
icacls MAIN_FOLDER1 /deny GROUP1_RW:(OI)(CI)(DE)

II) Without inheritance:

mkdir MAIN_FOLDER1
icacls MAIN_FOLDER1 /inheritance:r
icacls MAIN_FOLDER1 /grant "DOMAIN\Domain Admins":(OI)(CI)(F)
icacls MAIN_FOLDER1 /grant "BUILTIN\Administrators":(CI)(F)
icacls MAIN_FOLDER1 /grant GROUP1_RO:(OI)(CI)(RX)
icacls MAIN_FOLDER1 /grant GROUP1_RW:(OI)(CI)(RX,W,WDAC,DC)
icacls MAIN_FOLDER1 /deny GROUP1_RW:(OI)(CI)(DE)

And loops for that actions.

mike

Posted 2017-12-04T14:12:06.523

Reputation: 131

Asked: 2017-12-04T14:12:06.523

Viewed: 903 times

Active: 2017-12-04T15:09:42.047