
I am trying to set the ACL/inheritance for a folder (or file) as follows: icacls /inheritance:r /grant:r "builtin\administrators":(I)(F)

However, this produces an error (icacls doesn't recognize the "(I)" as being valid?).

According to icacls /?, (I) is one of the inheritance rights (along with (OI), (CI), (IO), and (NP)).

When I reset the perms on the object, the icacls command shows: builtin\administrators:(I)(OI)(CI)(F)

So the '(I)' setting IS 'in there'. I suspect I need to go through some hoops to get this where it needs to be (i.e., builtin\administrators:(I)(F)), but after spending the better part of the day searching for examples and trying various routes, I'm still where I started.

Anyone know the trick to this?

  • (I) tells you whether or not a setting is inherited from the parent. You're assigning the setting directly to the object, so it *isn't* inherited from the parent, and it wouldn't make sense to assert that it is. Therefore, when using icacls, (I) is a read-only property. – Harry Johnston Dec 17 '14 at 00:38
  • Ah, I see. Since the requirements that I was working from (IA-related) said to "...ensure the permissions on [the files/directories] are maintained as follows: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F)", I took that literally. My mistake. So, if I'm understanding you correctly, setting them to (OI)(F) would be sufficient. Thank you very much! – Tomi Olivia Dec 17 '14 at 14:27
  • Oops. I meant "(IO)(F)". Need more coffee.. – Tomi Olivia Dec 17 '14 at 14:29
  • "(IO)(F)" is allowed, but does nothing. Without either (CI) or (OI), the permission will not be inherited by child objects, and (IO) prevents the permission from applying to the parent object. So while I'm not sure what permissions you need (since you haven't specified the end goal) that certainly isn't right. Typically one would assign (OI)(CI)(F) on the top-level directory, which would result in (I)(OI)(CI)(F) on child directories and just (I)(F) on files. – Harry Johnston Dec 18 '14 at 00:29
  • Thank you for being so thorough in your explanation. I'm beginning to think the requirements (stated above) should be reworded. My end goal is to create a batch script to set the settings as specified in the requirements on a directory and on one individual file within said directory. – Tomi Olivia Dec 18 '14 at 22:16
  • I have gotten to the point of querying the registry for the name/location of the directory and the name/location of the file and have these stored in local environment variables. However, I am now beginning to think that the second part (i.e., setting the perms/inheritance to the stated requirements) may be a lot tougher than originally expected. I will have to remove all the other perms/inheritance settings and set only those in the specification, and I am still unsure of how that will turn out (i.e., the '(I)(F)' setting will undoubtedly not be shown as per the requirements). – Tomi Olivia Dec 18 '14 at 22:16
  • I believe I will need more clarification (i.e., on the requirements end) prior to continuing with the creation of the script(s). Thank you! – Tomi Olivia Dec 18 '14 at 22:21
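
The layout Harry Johnston describes in the comments above, as an added example that is not part of the original thread: explicit (OI)(CI)(F) grants on the top-level directory, then a read-back showing that (I) appears on the children without ever being assigned. It assumes an elevated PowerShell prompt and English principal names; the acl-demo path, the file names and the Get-AceSummary helper are constructed for illustration.

```powershell
# Added example. Run elevated; the demo path and file names are constructed.
$top  = Join-Path $env:TEMP 'acl-demo'
$sub  = Join-Path $top 'sub'
$file = Join-Path $top 'file.txt'
New-Item -ItemType Directory -Path $top -Force | Out-Null

# Explicit, inheritable grants on the top-level directory only.
# (I) is never passed: icacls reports it but cannot assign it.
icacls $top /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Children created afterwards receive their ACEs by inheritance.
New-Item -ItemType Directory -Path $sub | Out-Null
Set-Content -LiteralPath $file -Value 'sample'

# Render each ACE in icacls notation from the .NET access-rule properties.
function Get-AceSummary([string]$Path) {
    $inh  = [System.Security.AccessControl.InheritanceFlags]
    $prop = [System.Security.AccessControl.PropagationFlags]
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $flags = ''
        if ($ace.IsInherited)                                       { $flags += '(I)'  }
        if ($ace.InheritanceFlags.HasFlag($inh::ObjectInherit))     { $flags += '(OI)' }
        if ($ace.InheritanceFlags.HasFlag($inh::ContainerInherit))  { $flags += '(CI)' }
        if ($ace.PropagationFlags.HasFlag($prop::InheritOnly))      { $flags += '(IO)' }
        if ($ace.PropagationFlags.HasFlag($prop::NoPropagateInherit)) { $flags += '(NP)' }
        $rights = if ($ace.FileSystemRights -eq 'FullControl') { '(F)' }
                  else { "($($ace.FileSystemRights))" }
        '{0}:{1}{2}' -f $ace.IdentityReference, $flags, $rights
    }
}

# Flags each object should show, per the comment quoted above.
$expected = [ordered]@{
    $top  = '(OI)(CI)(F)'      # explicit on the parent
    $sub  = '(I)(OI)(CI)(F)'   # inherited, and passed further down
    $file = '(I)(F)'           # inherited, nothing below a file
}
foreach ($path in $expected.Keys) {
    foreach ($entry in (Get-AceSummary $path)) {
        $ok = $entry.EndsWith(':' + $expected[$path])
        '{0,-5}{1}  {2}' -f $(if ($ok) { 'OK' } else { 'DIFF' }), $path, $entry
    }
}

Remove-Item -LiteralPath $top -Recurse -Force   # clean up the demo tree
```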
