
I'm operating on Windows 2012 R2, trying to use a batch file to manage my NTFS perms using icacls. The batch file is almost complete, then I'll be handing it off to someone with far less experience to manage, so I'm trying to make it as easy for him as possible.

I want to automatically REPLACE all perms on the drive root (E:), in case they have been modified. The entire drive will be restored to a known configuration. Then I will set a few perms at the root (administrator, backup, etc.) that will propagate thru inheritance to all subdirectories. (probably these 2 operations are the same icacls call) There are many subdirectories, and different permissions will be applied to each of them. I have the subdirectory part of the batch file complete and successful.

I have been unable to use icacls to REPLACE all permissions on the drive root. I have tried:

ICACLS.EXE "E:" /inheritance:r /grant:r "Administrators":(OI)(CI)F /T /Q

and

ICACLS.EXE "E:" /grant:r "Administrators":(OI)(CI)F /T /Q

both with no success. For testing, I added another group with access to the E:. After the batch file executed successfully to completion, that other group still had access; it was not removed from the ACL of the E:.

Any ideas?

jrbedard
Derek
  • Who is the owner of the root directory? "dir /q" won't show the root owner directly, but "dir "C:\Program Files" /q /ad" will show it for ".." -- the root folder. For me it is "Trusted installer", and I found other folders with that owner where even as admin I cannot use icacls. I can use takeown however to change the owner to builtin\administrators – joeking Jan 18 '17 at 00:45
  • I have taken (or assigned?) ownership to the administrators group on our domain, basically as you indicate. Curiously, when I do that, if you view the properties>>Security>>Advanced it shows that "SYSTEM" is the owner. I *assume* this is equivalent. Either way, I can take ownership to any convenient account. My problem is that I don't know what ICACLS calls to make to achieve my goal. – Derek Jan 19 '17 at 15:56
  • What problem remains? Typically the root of the drive will be owned by TrustedInstaller. This is a virtual user created in Vista for UAC - specifically to prevent even the administrator from modifying system files. From the CMD line, "takeown /f C:\ /A" should change the owner to Builtin\Administrators. Once owned by admin you can use ICACLS to change the permissions. After TAKEOWN succeeds, does ICACLS still fail? – joeking Jan 19 '17 at 18:16
  • I can take ownership at the root, that is not the problem. I want to remove all existing ACEs and establish my own ACEs on the root of the drive. The "/grant:r" syntax will only replace any existing perms for THAT USER. All other perms (for other users) remain. I do not see a way to return the drive root to a known condition using ICACLS. – Derek Jan 20 '17 at 20:12

1 Answer


Hah, interesting... Looks like ICACLS makes it hard to simply replace all the permissions.

So, first step is to use TAKEOWN to change the owner from TrustedInstaller (and voiding your UAC warranty).

Then CACLS C:\ /g builtin\administrators:f

You can also do this with ICACLS /restore, but that requires that you prepare an ACL file. The ACL file has the names of the files in it, making it more annoying to create.

Simple BAT file to do this.

NOTE: ICACLS is really fussy:

  • The ACLFile seems to need to be UTF-16
  • The ACLFile has named files in it, and the names are relative to the path given on the icacls command line.
  • The foldername on the icacls command line cannot have a trailing "\" either.

@echo off
setlocal

:: Change the ACL to "BUILTIN\Administrators:(OI)(CI)(F)"
if exist aclfile.txt del aclfile.txt

if "%~1"=="" echo Requires a filename && exit /b 1

:: The ACL file is required to be UTF-16 encoded, which is why each line
:: is written through "cmd /u". Line 1 is the file name (with extension,
:: hence %~nx1), relative to the directory passed to "icacls /restore";
:: line 2 is the SDDL. There is deliberately no space before ">" so no
:: trailing blank ends up in the name.
:: Use "icacls FILE /save ACLFILE.txt" on a sample
:: file to get the exact SDDL you want to use
cmd /u /c echo %~nx1>aclfile.txt
cmd /u /c echo D:P(A;OICI;FA;;;BA)>>aclfile.txt

:: Ick, trim the trailing \
:: ICACLS is really dumb.
set pathname=%~dp1
set pathname=%pathname:~,-1%
icacls "%pathname%" /restore aclfile.txt
joeking
  • The issue I have is that the "/C" flag is different for CACLS vs ICACLS. On CACLS, it will ignore only NTFS access denied errors. (ICACLS ignores all errors) All other errors (including file path length too long, which I am having in many places) kill the CACLS command on the spot. So now CACLS has left my drive in an unknown state, only some of the perms have been set. I can't help but feel that I must be missing something, it shouldn't be that hard to use ICACLS to set perms on the root of a drive. – Derek Jan 20 '17 at 21:23
  • It's impossible for me to know the state of your drive, but if you are trying to replace all permissions on the drive, then you need to takeown everything first, takeown /f C:\ /a /r /skipsl /d y, then replace the root permissions, and finally "icacls /reset /t" for each thing under root. I don't think you are missing anything, ACLs in Windows are a real pain. See the corrections to the bat file above. – joeking Jan 20 '17 at 21:36
  • I suppose you could be more selective about it ... don't take ownership of everything, but instead use ICACLS /reset /t first, recording the errors. Then takeown only on the items which failed. This only matters if you care to preserve the original ownership of the files. – joeking Jan 20 '17 at 21:42
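As an added example (not part of the original answer or of joeking's batch file), here is the three-step procedure from joeking's comment (take ownership of the whole tree, replace the root permissions, reset everything below the root) written as a PowerShell script for the hand-off. The root step uses Set-Acl with an SDDL string instead of the answer's CACLS / "icacls /restore", because applying a DACL that way discards every existing ACE on the root, which is exactly what "/grant:r" does not do; the previous ACLs are saved first so the change can be audited or rolled back. Everything else is the same takeown and icacls switches quoted in the thread. Assumptions: an elevated PowerShell session on the server, and the values of $Root, $Sddl and $BackupDir, which are placeholders to adjust.

```powershell
# Added example, not the original poster's or answerer's code. Follows the
# takeown -> replace root -> icacls /reset procedure from the comments above,
# with Set-Acl + SDDL substituted for the CACLS / icacls /restore step.
# Assumes an elevated session; $Root, $Sddl and $BackupDir are placeholders.
param(
    [string]$Root = 'E:\',
    # Known-good DACL for the root, in SDDL. "P" = protected (no inheritance
    # from above). Each ACE is Allow, object+container inherit, full access:
    # BA = BUILTIN\Administrators, SY = SYSTEM, BO = Backup Operators.
    # Get the exact string you want with "icacls <sample folder> /save" on a
    # folder you configured by hand, as the answer suggests.
    [string]$Sddl = 'D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;BO)',
    [string]$BackupDir = "$env:ProgramData\acl-reset"
)

$rootNoSlash = $Root.TrimEnd('\')          # icacls rejects a trailing "\"
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Record the current ACLs before touching anything, so the change can be
#    audited and rolled back with "icacls <root> /restore <file>".
$backup = Join-Path $BackupDir "before-$stamp.acl"
& icacls $rootNoSlash /save $backup /T /C /Q
if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /save reported failures; check $backup" }

# 2. Take ownership of the whole tree (joeking's first step) so no ACL that
#    excludes Administrators can block the later steps. /A assigns ownership
#    to the Administrators group, /R recurses, /SKIPSL does not follow
#    symbolic links, /D Y answers the prompt for folders without list access.
& takeown /F $Root /A /R /SKIPSL /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 3. Replace the root DACL wholesale from the SDDL. Only the Access section
#    is written back, so the owner and the SACL are left as they are.
$acl = Get-Acl -Path $Root
$acl.SetSecurityDescriptorSddlForm($Sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $Root -AclObject $acl

# 4. Strip explicit ACEs from everything *below* the root so the root's ACEs
#    propagate by inheritance. The pattern is "<root>\*", not the root
#    itself, so step 3's result is not reset as well. /C keeps going past
#    errors (for example over-long paths); the log shows which paths were
#    not reset, so the operator knows the exact state the drive is in.
$log = Join-Path $BackupDir "reset-$stamp.log"
& icacls "$rootNoSlash\*" /reset /T /C /Q 2>&1 | Out-File -FilePath $log -Encoding utf8
if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /reset reported failures; see $log" }

# 5. Show the operator the resulting root DACL and where the backup went.
$after = (Get-Acl -Path $Root).GetSecurityDescriptorSddlForm('Access')
Write-Host "Root DACL is now: $after"
Write-Host "Previous ACLs saved to: $backup"
```

Run it before the per-subdirectory grants in the hand-off batch file, since step 4 removes every explicit ACE below the root; the subdirectory-specific permissions then get applied on top of a clean, inheriting tree. If preserving original file ownership matters, follow joeking's second suggestion instead: skip step 2, run the reset, and takeown only the paths the log reports as failed.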