
Icacls help



Hi, I manage a fairly large school and I want to use Icacls to set permissions on quite a number of our machines that are running XP Service Pack 3. I would like to set the Administrative Tools folder that is in the Start Menu so that the students cannot open the folder but admins can. I am having problems with the syntax. I have seen a number of examples that use a switch that resets the inheritance, but it doesn't seem to work correctly. Below is what I am using. Any help will be welcome. Thanks.

Icacls "c:\Documents and Settings\All Users\Start Menu\Programs\Admistrative Tools" /inheritance:r /grant:r "Administrator":(OI)(CI)F 

I am getting an invalid parameter error for "/inheritance:f". I based the above on this article: http://technet.microsoft.com/en-us/magazine/2009.07.geekofalltrades.aspx

Edited by roontoon

Unless something recently changed, I am sure Icacls does not run on Windows XP. Yep, just checked. Not sure how you got any error message other than "NOT A VALID WIN32 APPLICATION".

Someone currently in enterprise IT please correct me, but isn't Administrative Tools just a namespace item that exists only as a shell CLSID from the registry? Back in the early days of WinXP this was locked down through group policy.

By the way, when you get an error using command line permission utilities (or any other), the first thing is to make sure that you run it in an elevated command prompt.

Also, when a specific registry key or file/folder object rejects these command line permission tools, it helps to simply go to that object and have a look at the ACLs (permissions) from the "Security" tab (use right-click context menu > "Sharing and Security" or "Properties"), which will send you into the official (but kinda lame) GUI view of the ACLs currently defined for that object. This is adequate to get an overview of the permission tree, and many times you can successfully edit them. But not always.

A different but better GUI utility for viewing ACLs is AccessEnum from Sysinternals (Microsoft). It is a viewer only, but you can quickly right-click jump into the "Security" tab GUI from the program.

Using these can help you visualize and untangle permissions that may have been messed up by any number of problems caused by setup programs, ACL tools, programs like Flash that change them, or even your students who might be experimenting.

EDIT: typos

Edited by CharlotteTheHarlot
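
A scripted version of the "look at the ACLs first" advice above, as an added example that is not part of either post: it reads the folder's ACL without changing it and flags any Allow entry held by a principal outside an expected set. It assumes PowerShell is installed on the machine; the `$Expected` list is an assumption to adjust, and the default path is the one from the question with the folder name's spelling corrected.

```powershell
# Added example, not from the thread. Read-only: lists the ACL entries on a
# folder and flags Allow entries held by principals outside an expected set.
param(
    # Path from the question (folder name spelling corrected); adjust per machine.
    [string]$Path = 'C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools',
    # Assumption: these are the only principals that should keep access.
    [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "Path not found: $Path"
    exit 1
}

$acl = Get-Acl $Path

# True means the folder no longer inherits entries from its parent.
"Inheritance from parent disabled: $($acl.AreAccessRulesProtected)"

# Full listing, including whether each entry is inherited or set explicitly.
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Allow entries for anyone not in the expected set (comparison is case-insensitive).
$unexpected = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($Expected -notcontains $_.IdentityReference.Value)
})

if ($unexpected.Count -gt 0) {
    "Principals with access outside the expected set:"
    $unexpected | ForEach-Object {
        "  $($_.IdentityReference.Value): $($_.FileSystemRights) (inherited: $($_.IsInherited))"
    }
    exit 2
}

"Only the expected principals hold Allow entries."
```

Running it before and after a permission change shows whether inherited entries for student accounts are still present on the folder.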
