kretmatt Posted April 23, 2007 Share Posted April 23, 2007 Hi!I just want to do a really easy thing. I want to change the permissions of a folder for a user to the following:allow readingdeny writingI can do this very simple from the properties dialog of the folder, but I want to do it from the commandline.I tryed to use SubInACL.exe like this.subinacl.exe /file M:\ZBSCAN /grant=dpag_admin=reverything seems fine.but than i callsubinacl.exe /file M:\ZBSCAN /deny=dpag_admin=wto ADD the write deny, but it is not added, it replaces my first grant call.About that after the two calls the permissions only setted to deny writing.I allready tryed to turn the order, but then I only get the allow reading setted.I also tryed to use only one command likesubinacl.exe /file M:\ZBSCAN /grant=dpag_admin=r /deny=dpag_admin=wbut nothing works.Can please somebody help my!Thank you very much in advanced!Matze Link to comment Share on other sites More sharing options...
nmX.Memnoch Posted April 23, 2007 Share Posted April 23, 2007 SubInACL is a little tricky. Grab the EXE version of XCACLS and give that a try. Once you 'install' it on one system then XCACLS.EXE can be copied to any other system. Link to comment Share on other sites More sharing options...
kretmatt Posted April 23, 2007 Author Share Posted April 23, 2007 Thanks nmX.Memnochbut I allready tryed XCACLS.EXE.I was unable to set deny settings with this tool.Can you give me a hint how to do this?Thanks Link to comment Share on other sites More sharing options...
nmX.Memnoch Posted April 23, 2007 Share Posted April 23, 2007 Wait...all you want to do is grant that group read access, but not write access? That's easy. If you're only granting read permissions then you don't need to deny write permissions. Read permissions is just that...it only gives them access to look at what's in the directory, not to make any changes.Run the following two commands. The first one will completely revoke any permissions the group already has on directory and all subdirectories/files. The second command will add them back with only read permissions.XCACLS M:\ZBSCAN /T /E /R dpag_adminXCACLS M:\ZBSCAN /T /E /G dpag_admin:RRemember, if it's a domain group then you should specify the group as DOMAIN\dpag_admin. Link to comment Share on other sites More sharing options...
kretmatt Posted April 24, 2007 Author Share Posted April 24, 2007 Hi nmX.MemnochThanks for your reply.But!If you're only granting read permissions then you don't need to deny write permissions.Thats not true, I think!If you do not explicit deny writing, the user is able to write in that folder.I am not sure if the user can change files, but he is able to create files and folders.Don´t ask me why! I do not understand why there are a allow and a deny column, at all.In my oppinion it´s like you said. If some thing is not allowed it is denied.But it seems, Microsoft has another concept for this! With your code I got the problem again. I only had allowed reading, but I do not deny writing.Isn´t there any way to set this little checks!?!?Please! Can somebody help me?!Thanks! Link to comment Share on other sites More sharing options...
[deXter] Posted April 24, 2007 Share Posted April 24, 2007 Just use CACLS like this:CACLS M:\ZBSCAN /G dpag_admin:RIt works- I just tried it out. You'll only be allowed read access. If you try to create any file, you'll get "Access is denied." You shouldn't explictly specify a deny flag. Link to comment Share on other sites More sharing options...
kretmatt Posted April 24, 2007 Author Share Posted April 24, 2007 Hi!Yes, you are right.CACLS M:\ZBSCAN /G dpag_admin:Rwill replace all ACLs, and about that dpag_admin is only allowd to read. But, that is not what I want. I just want to change the authority of this folder for the user dpag_admin.I do this with the /E switch.CACLS M:\ZBSCAN /E /G dpag_admin:RAnd if I don´t explicit deny the writing for him, he gets the rights from the Users group, and is allowed to write.So please, I know what I have to set. I just need to know HOW I can do it.allow readingdeny writingThere must be a way! Can´t believe that I am the only one with this problem!Thanks for your efforts, guys!Matze Link to comment Share on other sites More sharing options...
[deXter] Posted April 24, 2007 Share Posted April 24, 2007 Just do thisCACLS M:\ZBSCAN /G dpag_admin:Rfollowed by CACLS M:\ZBSCAN /E /G user1:FCACLS M:\ZBSCAN /E /G user2:FCACLS M:\ZBSCAN /E /G user3:FWhen you replace the ACLs with the first command, dpag_admin won't get the rights from the Users group. Once that is done, you can explicitly set full access rights to the other users instead of allowing the Users group. If you *want* to set ACLs to a whole Group, then create a special group for dpag_admin or the other users. Link to comment Share on other sites More sharing options...
nmX.Memnoch Posted April 24, 2007 Share Posted April 24, 2007 If you do not explicit deny writing, the user is able to write in that folder.That's incorrect...unless, as you have stated, the user gets higher permissions from another group. By now you could've just set it up using the Security tab of the folder's properties. Personally...I use more groups that give me more granular control. Users that need only read permissions aren't members of a group that has write permissions. It makes things much easier to manage. Link to comment Share on other sites More sharing options...
kretmatt Posted April 24, 2007 Author Share Posted April 24, 2007 I DID IT! I found a freeware tool called SetACL.exe.With this you can just do what I want.You can set every check for allow and deny, without overwriting the other ones.I calledSetACL.exe -on "M:\ZBSCAN" -ot file -actn ace -ace n:dpag_admin;p:read_ex;m:grantto set the three checks for allow read, executeandSetACL.exe -on "M:\ZBSCAN" -ot file -actn ace -ace n:dpag_admin;p:write;m:denyto set the one check for deny write.That is all I want!Thanks for your help!Matze Link to comment Share on other sites More sharing options...
[deXter] Posted April 24, 2007 Share Posted April 24, 2007 I was going to recommend SetACL, but did you read my second reply? Link to comment Share on other sites More sharing options...
kretmatt Posted April 24, 2007 Author Share Posted April 24, 2007 I was going to recommend SetACL, but did you read my second reply?Yes!???What are you trying to tell me?I just want to make changes to one user, not to all, just to set one check! Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now