
Usage of SubInACL.exe Please Help


kretmatt


Hi!

I just want to do a really easy thing. I want to change the permissions of a folder for a user to the following:

allow reading

deny writing

I can do this very simply from the properties dialog of the folder, but I want to do it from the command line.

I tried to use SubInACL.exe like this.

subinacl.exe /file M:\ZBSCAN /grant=dpag_admin=r

Everything seems fine.

But then I call

subinacl.exe /file M:\ZBSCAN /deny=dpag_admin=w

to ADD the write deny, but it is not added, it replaces my first grant call.

Because of that, after the two calls the permissions are only set to deny writing.

I already tried to reverse the order, but then I only get the allow reading set.

I also tried to use only one command like

subinacl.exe /file M:\ZBSCAN /grant=dpag_admin=r /deny=dpag_admin=w

but nothing works.

Can somebody please help me!

Thank you very much in advance!

Matze



Wait...all you want to do is grant that group read access, but not write access? That's easy. If you're only granting read permissions then you don't need to deny write permissions. Read permissions is just that...it only gives them access to look at what's in the directory, not to make any changes.

Run the following two commands. The first one will completely revoke any permissions the group already has on the directory and all subdirectories/files. The second command will add them back with only read permissions.

XCACLS M:\ZBSCAN /T /E /R dpag_admin

XCACLS M:\ZBSCAN /T /E /G dpag_admin:R

Remember, if it's a domain group then you should specify the group as DOMAIN\dpag_admin.


Hi nmX.Memnoch

Thanks for your reply.

But!

"If you're only granting read permissions then you don't need to deny write permissions."

That's not true, I think!

If you do not explicitly deny writing, the user is able to write in that folder.

I am not sure if the user can change files, but he is able to create files and folders.

Don't ask me why! I do not understand why there are an allow and a deny column at all.

In my opinion it's like you said. If something is not allowed it is denied.

But it seems, Microsoft has another concept for this! :wacko:

With your code I got the problem again. I only had allowed reading, but I do not deny writing.

Isn't there any way to set these little checks!?!?

Please! Can somebody help me?!

Thanks!


Just use CACLS like this:

CACLS M:\ZBSCAN /G dpag_admin:R

It works; I just tried it out. You'll only be allowed read access. If you try to create any file, you'll get "Access is denied." You shouldn't explicitly specify a deny flag.


Hi!

Yes, you are right.

CACLS M:\ZBSCAN /G dpag_admin:R

will replace all ACLs, and because of that dpag_admin is only allowed to read. But that is not what I want. I just want to change the authority of this folder for the user dpag_admin.

I do this with the /E switch.

CACLS M:\ZBSCAN /E /G dpag_admin:R

And if I don't explicitly deny the writing for him, he gets the rights from the Users group, and is allowed to write.

So please, I know what I have to set. I just need to know HOW I can do it.

allow reading

deny writing

There must be a way! Can't believe that I am the only one with this problem!

Thanks for your efforts, guys!

Matze


Just do this

CACLS M:\ZBSCAN /G dpag_admin:R

followed by

CACLS M:\ZBSCAN /E /G user1:F

CACLS M:\ZBSCAN /E /G user2:F

CACLS M:\ZBSCAN /E /G user3:F

When you replace the ACLs with the first command, dpag_admin won't get the rights from the Users group. Once that is done, you can explicitly set full access rights to the other users instead of allowing the Users group. If you *want* to set ACLs to a whole Group, then create a special group for dpag_admin or the other users.


"If you do not explicit deny writing, the user is able to write in that folder."

That's incorrect...unless, as you have stated, the user gets higher permissions from another group. By now you could've just set it up using the Security tab of the folder's properties. :)

Personally...I use more groups that give me more granular control. Users that need only read permissions aren't members of a group that has write permissions. It makes things much easier to manage.


I DID IT! :thumbup

I found a freeware tool called SetACL.exe.

With this you can just do what I want.

You can set every check for allow and deny, without overwriting the other ones.

I called

SetACL.exe -on "M:\ZBSCAN" -ot file -actn ace -ace n:dpag_admin;p:read_ex;m:grant

to set the three checks for allow read, execute

and

SetACL.exe -on "M:\ZBSCAN" -ot file -actn ace -ace n:dpag_admin;p:write;m:deny

to set the one check for deny write.

That is all I want!

Thanks for your help!

Matze
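
The same result as the two SetACL calls above (an allow ACE for read/execute plus a deny ACE for write, added without replacing the existing ACL) can be reached with the .NET ACL classes from PowerShell. This is an added example, not part of the thread; it reuses the folder and account name from the posts, and the choice to let both ACEs inherit to subfolders and files is an assumption.

```powershell
# Added example (not from the thread): allow read/execute and deny write for
# one account on a folder, keeping every ACE that is already on the folder.
$Path    = 'M:\ZBSCAN'     # folder from the thread
$Account = 'dpag_admin'    # use DOMAIN\dpag_admin for a domain account

# Assumption: both ACEs apply to the folder and are inherited by its
# subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$allowRead = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'ReadAndExecute', $inherit, $propagate, 'Allow')
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Write', $inherit, $propagate, 'Deny')

# Read the current ACL, add both ACEs, write it back.
# AddAccessRule merges with what is there; SetAccessRule or
# SetAccessRuleProtection would replace or cut off existing entries,
# which is the behaviour the thread is trying to avoid.
$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($allowRead)
$acl.AddAccessRule($denyWrite)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: list the ACEs that now name the account. The Deny ACE is what
# overrides write access the user would otherwise get through membership
# in another group such as Users.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -like "*$Account" } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated session as an account that has permission to change the folder's ACL; the final table should show one Deny row with Write and one Allow row with ReadAndExecute for the account.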
