ACL setting utility

Guest

Does anyone know of a utility that can be used to set the ACLs of a group of
files? In particular, I am trying to keep Windows Media Player 11 from
wiping out my custom album art and need to remove any modify or delete
permissions for all users including system and myself.

If I search for Folder.jpg from the root of my media library, I can set the
read-only attribute which, in spite of suggestions from some Microsoft
employees that this will stop the problem, does not stop WMP 11 from
overwriting my album art with 200x200 pixel artwork. I cannot, from the
search results, set the NTFS permissions as a group; I'd have to select each
file, one at a time, to change. With 2000+ files, that really isn't an
option.

The only option left is to use NTFS permissions to block anyone from
changing these files. And if I ever try to delete the files after setting
the permissions, I need to easily return the permissions back to allow me to
edit or delete when I really want to.

So, what I am looking for is a good ACL editor that can do wildcards, etc.

Any suggestions?

Thanks,

Dale
 
Andrew McLaren

Dale said:
Does anyone know of a utility that can be used to set the ACLs of a group of
files? In particular, I am trying to keep Windows Media Player 11 from
wiping out my custom album art and need to remove any modify or delete
permissions for all users including system and myself.

Hi Dale,

icacls.exe is Windows' built-in command-line tool for editing ACLs.

The syntax is a little bit, uh, convoluted; so be careful you have the right
parameters before you blat 2,000 files. But, it certainly does the job, and
handles wildcards.

Run "icacls /?" for the syntax and examples.

There may be 3rd party GUI tools to do the same job, if you don't like the
command line.

Hope it helps,
 
Guest

I just can't seem to get the right combination of options for icacls. No
matter what deny permission I add, then I cannot access the files at all,
even to read or execute. For instance:

icacls folder*.jpg /deny Dale:(D) /T

should, as far as I can tell, only add a deny delete permission for me. If
I look at the advanced security properties on one of the files, that
assumption appears to be confirmed and yet I cannot open the file at all.

If I run

icacls folder*.jpg /reset /T

then the discretionary ACL is removed and inheritance rules allow me to
access the files again.

With the deny delete permission, I do get a UAC prompt before I can delete
the file but I can't even open the file.

Any suggestions?
 
Andrew McLaren

Dale said:
I just can't seem to get the right combination of options for icacls. No
matter what deny permission I add, then I cannot access the files at all,
even to read or execute. For instance:

Aww c'mon ... any MCSE should be able to work it out :)

I suggest you Grant yourself the (R) Read-only permission, rather than
trying to Deny specific rights. Working with specific rights is too
fine-grained for most purposes. A Read-Only permission mask will prevent
you from deleting, but will still let you read the file.
 
Guest

Well, being an MCSE does not mean I know everything :) or that collaboration
with others is not a useful and efficient means for solving a problem. It is
in my signature here only so it is clear we can talk in technical terms and I
will understand.

The problem with granting read-only access is that I am part of other groups
that have more access - such as Authenticated users and Users. Since granted
permissions combine, that still does not protect my files.

To remove the inherited permissions from Users and Authenticated users, I
have to remove those parent permissions which would remove permissions from
the media files and everything else. I'd like to avoid that level of detail
in my permissions and to find the simplest way of getting the result. It
sure seems to me that denying delete and write should do it but, in Vista, it
just doesn't seem to work like it has in previous OSs.
 
Andrew McLaren

Dale said:
Well, being an MCSE does not mean I know everything :) or that collaboration
with others is not a useful and efficient means for solving a problem. It is

I know (and agree) ... I was just joshing with ya :)) There are many naive
users here; with (ahem) naive questions. So it's a pleasure to get an
interesting question, from a skilled user.

Dale said:
The problem with granting read-only access is that I am part of other groups
that have more access - such as Authenticated users and Users. Since granted
permissions combine, that still does not protect my files.

It might take a bit of tweaking to find the right combination of
permissions. The original question was "is there an ACL editor?" and I
answered: Yes, icacls. But as to how you would actually *use* icacls - well,
that is left as an exercise for the reader :)

Often it would be sufficient just to not grant the Delete right, without
necessarily specifically Denying it. But note that, if users don't have the
Delete permission on a file, they can still delete it, if they have the
Delete Subfolders And Files permission on the parent directory. On the whole
I suspect you're going to have to kill inheritance from the parent directory.
My personal preference is to avoid Denying rights unless
absolutely necessary - denied rights tend to cause many weird and unexpected
permissions errors (in my experience). Better just to not grant the right.

An alternative to icacls is SubinACL:
http://www.microsoft.com/downloads/...56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
It's pretty similar, but -
- can configure ACLs on many types of object, besides just file system; and
- has some better handling for SDDL strings (see
http://www.microsoft.com/technet/community/columns/secmgmt/sm1105.mspx)

Good luck with it,
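
The approach suggested in the reply above (grant Read only and remove inheritance from the parent), made reversible with icacls /save and /restore. This is an added example, not part of the original thread; the library root D:\Music and the backup file location are assumptions, and it assumes an icacls build that supports /inheritance.

```powershell
# Added example: lock album-art files read-only and undo the change later.
# $Root and $Backup are hypothetical values; adjust them to your library.
param(
    [string]$Root   = 'D:\Music',
    [string]$Backup = "$env:USERPROFILE\albumart-acls.txt",
    [ValidateSet('Lock', 'Unlock')]
    [string]$Mode   = 'Lock'
)

# icacls stores paths in the backup relative to the starting directory,
# so save and restore are both run from the library root.
Push-Location $Root
try {
    if ($Mode -eq 'Lock') {
        # 1. Record the current DACLs first so the change can be undone.
        icacls 'Folder*.jpg' /save $Backup /T /C
        if ($LASTEXITCODE -ne 0) {
            throw 'icacls /save reported an error; no permissions were changed.'
        }

        # 2. Remove inherited ACEs (Users, Authenticated Users, ...) and leave
        #    explicit Read for the current user and SYSTEM (*S-1-5-18).
        #    /grant:r replaces any earlier explicit grant for the same principal.
        #    Nothing is denied, so reading the files keeps working.
        icacls 'Folder*.jpg' /inheritance:r `
            /grant:r "${env:USERNAME}:(R)" '*S-1-5-18:(R)' /T /C
    }
    else {
        # Put back the DACLs recorded by the Lock step.
        icacls . /restore $Backup /C
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'icacls reported errors; review its output above.'
    }
}
finally {
    Pop-Location
}
```

As the reply above notes, anyone holding Delete Subfolders And Files on the parent folder can still delete these files. Dale's `icacls folder*.jpg /reset /T` is the other way back to the inherited defaults.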
 
