Discussion:
Xcacls switches / file permission inheritance
magnum42
2010-04-30 16:31:01 UTC
Hi,

I have a problem with xcacls.vbs
We have 2 groups ready for each folder (one for Read, one for Modification
permissions).

For example :
Fold1
Fold2
    Fold2_Sub1
    Fold2_Sub2
        Fold_2_Sub2_Sub1
        Fold_2_Sub2_Sub2
...
cscript xcacls.vbs "\\server\g$\Share\Fold1" /E /G "DOM\Fold1-R":X /F
cscript xcacls.vbs "\\server\g$\Share\Fold1" /E /G "DOM\Fold1-M":M /F
cscript xcacls.vbs "\\server\g$\Share\Fold2" /E /G "DOM\Fold2-R":X /F
cscript xcacls.vbs "\\server\g$\Share\Fold2" /E /G "DOM\Fold2-M":M /F
cscript xcacls.vbs "\\server\g$\Share\Fold2\Fold2_Sub1" /E /G "DOM\Fold2_Sub1-R":X /F
cscript xcacls.vbs "\\server\g$\Share\Fold2\Fold2_Sub2" /E /G "DOM\Fold2_Sub2-M":M /F
...

When I do this, the read and change groups are OK on the first level, but they
go down every level on the files.
We also tried using the "/SPEC D" switch, but the permissions continue to
inherit every level, most of the time only on the files.

Each folder needs to have their two groups (read and change), but nothing
should inherit down to subfolders, except for the security ACEs put on top,
on the share itself.


I'm tired (and French), so I hope I'm clear enough. Please help.

Thanks a lot.
--
Franck
http://supermarches.faire-le-bon-choix.fr
magnum42
2010-05-05 14:44:01 UTC
Hi,

OK, I found the solution for my problem.
I knew xcacls.exe had been "replaced" by xcacls.vbs, but apparently,
xcacls.vbs has now been "replaced" by icacls.exe ... at least for Windows
Server 2008 (my server). Confusing ...

So it works perfectly with icacls :
Read :
icacls \\server\g$\Services\DFSP /grant DL-S-Services.DFSP-L:(OI)(NP)RX
Write :
icacls \\server\g$\Services\DFSP /grant DL-S-Services.DFSP-M:(OI)(NP)M

These are the correct options (for my needs listed in my first post).

BTW, watch out for the switches. For example, the change/modify permission is :
xcacls.exe : C (Change)
xcacls.vbs : M (Modify)
icacls.exe : M (Modify)
--
Franck
http://supermarches.faire-le-bon-choix.fr
magnum42
2010-05-08 10:42:01 UTC
OK, just a last little update to my post, with what I finally did, if
someone's interested :

On the nodes (so people cannot create files and folders) :
icacls G:\Services\DFSP /grant DL-S-Services.DFSP-L:(OI)(NP)(IO)(RX)
icacls G:\Services\DFSP /grant DL-S-Services.DFSP-M:(OI)(NP)(IO)(M)
icacls G:\Services\DFSP /grant DL-S-Services.DFSP-L:(S,RD,X)
icacls G:\Services\DFSP /grant DL-S-Services.DFSP-M:(S,RD,X)

On the "leaves" (last folders) so people CAN create new folders/files :
icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-L:(OI)(CI)(IO)(RX)
icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-M:(OI)(CI)(IO)(M)
icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-L:(S,RD,X)
icacls G:\Services\DFSP\DAF\CDG /grant DL-S-Services.DFSP.DAF.CDG-M:(S,RD,WD,AD,X)
--
Franck
http://supermarches.faire-le-bon-choix.fr
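
An added example, not part of the original posts: a simplified Python model of the NTFS ACE inheritance flags used in the icacls commands above, showing which folders and files a grant made on Fold2 reaches for each flag combination. It assumes no child has inheritance blocked and models only the OI, CI, NP and IO flags; the tree and the file names are constructed.

```python
# Added example: simplified model of NTFS ACE inheritance flags.
# Tree and file names are constructed; dicts are folders, None is a file.
from collections import namedtuple

Ace = namedtuple("Ace", "trustee flags")   # flags: subset of OI, CI, NP, IO

def inherit(parent, child_is_dir):
    """ACE a child receives from its parent's ACE, or None if nothing is inherited."""
    if parent is None:
        return None
    f = parent.flags
    if not child_is_dir:
        # Files take (OI) ACEs as effective, with every inheritance flag cleared.
        return Ace(parent.trustee, frozenset()) if "OI" in f else None
    if "CI" in f:
        # Effective on the subfolder; (NP) strips the flags so it goes no deeper.
        return Ace(parent.trustee, frozenset() if "NP" in f else f - {"IO"})
    if "OI" in f and "NP" not in f:
        # (OI) alone: the subfolder carries it inherit-only for files further down.
        return Ace(parent.trustee, f | {"IO"})
    return None

def applies_to(tree, root, *flags):
    """Paths under root on which a grant made on root with these flags is effective."""
    hits = []
    def walk(node, path, current):
        if current is not None and "IO" not in current.flags:
            hits.append(path)
        for name, child in (node or {}).items():
            walk(child, path + "\\" + name, inherit(current, isinstance(child, dict)))
    walk(tree, root, Ace("DOM\\Fold2-R", frozenset(flags)))
    return hits

# Constructed layout modelled on the first post, with one file per level.
TREE = {"a.txt": None,
        "Fold2_Sub1": {"b.txt": None},
        "Fold2_Sub2": {"Fold_2_Sub2_Sub1": {"c.txt": None}}}

if __name__ == "__main__":
    for flags in [("OI",), ("OI", "NP"), ("OI", "NP", "IO"), ("OI", "CI", "IO"), ()]:
        label = "".join(f"({x})" for x in flags) or "(none)"
        print(label.ljust(14), applies_to(TREE, "Fold2", *flags))
```

In this model (OI) without (NP) reaches files at every depth while skipping the subfolders themselves, and (OI)(NP) stops at the files directly inside the folder.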