I am running a batch file as part of a larger application.
If certain conditions are met, a folder is created and permissions applied to the folder using icacls.
I have permission inheritance disabled on the parent folder, and I want to add to the ACL full permissions for the user "testuser".
I tried the following command...
icacls "V:\debugging\test" /grant testuser:F
The command completes successfully, however when logging in to the folder via CIFS, I do not have full permissions.
I can create files and folders but not modify them.
I cannot even rename a text file during creation, so I end up with a new file called 'New text document' and i have no permission to edit this.
What I need to happen is for the permissions to be applied to "V:\debugging\test" that allow me to read, modify and and write without exception and If possible I need those permissions to be inherited by any child folders that may be created.
Can anyone point me in the right direction?
Related
I'm not sure since which version, but the permissions for the files and subfolders inside the C:\ProgramData\Docker folder have changed. I'm not able to display the current owner and I'm not able to delete the contents of the volumes anymore.
Below image shows the permissions over the plugins folder, but every file and folder inside C:\ProgramData\Docker is showing the same thing.
The current user is a member of the groups Administrators and docker-users.
Is this a known issue for anyone and is there a nice way to fix this?
I'm running this command on a folder structure in order for all files and folders to recursively inherit the SYSTEM account with full control (and correct inheritance):
icacls V:\path\*.* /T /C /Q /grant SYSTEM:(OI)(CI)F
This appears to work as expected, but when I go into the advanced permissions settings, there are two permission entries for SYSTEM: One is inherited (as I'd expect), but then there is an additional entry which says "not inherited"..
Is it possible to add a flag so that only the inherited permission entry gets applied?
I'm confused as to why two entries need to be added to each file and folder.
I've thoroughly read the icacls /? documentation and attempted many different combinations to no avail.
Many thanks for any suggestions.
If you inherit permissions from parent and add specific permissions for an account that is already inherited, you will always have 2 (or more) entries for that account.
If you want just the 1 entry, you'll have to either remove the account from parent, or stop inheriting from parent and specifically set permissions.
Someone recently raised a bug against a filter driver I've been working on. They said that I'd made it possible for a limited user to delete Windows files even if they remove the permissions on the file for the user to be able to do that.
I've been looking at it and it's nothing to do with my driver, even a fresh install of Windows allows this. If you:
Logon as a user called "limiteduser" who's a non admin.
Create a text file
Edit the security for the file
Remove inherited permissions and remove "limiteduser" from having any rights to the file.
Once you've done this you find that:
You can't changed the contents of the file.
You can't rename/move the file or send it to the recycle bin
However you can:
Delete the file in explorer with shift-delete
Delete the file with cmd.exe (del myfile.txt)
Why is this? Is deleting files always a property of the parent folder? And if so why isn't renaming files?
I know this answer isn't complete at all, but I hope it will be helpful nonetheless.
You didn't mention which version of Windows you are using, but as the ones that use any version of the NTFS file system should behave the same I believe it doesn't matter.
The documentation on "File and Folder Permissions" in Windows 2008 Server states that:
Groups or users that are granted Full Control on a folder can delete any files in that folder, regardless of the permissions protecting the file.
So it would appear that part of the answer to your question:
Why is this? Is deleting files always a property of the parent folder? And if so why isn't renaming files?
would be that deleting is indeed a property of the parent folder - it looks to me that it's the Delete Subfolders and Filesspecial permission that allows you to override the permissions on the file.
Why the "Full Control" permission on the folder won't give rename permission is unclear to me, but my guess is that it's actually only Delete Subfolders and Filesthat has the power to override; to rename a file you would have to have permissions to write too.
I'm guessing that the reason that "Shift-Del" in Explorer and "del" in cmd works and not "Recycle" would be that recycling is a move/change operation.
See this Technet article for reference: How Permissions Work
I want to move a folder from one drive (e.g. C) to another (say D) without its security descriptor changed. SHFileOperation can move the folder, but new folder on D always inherit the permission from the parent folder. Not to impact other subfolders under the same parent folder, I cannot change the parent folder to stop propogating its permissions to its children.
I have used SetSecurityDescriptorControl with SE_DACL_PROTECTED to disable inherit when creating the folder on C. It seems not to work when move folder cross volumn. I also tried to set security info for the new folder on D, by removing old ACEs. However, those inherited ACEs cannot be removed.
There is a registry ForceCopyAclwithFile (http://thedailyreviewer.com/server/view/copy-folder-w-user-permission-intact-10274759) but I don't want to use it because of its global system impact.
How can I use windows API to move a folder cross disks without permission change? What did I miss here?
Thanks
Leon
You can use BackupRead and BackupWrite to move directories across volumes with NTFS security intact.
BackupRead: http://msdn.microsoft.com/en-us/library/aa362509(VS.85).aspx
BackupWrite: http://msdn.microsoft.com/en-us/library/aa362511(VS.85).aspx
You will need to create the folder at the destination first, then open both folders using CreateFile in order to get handles to them.
Your process will need to obtain the Backup and Restore privileges and you need to pass FILE_FLAG_BACKUP_SEMANTICS into CreateFile.
I installed my application in Windows 7 and as part of the installation, it installs some text files. Now, if I open the text file in notepad and try to save it, I get an "Access denied" error. I'm logged in as administrator on the machine and the file is not marked read only and security permissions seem to be fine.
However, I could delete or rename the file without any problem and I could create a new file with the same name/location using notepad and the save works fine.
I understand it has something to do with UAC. I'm wondering what UAC does in order to block access to the file. Our application is not installed in Program files folder as I believe UAC restrict any changes to files in Program Files folder
Can anyone throw light on what is going on.
regards
G
With UAC, just because you're logged in as a user with administrator privileges does not mean a program actually runs with them. The program has to either request privilege elevation (which gives the "Do you want to allow this program to _____" UAC pop-up) or explicitly be run as administrator (right-click on the program/shortcut and choose Run as Administrator).
By default most areas of the drive outside of the standard "user files" (a.k.a. My Documents & co.) are restricted to administrator-only access, but the folder permissions can be changed to add access for a particular user if desired.
You will find that saving files almost anywhere except the "my documents" area for the user will be restricted, this includes saving to other drives on the system etc.
If you check the permissions for the directory you are trying to write to, all you have to do is expressely give the user permission. Otherwise only the admins have permission, which requires UAC approval from the user to get the admin token.
You normally get "Access Denied" error when the file is in use. UAC could not be an issue here. Check out if the file is in use by anyother process.
You can use tools like Process Explorer from sysinternals to do that.
You have to right click the file and select properties. THen open the security tab and you can see different accounts with differet privelages. Click USERS and it should highlight. The box under it should have a bunch of check marks that indicate what this user can do. Click Full Control. Apply and Okay. Then you can save!!!