I am trying to set the ACL/inheritance for a folder (or file) as follows:
icacls /inheritance:r /grant:r "builtin\administrators":(I)(F)
However, this produces an error (icacls doesn't recognize the "(I)" as being valid?).
According to icacls /?, (I) is one of the inheritance rights (along with (OI), (CI), (IO), and (NP)).
When I reset the perms on the object, the icacls command shows:
builtin\administrators:(I)(OI)(CI)(F)
So the '(I)' setting IS 'in there'. I suspect I need to go through some hoops to get this where it needs to be (i.e., builtin\administrators:(I)(F)), but after spending the better part of the day searching for examples and trying various routes, I'm still where I started.
Anyone know the trick to this?
I tried this but it says "no permission"
@echo off
echo %~dp0
rd /s c:\$Recycle.Bin
pause
I need help.
Please
I'm not sure if this is possible as a regular user:
Googling "empty recycle bin commandline" led me to this URL, advising the following command:
cleanmgr /sageset:1
This will indeed empty the recycle bin, but the tool seems to be interactive. I asked for help via the following command:
cleanmgr /?
But this gave me no clue on how to do this without user interaction.
Having just run the script myself, it looks like it does succeed in deleting the contents of the Recycling Bin. I also got the same permissions error you did.
However, I ran it again later as administrator and not only was the Recycling Bin deleted but it also did not give the permissions error. So it's just a permissions bug and otherwise everything should behave as expected! You can probably run this without elevated permissions and be just fine, if you don't mind seeing the permission denied message. Probably better safe than sorry here.
Note: I daily drive Linux and am by no means an expert with Windows. I am not sure how dangerous the script is, but be careful with it regardless since it can delete files with elevated permissions (if you wanted to get rid of the permission denied messages).
Thank You
This was helpful
:))
I have a batch file, whose purpose is to copy a directory from a network location and place it in the C: location of the user's system if it doesn't already exist. The problem is when the main user attempts this, the above message is displayed and the application subsequently errors out. BUT, when I run on my machine, to try and debug, it works just as it should with no problems.
I've seen a lot out there on this, but none where it works depending on the user. Also, most are about only working with network drives and not locals.
Here is the code. I am not the author of this .bat so let me know if something doesn't look quite right.
@echo off
echo Starting Application...
rem copy files over to the users local computer to prevent .dll problems when running App
C:
CD \
if not exist "C:\App" mkdir c:\App
CD App
robocopy "\\server\shared\fuller\Apps\ThisApp" c:\App /S robocopy.log
echo You may close this window or it will close by itself when the program is done.
ThisApp1.exe
I've tried using popd and pushd in various spots, but I'm not sure where I would put those, or even if it's applicable to this situation.
Put this line as the 2nd line (right after @echo off)
pushd %~dp0 & REM needed in case 'Run as Administrator' or executed from network drive
https://ss64.com/nt/pushd.html
Note that 'Run as Administrator' changes the current directory... this will put it back to where it was.
The problem I have is very persistent.
I have a self-extracting rar file, say files.rar.
This is being uncompressed in C:\Program Files (x86)\CompanyName\XDS\bin
Now this starts a batch file, install.bat, which is in the bin folder.
A 32 bit version of cmd.exe executes this batch file.
So far so good, this all works well.
But: I have to rename one file in the bin folder and delete another. You may wonder, why put a file in there that needs to be deleted? Well, I have a 32 and 64 bit version of a driver. Depending on the target, either one of these must be renamed to NatUSB.dll, while the other must be deleted.
If I run this batch file (simplified):
icacls natusb*.dll /inheritance:r /grant:r everyone:(OI)(CI)F
icacls natusb*.dll /T
rename NatUSB_32_ezusb.dll NatUSB32.dll
del NatUSB_32_winusb.dll
I have the following problems:
I need administrator rights and that is not acceptable for the purpose of my company
Even then I get "Access is denied" for the renaming, possibly since there exists already a NatUSB32.dll. However, even as administrator I can not delete this file: "Access is denied"
The del NatUSB_32_winusb.dll also gives "Access is denied"
Then I tried to copy the two files to bin2. Reason for this: if I do "icacls bin /T" the list of files I get permission info on is too long, so I hoped to get this info just for a few files. Unfortunately, I get "Access is denied" (while trying to copy to bin2), even while file permissions for administrator and system are "Full control".
BTW, just icacls natusb*.dll /T does not give any permissions, this only seems to work for entire folders.
When I am in the XDS (parent) folder and do "icacls bin2 /inheritance:r /grant:r everyone:(OI)(CI)F"
Next, I do "icacls bin2 /T"
bin2 Everyone:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
I still can't copy the few nat*.dll from bin to bin2.
If I try to set access rights on bin folder (very similar to above), I get "bin: The handle is invalid".
BTW, the permissions on bin are as follows:
bin NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
and as stated before, with icacls I can't change any of this. BTW, the security tab doesn't show duplicate groups or names.
In short: I have problems with renaming, deleting files (most urgent, to solve current problem) and also with copying files from C:\Program Files (x86)\XXX\XDS\bin to XDS\bin2.
To solve the problems, I need to use icacls or another built-in command in a script to force the access rights. Setting access rights in the security tab of a folder is not acceptable: it needs to be done from script. Also: we can not install 3rd party software, certainly not if it is large or has a commercial license. A few kB, perhaps 1MB, for a free-to-use tool may be acceptable if all else fails.
The solution should also not require administrator rights.
This is your main problem:
icacls natusb*.dll /inheritance:r /grant:r everyone:(OI)(CI)F
The (OI)(CI) flags are only valid for directories, not for files. Because the flags are invalid, the permission is ignored. So the net effect of this command is to remove all permissions from the file, implicitly denying access to everyone, including administrators.
If you take out the invalid flags, the command will work as expected:
icacls natusb*.dll /inheritance:r /grant:r everyone:F
However, given your description of the problem, it looks as if you will require admin access, because the permissions on the existing folder are read-only for non-administrators. There's no way around that, unless you can install into a different folder (e.g., in the user's Application Data folder) or change the destination folder permissions in advance.
Note that changing the folder permissions is likely to introduce a security vulnerability.
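One way to avoid the file/directory flag mismatch this answer describes, as an added PowerShell example that is not code from the original thread: the hypothetical helper Set-ExplicitGrant picks the inheritance flags from the target type, then checks that the ACL was not left empty. The helper name, the scratch folder under %TEMP% and the file name sample.dll are assumptions made for the illustration.

```powershell
# Added example: Set-ExplicitGrant is a hypothetical helper, not part of icacls.
function Set-ExplicitGrant {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Principal,
        [string] $Rights = 'F'
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # (OI)(CI) describe inheritance to children, so they are only added for
    # directories; a file gets the bare right, as in the corrected command above.
    $flags = if ($item.PSIsContainer) { '(OI)(CI)' } else { '' }
    $spec  = "${Principal}:${flags}${Rights}"

    # Each quoted string or variable reaches icacls as exactly one argument.
    & icacls.exe $item.FullName '/inheritance:r' '/grant:r' $spec | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE) on $Path" }

    # Guard against the failure mode in the answer: inheritance removed,
    # nothing granted, so the object ends up with no access entries at all.
    $aces = (Get-Acl -LiteralPath $item.FullName).Access
    if (-not $aces) { throw "ACL on $Path is empty after the change" }
    return $spec
}

# Constructed scratch objects so the example does not touch real data.
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$file = Join-Path $root 'sample.dll'
Set-Content -LiteralPath $file -Value 'placeholder'

# Grant to the current user only, so the demo can still clean up afterwards.
$me = "$env:USERDOMAIN\$env:USERNAME"
Set-ExplicitGrant -Path $root -Principal $me
Set-ExplicitGrant -Path $file -Principal $me

icacls.exe $root /T          # list the resulting ACLs for folder and file
Remove-Item -LiteralPath $root -Recurse -Force
```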
I need users to be able to access and modify contents in a folder C:\VMs. I'm using https://ss64.com/nt/icacls.html as a guide. At the bottom of the page there is a list of commands to do exactly what I need, but the first command is not working.
In Powershell I am typing
icacls.exe "C:\VMware" /inheritance:r /grant:r testuser:(OI) (CI) (F)
and am getting the error
The term 'OI' is not recognized as the name of a cmdlet...
I've tried various iterations using different spacing and quotations and the like but have not had any luck.
The problem is that brackets have a special meaning in PowerShell. They must be quoted if they are to be passed as-is to an external program. The article you link to assumes that you are using the legacy command shell, which does not give brackets a special meaning in this context.
One way to make this work is to use the backtick as an escape character:
icacls test /grant Everyone:`(OI`)`(CI`)`(RX`)
Since you are running Windows 10, you can use the stop-parsing symbol instead:
icacls test --% /grant Everyone:(OI)(CI)(RX)
The stop-parsing symbol requires PowerShell 3 or later, so it will not work out-of-the-box on a Windows 7 machine, but on Windows 10 you'll be fine.
Currently I am writing a PowerShell script to automate some security measures and I have run into a small problem.
icacls myDirectory /inheritance:r /grant:r 'Administrators:F' $myGroup + ':F'
will fail as $myGroup gets tacked onto the icacls call and fails to properly add permissions to both groups. This is on Windows 7 and from the context of PowerShell.
The parser sees $myGroup + ':F' as three individual arguments. You can use either:
"${myGroup}:F"
or
($myGroup + ':F')
to provide this info to the parser as one argument.
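The two PowerShell quoting problems discussed above (brackets in the permission mask, and a variable joined to ':F'), shown together in an added example that is not code from the original posts. Show-Tokens is a hypothetical helper that prints each argument PowerShell would hand to a command; the group name and the scratch folder are constructed values.

```powershell
# Added example: Show-Tokens is a hypothetical helper for inspecting arguments.
function Show-Tokens { $args | ForEach-Object { "[$_]" } }

$myGroup = 'BUILTIN\Users'           # constructed sample value

# Unquoted concatenation: the parser splits this into separate arguments.
Show-Tokens $myGroup + ':F'

# Either form from the answer keeps principal and right in one argument.
Show-Tokens "${myGroup}:F"
Show-Tokens ($myGroup + ':F')

# Brackets inside a quoted string are passed through literally.
Show-Tokens 'Everyone:(OI)(CI)(RX)'

# Building the icacls call as an array keeps every argument intact, however
# many principals are granted. *S-1-5-32-544 is the well-known SID of
# BUILTIN\Administrators, which avoids localized group names.
$target = Join-Path $env:TEMP ('icacls-args-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $target | Out-Null

$principals = @('*S-1-5-32-544', "$env:USERDOMAIN\$env:USERNAME")
$grants     = $principals | ForEach-Object { "${_}:(OI)(CI)F" }
$icaclsArgs = @($target, '/inheritance:r', '/grant:r') + $grants

& icacls.exe @icaclsArgs
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

icacls.exe $target                   # show the ACL that was actually applied
Remove-Item -LiteralPath $target -Recurse -Force
```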