
The Lazy Admin

ICACLS.EXE : ACL command line management

Ever wanted to back up the ACLs of every file in a folder? Windows Vista and Windows Server 2003 SP2 ship a new command-line tool for exactly that, ICACLS (the successor to CACLS).

To backup the ACLs of every file in a directory type:

icacls * /save aclfile.txt

This command saves the ACLs of all the files in the current directory to a file called aclfile.txt. Add "/T" to include all the subfolders. The paths in the file are stored relative to the directory you ran the command from, and the file is written in Unicode, so don't try to edit it with a tool that cannot handle that.

You can later put the ACLs back with icacls <directory> /restore aclfile.txt, where <directory> is the folder the saved paths are relative to (the directory you ran /save from).

This is great when an application or administrator changes some ACLs, something breaks, and nobody remembers what was changed.
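The backup, comparison and restore workflow described above, as an added example (not code from the original post). It wraps icacls /save and /restore, parses the save file (which is UTF-16 and lists a relative path followed by that object's SDDL string) and reports exactly which entries changed between two snapshots. The share path, backup location and sample names are assumptions.

```powershell
# Added example (not from the original post). Snapshot a tree's ACLs with
# icacls /save, take a second snapshot later, report what changed, and roll
# back with /restore. The share path and backup location are assumptions.
$Root     = 'D:\Shares\Finance'                      # assumed share path
$Baseline = 'C:\AclBackups\finance-baseline.txt'     # assumed
$Current  = 'C:\AclBackups\finance-now.txt'          # assumed
New-Item -ItemType Directory -Force -Path (Split-Path $Baseline) | Out-Null

function Save-TreeAcl {
    param([string]$Directory, [string]$OutFile)
    # Run from inside the directory so the saved paths are relative to it.
    # /T walks subfolders; /C continues past objects that cannot be read.
    Push-Location $Directory
    try     { icacls * /save $OutFile /T /C | Out-Null }
    finally { Pop-Location }
}

function Read-IcaclsSave {
    param([string]$Path)
    # /save writes UTF-16. Lines come in pairs: a relative path, then the
    # object's security descriptor as an SDDL string.
    $lines = @(Get-Content -Path $Path -Encoding Unicode | Where-Object { $_ -ne '' })
    $map = @{}
    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) { $map[$lines[$i]] = $lines[$i + 1] }
    return $map
}

function Compare-AclSnapshot {
    param([string]$BeforeFile, [string]$AfterFile)
    $before = Read-IcaclsSave $BeforeFile
    $after  = Read-IcaclsSave $AfterFile
    $paths  = @($before.Keys) + @($after.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        # Added, removed, or rewritten descriptors all show up here.
        if ($before[$p] -ne $after[$p]) {
            [pscustomobject]@{ Path = $p; Before = $before[$p]; After = $after[$p] }
        }
    }
}

# 1. Baseline before the application or admin touches anything.
Save-TreeAcl $Root $Baseline

# 2. Later, when something breaks: snapshot again and list the differences.
Save-TreeAcl $Root $Current
Compare-AclSnapshot $Baseline $Current | Format-List

# 3. Roll back. /restore applies the entries relative to the directory named
#    here, which must be the directory /save was run from. (Had you saved with
#    "icacls D:\Shares\Finance /save ... /T" instead, every entry would start
#    with "Finance\" and you would have to restore against D:\Shares.)
icacls $Root /restore $Baseline
```

Keep the baseline file somewhere the application cannot write to; an SDDL diff is only useful if the "before" copy is trustworthy.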

You can also change a file's Integrity Level. This is stored as a special ACE ("Access Control Entry", the mandatory label) in the file's security descriptor, and it controls whether processes running at a lower level may modify the file. The Integrity Level, or IL, of a file is Low, Medium or High; every process carries an IL too, and when a process launches it is normally given the same IL as its parent process. Integrity levels exist on Windows Vista and later, not on Windows Server 2003.

You can see the Integrity Level of your processes using a tool like Process Explorer (add the Integrity Level column), or for your own shell with whoami /groups, which lists the token's Mandatory Label.

This is useful if you have sensitive files that you don't want low-privilege processes tampering with. For example, Internet Explorer in Protected Mode runs at Low integrity automatically, so it cannot write to or delete files on the system that carry a Medium or High IL. Note that the default label policy is no-write-up only: a Low process can still read a Medium file if the file's DACL allows it.

To change the IL on a file type:

icacls filename.ext /setintegritylevel L

This sets the Integrity Level to Low; M or H sets it to Medium or High respectively. A file with no explicit label is treated as Medium. Raising a label above your own process's IL is not allowed, so setting H needs an elevated (High) prompt.
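The labelling procedure above, as an added example (not code from the original post): it sets a file to Low and then High with /setintegritylevel, reads the label back out of icacls output, and prints the shell's own level. The file path is an assumption, and the function that parses the icacls output is this example's own helper, not part of ICACLS.

```powershell
# Added example (not from the original post). Label a file with
# /setintegritylevel and read the label back. The file path is an assumption.
$File = 'C:\Temp\design-notes.txt'                    # assumed path
New-Item -ItemType Directory -Force -Path (Split-Path $File) | Out-Null
Set-Content -Path $File -Value 'constructed sample content'

function Get-FileIntegrityLabel {
    param([string]$Path)
    # icacls prints an explicit label as e.g. "Mandatory Label\Low Mandatory Level:(NW)".
    # Objects with no explicit label print no such line and count as Medium.
    $match = icacls $Path | Select-String 'Mandatory Label\\(\w+) Mandatory Level:\(([^)]*)\)'
    if ($match) {
        return [pscustomobject]@{
            Level  = $match.Matches[0].Groups[1].Value
            Policy = $match.Matches[0].Groups[2].Value
        }
    }
    return [pscustomobject]@{ Level = 'Medium'; Policy = 'implicit' }
}

Get-FileIntegrityLabel $File          # Level Medium, Policy implicit (no label yet)

icacls $File /setintegritylevel L | Out-Null
Get-FileIntegrityLabel $File          # Level Low, Policy NW

# NW = No-Write-Up: a process whose IL is below the label cannot write to or
# delete the object, but may still read it if the DACL allows. Lowering a file
# to Low lets a Low process (such as Protected Mode IE) write to it; raising it
# to High keeps ordinary Medium processes from modifying it.
# Setting H requires an elevated (High) prompt; you cannot label above your own IL.
icacls $File /setintegritylevel H | Out-Null
Get-FileIntegrityLabel $File          # Level High, Policy NW

# The IL of the shell you are typing in, from its token's mandatory label:
whoami /groups | Select-String 'Mandatory Level'
```

Run it twice, once from a normal prompt and once from an elevated one, and compare the last line: the elevated shell reports High, which is why the H step only succeeds there.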

Finally, another great feature in ICACLS is the ability to set permissions on a large number of folders and subfolders without relying on inheritance. This matters because in our never-perfect world we often get requests to give a user access to a whole directory tree, like a departmental share drive, which contains lots of folders with lots of specific permissions. The first instinct is to add the user to the top-level ACL and force inheritance back on for every folder below. That causes major problems wherever a subfolder had inheritance disabled on purpose to carry its own specific permissions, because re-enabling inheritance wipes those out. Using ICACLS we can avoid this.

To propagate a new permission to a large number of files and subfolders use:

icacls * /grant accountName:(NP)(RX) /T

The * is the file filter, and accountName is the account you wish to add to the files and folders. (RX) grants Read and Execute. (NP) is the "do not propagate inherit" flag; on its own, with no (OI) or (CI), the entry is written onto each object as an explicit, non-inheritable ACE, so nothing depends on inheritance and no folder's inheritance setting is changed. /T instructs ICACLS to apply the change to every file and subfolder matched by the filter. (For the full list of rights and inheritance flags run ICACLS /?.) Below is a sample output for that operation:
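The scenario above, as an added example (not code from the original post): it builds a small tree in which one subfolder has inheritance disabled, applies the /grant ... /T command, and then checks that the subfolder's inheritance state survived. The root path and the principal are assumptions, and the inheritance check is this example's own helper built on Get-Acl.

```powershell
# Added example (not from the original post). Grant RX on a whole tree with
# explicit per-object ACEs and confirm that a subfolder with inheritance
# disabled is left alone. Root path and account are assumptions.
$Root    = 'C:\Temp\DeptShare'    # assumed
$Account = 'BUILTIN\Users'        # assumed principal; any user or group works

# Constructed sample tree.
New-Item -ItemType Directory -Force -Path "$Root\Public", "$Root\HR\Payroll" | Out-Null
Set-Content -Path "$Root\HR\Payroll\salaries.txt" -Value 'constructed sample'
# HR keeps its own explicit ACL with inheritance disabled; this is the kind of
# folder a blanket "/inheritance:e /T" would clobber.
icacls "$Root\HR" /inheritance:d | Out-Null

function Test-InheritanceEnabled {
    param([string]$Path)
    # Read the "protected" flag straight from the security descriptor.
    return -not (Get-Acl -Path $Path).AreAccessRulesProtected
}

$hrBefore = Test-InheritanceEnabled "$Root\HR"    # False

Push-Location $Root
try {
    # (NP) without (OI)/(CI) yields an explicit, non-inheritable ACE; /T writes
    # one onto every file and folder under the filter. Note that (RX) alone
    # would behave the same here, since an ACE with no (OI)/(CI) never inherits.
    icacls * /grant "${Account}:(NP)(RX)" /T | Out-Null
} finally {
    Pop-Location
}

$hrAfter = Test-InheritanceEnabled "$Root\HR"     # still False: untouched

"HR inheritance enabled before: $hrBefore, after: $hrAfter"

# Every object now carries its own entry for the account. An explicit entry
# shows up without the "(I)" marker that inherited entries carry.
icacls "$Root\HR\Payroll\salaries.txt" | Select-String ([regex]::Escape($Account))
icacls "$Root\Public"                  | Select-String ([regex]::Escape($Account))
```

The trade-off is that you now have one explicit ACE per object instead of one inheritable ACE at the top, so removing the access later means running the matching icacls * /remove accountName /T over the same tree.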

Those are some of the neat things ICACLS can do. With it we can script ACL changes and get more granular control over permissions.





Published Thursday, June 28, 2007 8:30 AM by daniel.nerenberg


About daniel.nerenberg

I am an MCT and consultant based out of Montreal, Quebec, Canada. As the "new" Lazy Admin on the block I am working to make TheLazyAdmin.com the best website for MS software tips and tricks out there!


All postings are provided "AS IS" with no warranties, and confer no rights.
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.