Difference between revisions of "Windows/SetACL"
Jump to navigation
Jump to search
(→Howto) |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 11: | Line 11: | ||
And to do it for the whole sub-tree |
And to do it for the whole sub-tree |
||
-rec cont_obj |
-rec cont_obj |
||
=== Revoke user privileges === |
|||
SetACL -on "<span class="input"><Path></span>" |
|||
-ot file |
|||
<span class="highlight">-actn ace -ace "n:<span class="input">domain\user</span>;p:full;m:<span class="input">revoke</span>" |
|||
And do it recursivley with the line below |
|||
-rec cont_obj</span> |
|||
=== Owner change === |
=== Owner change === |
||
==== Recursively change owner on directories and files ==== |
==== Recursively change owner on directories and files ==== |
||
| Line 17: | Line 24: | ||
<span class="highlight">-actn setowner -ownr "n:<span class="input">domain\user</span>" |
<span class="highlight">-actn setowner -ownr "n:<span class="input">domain\user</span>" |
||
-rec cont_obj</span> |
-rec cont_obj</span> |
||
=== Inheritance of directories === |
=== Inheritance of directories === |
||
==== Take away inheritance, don't copy permission ==== |
==== Take away inheritance, don't copy permission ==== |
||
| Line 39: | Line 47: | ||
* [http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/ SetACL documentation] |
* [http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/ SetACL documentation] |
||
* [http://support.microsoft.com/kb/243330/en-us Microsoft KB for well-known security identifiers] |
* [http://support.microsoft.com/kb/243330/en-us Microsoft KB for well-known security identifiers] |
||
[[Category:Windows]] |
|||
Latest revision as of 22:37, 17 June 2012
SetACL is a very powerful commandline tool that can help automate some of the more tedious permission setting tasks on Windows.
Windows ACLs are quite a bit more sophisticated than the Unix implementations I have come across so far. So SetACL is not for the faint of heart. Since I don't use it on a regular basis I forget most of the stuff until the next time. This document should help list some of the pain.
Howto
List permission
SetACL -on "<Path>" -ot file -actn list -lst "w:d,s,o,g"
And to do it for the whole sub-tree
-rec cont_obj
Revoke user privileges
SetACL -on "<Path>" -ot file -actn ace -ace "n:domain\user;p:full;m:revoke"
And do it recursivley with the line below
-rec cont_obj
Owner change
Recursively change owner on directories and files
SetACL -on "<Path>" -ot file -actn setowner -ownr "n:domain\user" -rec cont_obj
Inheritance of directories
Take away inheritance, don't copy permission
SetACL -on "<Path>" -ot file -actn setprot -op "dacl:p_nc;sacl:nc"
Ensure there are non-inherited users already present or add a line like the one below
-actn ace -ace "n:domain\user;p:full"
With an addtional line we can reset the permission of all the sub-directories and files and only inherit from the path specified in -on
-actn rstchldrn -rst "dacl"
Take away inheritance, copy permission
SetACL -on "<Path>" -ot file -actn setprot -op "dacl:p_c;sacl:nc"
Inherit from parent
SetACL -on "<Path>" -ot file -actn setprot -op "dacl:np;sacl:nc"