| Author |
Message |
Mark B
Guest
|
 Posted:
Sat Jan 29, 2005 6:47 am Post subject:
XCACLS utility help |
|
|
Hi all,
I work in a school environment, and have taken over administration of the
school's servers. I have just created over 1000 users and their assosciated
home folders.
I need to prevent users from deleting their own home folder (H:\<username>).
By default, when the folder is created, the user has this right.
Using XCACLS on a 2003 Server, what is the command to do this? I can ALLOW
each user the "special access" to DELETE the folder, but am unsure of the
switch to DENY the right. This is what I need to achieve:-
Denying the users the right to delete their home folder (but not
sub-folders), and
removing the "allow inheritable permissions" on the folder.
If I set the permissions using the GUI, and then run XCACLS, this is what is
reported:-
Processed directory FRED
D:\Users\FRED MyServer\FRED:(DENY)(special access:)
DELETE
Builtin\Administrators:(OI)(CI)F
MyServer\Fred:(OI)(CI)F
I cannot seem to replicate that "DENY" part of the special access! What is
the switch?!?!?
Many thanks,
Mark |
|
| Back to top |
|
 |
Roger Abell
Guest
|
| Posted:
Sat Jan 29, 2005 6:47 am Post subject:
Re: XCACLS utility help |
|
|
xcacls.exe does not have that granularity available for deny
You could download xcacls.vbs which does allow for finer
control of special access ACEs, including denies, and will
do what you are attempting.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Mark B" <mark@mosaiccomputers.com.au> wrote in message
news:%23utBEDaBFHA.2076@TK2MSFTNGP15.phx.gbl...
| Quote: | Hi all,
I work in a school environment, and have taken over administration of the
school's servers. I have just created over 1000 users and their
assosciated
home folders.
I need to prevent users from deleting their own home folder
(H:\<username>).
By default, when the folder is created, the user has this right.
Using XCACLS on a 2003 Server, what is the command to do this? I can ALLOW
each user the "special access" to DELETE the folder, but am unsure of the
switch to DENY the right. This is what I need to achieve:-
Denying the users the right to delete their home folder (but not
sub-folders), and
removing the "allow inheritable permissions" on the folder.
If I set the permissions using the GUI, and then run XCACLS, this is what
is
reported:-
Processed directory FRED
D:\Users\FRED MyServer\FRED:(DENY)(special access:)
DELETE
Builtin\Administrators:(OI)(CI)F
MyServer\Fred:(OI)(CI)F
I cannot seem to replicate that "DENY" part of the special access! What is
the switch?!?!?
Many thanks,
Mark
|
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Sat Jan 29, 2005 6:47 am Post subject:
Re: XCACLS utility help |
|
|
I never could quite get xcacls to work the way I wanted for special access.
Take a look at fileacl instead. It is available on Microsoft's website and
it is very powerful. Be sure to play around on a test machine first before
you go "live" and of could even then have a backup before starting. The link
below is to fileacl and explains a lot of what it can do. Also see the link
about xacls.vbs which is an update to xacls, though I have not used that
myself yet. --- Steve
http://www.gbordier.com/gbtools/fileacl.htm -- fileacl
http://support.microsoft.com/default.aspx?scid=kb;en-us;825751 -- xacls.vbs
"Mark B" <mark@mosaiccomputers.com.au> wrote in message
news:%23utBEDaBFHA.2076@TK2MSFTNGP15.phx.gbl...
| Quote: | Hi all,
I work in a school environment, and have taken over administration of the
school's servers. I have just created over 1000 users and their
assosciated home folders.
I need to prevent users from deleting their own home folder
(H:\<username>). By default, when the folder is created, the user has this
right.
Using XCACLS on a 2003 Server, what is the command to do this? I can ALLOW
each user the "special access" to DELETE the folder, but am unsure of the
switch to DENY the right. This is what I need to achieve:-
Denying the users the right to delete their home folder (but not
sub-folders), and
removing the "allow inheritable permissions" on the folder.
If I set the permissions using the GUI, and then run XCACLS, this is what
is reported:-
Processed directory FRED
D:\Users\FRED MyServer\FRED:(DENY)(special access:)
DELETE
Builtin\Administrators:(OI)(CI)F
MyServer\Fred:(OI)(CI)F
I cannot seem to replicate that "DENY" part of the special access! What is
the switch?!?!?
Many thanks,
Mark
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in