Windows File Access Permissions

See also WindowsFileSharingRights

See also https://wiki.enlogic.gr/KnowledgeBase/PowerShellScripts#Recursively_take_ownership_of_a_directory_without_permission_errors

Examples I've used

$dir = "C:\Program Files\WindowsPowerShell\Modules\Pester"
takeown /F $dir /A /R
icacls $dir /reset
icacls $dir /grant "*S-1-5-32-544:F" /inheritance:d /T

icacls "C:\temp" /grant "Everyone":(OI)(CI)F
# grant everyone full permissions to c:\temp


icacls "file1" /remove "NT AUTHORITY\Authenticated Users"
# /remove[:[g|d]] User
# Remove all occurrences of User from the acl.
# :g remove all granted rights to that User/Sid.
# :d remove all denied rights to that User/Sid.

icacls "file1" /inheritance:r
# /inheritance:e|d|r
# e - Enable inheritance
# d - Disable inheritance and copy the ACEs
# r - Remove all inherited ACEs

get-acl "file1" | set-acl "file2"
# copy permissions from one file to the other

icacls "C:\fserver" /Q /C /inheritance:r /grant:r Administrators:(OI)(CI)F

icacls "C:\folder" /t /c /l /q /reset
# This is equivalent to "Replace all child permission entries with inheritable permission from this object"
# /C Continue on file errors (access denied). Error messages are still displayed.
# /Q Quiet - suppress success messages.
# /T Traverse recursively the tree of subfolders/files
# /L Operate on a symbolic link itself rather than on its target

ICACLS C:\folder /GRANT Everyone:F /T
# Grant full control to Everyone on a folder and all subfolders/files

[LOW QUALITY NOTES] From the command Line (icacls & powershell)

Use icacls to manipulate them (very good reference and examples here)

Powershell has Get/Set-ACL. e.g. to view ACLs:
Get-Acl -Path "E:\archive\topo\PALIES ERG ZAX" | Format-Table -Wrap

And you can copy the ACLs from one folder to another very easily:
$Acl = Get-Acl "C:\From_Folder_A"
Set-Acl "C:\To_Folder_B" $Acl

To grant everyone full permissions to c:\temp (the equivalent to the much more terse icacls "C:\temp" /grant "Everyone":(OI)(CI)F )
# children of c:\temp only; the ACL of c:\temp itself is not changed
$FilesAndFolders = gci "c:\temp" -recurse | % {$_.FullName}
foreach($FileAndFolder in $FilesAndFolders)
{
    #using get-item instead because some of the folders have '[' or ']' character and Powershell throws exception trying to do a get-acl or set-acl on them.
    $item = gi -literalpath $FileAndFolder
    $acl = $item.GetAccessControl()
    # the 3-argument rule (identity, rights, type) is not inheritable, which is why every item is touched individually
    $permission = "Everyone","FullControl","Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($rule)
    $item.SetAccessControl($acl)
}

[LOW QUALITY NOTES] Example Of Setting Permissions

To reset NTFS permissions from the command line (the same as using the GUI command "[_] Replace all child object permissions with inheritable permissions from this object"):

icacls "c:\users\jshipp\*" /q /c /t /reset

[LOW QUALITY NOTES] More examples

(from https://technet.microsoft.com/en-us/library/2009.07.geekofalltrades.aspx)

Let's walk through the entire set of icacls command lines you would use to reset and correctly apply the stated permissions to the Finance folder structure as well as its root:

Icacls C:\Shared /inheritance:r /grant:r "Domain Users":(OI)(CI)R /grant:r "File Admins":(OI)(CI)F

Icacls C:\Shared\Finance /inheritance:r /grant:r "Finance Users":(OI)(CI)R /grant:r "File Admins":(OI)(CI)F

Icacls C:\Shared\Finance\Budget /grant:r "Budget Users":(OI)(CI)M
Icacls C:\Shared\Finance\Metrics /grant:r "Metrics Users":(OI)(CI)M

The first line actually accomplishes two tasks. It starts with the "/inheritance:r" switch to completely remove all inherited permissions from the folder above so that the Shared folder doesn't inherit. This breaks the Shared folder's inheritance from the folder immediately above it. Once this is done, the Read(R) permission is set for Domain Users and the Full Control(F) permission for File Admins.
Because we don't want Domain Users to have access to the Finance folder at all, line two breaks and clears the permissions inheritance once again. It then applies the Full Control permission to File Admins and the Read permission to Finance Users.
With lines three and four, we don't want to break the permissions inheritance because both the File Admins and the Finance Users groups should have the same access to these subfolders. In these two lines, we are simply granting an extra (M) permission—in addition to the existing inherited permissions—so that the Budget Users and Metrics Users can write to these folders (M=Modify permission which equals Full Control minus the ability to change permissions).

[...]

Visualizing Existing Permissions

(from https://technet.microsoft.com/en-us/library/2009.07.geekofalltrades.aspx)

AccessEnum is a very simple application that helps you visualize the permissions assigned to a specific folder structure. Specifically, when you target AccessEnum to a top-level folder in a folder tree, the tool scans the files and folders beneath and reports back where permissions are different from the parent.
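The same "where do permissions differ from the parent" report can be produced from PowerShell with Get-Acl. The function below is an added example (it is not AccessEnum and not code from this wiki): it lists every folder and file under a root that either blocks inheritance or carries explicit, non-inherited ACEs, and reports folders whose ACL could not be read. It is also a handy way to verify the Finance layout above: C:\Shared and C:\Shared\Finance should show InheritanceBlocked = True, Budget and Metrics should each show only one explicit (OI)(CI)M ACE, and nothing below them should appear at all. The path in the usage line is a placeholder.

```powershell
# Added example: a minimal AccessEnum-style scan using Get-Acl.
# An item "deviates" when inheritance is blocked (AreAccessRulesProtected) or
# when it carries at least one explicit (non-inherited) ACE.
function Get-PermissionDeviations {
    param([Parameter(Mandatory)] [string] $Root)

    # the root itself plus everything below it; access-denied listings are
    # collected in $listErrors instead of aborting the scan
    $items = @(Get-Item -LiteralPath $Root)
    $items += Get-ChildItem -LiteralPath $Root -Recurse -Force `
                  -ErrorAction SilentlyContinue -ErrorVariable listErrors

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Path = $item.FullName; InheritanceBlocked = $null
                                Owner = '<ACL not readable>'; ExplicitAces = $_.Exception.Message }
            continue
        }
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $item.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Owner              = $acl.Owner
                # one "who:allow|deny:rights" token per explicit ACE
                ExplicitAces       = ($explicit | ForEach-Object {
                    '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
    # folders we could not even enumerate: a deviation worth knowing about
    foreach ($e in $listErrors) {
        [pscustomobject]@{ Path = $e.TargetObject; InheritanceBlocked = $null
                            Owner = '<not listable>'; ExplicitAces = $e.Exception.Message }
    }
}

# placeholder path; pipe to Export-Csv to keep a record of the baseline
Get-PermissionDeviations -Root 'C:\Shared' | Format-Table -AutoSize -Wrap
```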

Assigning ownership to another user

In recent Windows versions, you can also use icacls /setowner to directly assign ownership to another user:
icacls C:\foo /setowner "DOMAIN\user" /t /l # you may wish to add /q to suppress messages about success on all files/dirs

Taking ownership for yourself or for the local admin group

You can use takeown, but first read this section and the caution.

If you're user foouser, open cmd as admin and run takeown, the new owner will be either the local administrators group (if you add the /a option) or foouser (if you don't). I will repeat for clarity:
  • With /a the owner will be the local administrators group.
  • Without /a the owner will be foouser.

CAUTION: Be careful with /D y

All over the web you will be prompted to add the option /R /D y to run takeown recursively. But if there are subfolders where the administrator does not have list permissions, the /D y option will result in removing all existing access rights before changing the owner. To avoid losing any such permissions you can run it without /D y and then manually add the LIST permission for yourself on the folders where you get errors. See this serverfault answer and also see PowerShellScripts for a good solution.
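The procedure in the caution, as an added PowerShell example (this is my own illustration, not the solution on the PowerShellScripts page): walk the tree folder by folder, take ownership of each folder object on its own (no /R, so there is no unlistable subfolder for takeown to ask about and no DACL gets replaced), and only where listing the folder is still denied add a single non-inherited Read/List ACE for the local Administrators group (S-1-5-32-544, the SID used in the examples above) so the walk can continue. Folders that received that extra ACE are returned so they can be reviewed or the ACE removed afterwards. It assumes an elevated PowerShell session and that takeown.exe and icacls.exe are on the PATH.

```powershell
# Added example: recursive takeown for the Administrators group WITHOUT /D Y,
# preserving the DACLs of folders the admin cannot list.
function Take-OwnershipPreservingAcl {
    param([Parameter(Mandatory)] [string] $Path)

    $adminsSid = '*S-1-5-32-544'                         # BUILTIN\Administrators
    $touched   = New-Object System.Collections.Generic.List[string]

    function Walk([string] $dir) {
        # owner of this folder object only (no /R): existing DACL is left untouched
        & takeown.exe /F $dir /A | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $dir"; return }

        $children = Get-ChildItem -LiteralPath $dir -Force `
                        -ErrorAction SilentlyContinue -ErrorVariable listErr
        if ($listErr) {
            # we own the folder now, so we may edit its DACL: add a non-inherited
            # Read/List ACE for Administrators; nothing else on the ACL changes
            & icacls.exe $dir /grant "${adminsSid}:(RX)" | Out-Null
            $touched.Add($dir)
            $children = Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop
        }
        foreach ($child in $children) {
            if ($child.PSIsContainer) { Walk $child.FullName }
            else { & takeown.exe /F $child.FullName /A | Out-Null }   # files: owner only
        }
    }

    Walk $Path
    return $touched      # folders that were given the extra Administrators:(RX) ACE
}

# placeholder path; review the returned list before deciding whether to keep the added ACEs
Take-OwnershipPreservingAcl -Path 'C:\directory'
```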

Examples

# for files
takeown /f "C:\file" # make the user account that opened this terminal the owner
takeown /f "C:\file" /a # make the local admin group the owner
# similarly for directories and all their subdirectories
takeown /f "C:\directory" /r # make the user account that opened this terminal the owner
takeown /f "C:\directory" /a /r # make the local admin group the owner
Topic revision: r19 - 21 Feb 2023, NickDemou
Copyright © enLogic