I'm trying to use icacls to adjust permissions on a remote folder, when the grantee is the local group of the remote server. From machine Foo, I'm trying to grant modify rights for group Bar\Users to a folder on machine Bar. Executing it all on Bar is not really an option.

When I do

icacls \\bar\Share\Path /grant bar\Users:M

I get the following error:

bar\Users: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files

If I quote the group name, like this:

icacls \\bar\Share\Path /grant bar\"Users":M

I get a different message:

bar"Users: The trust relationship between the primary domain and the trusted domain failed.
Successfully processed 0 files; Failed processing 1 files

Any ideas, please? The account I'm doing it under has admin rights on both foo and bar. Both foo and bar are Windows Server 2008 machines on the same domain, neither is a domain controller.

Seva Alekseyev

1 Answer

If you really are trying to grant access for the Users group, then just drop the "bar\" and grant it to Users. Internally, it will convert to the SID locally on foo and then grant access to that SID. The Users group is a "Common Account" where the SID is the same everywhere.

Update: From the comments below, this will work if the above does not:

icacls \\bar\Share\Path /grant *S-1-5-32-545:M

The change will be visible as Special Permissions in the Advanced security properties.

Zach Bolinger
  • I've tried that. The ACL on the folder says foo\Users, which is not what I'm after. – Seva Alekseyev Apr 30 '15 at 15:41
  • I tested it before posting and it works for me. I'm using 2008 R2, though. Can you try adding it by SID? icacls \\bar\Share\Path /grant S-1-5-32-545:M – Zach Bolinger Apr 30 '15 at 16:00
  • I know you said you don't want to execute it on Bar, but can you view it on Bar just to make sure the group name is not resolving locally if you view it on Foo? – Zach Bolinger Apr 30 '15 at 16:04
  • Added as "Special permissions". You need to prefix the numeric SID with * : /grant *S-1-5... – Seva Alekseyev Apr 30 '15 at 16:10
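
The grant-by-SID approach from the answer and comments, followed by a read-back of the ACL as raw SIDs so the check does not depend on how either machine resolves the name "Users". This is an added example, not code from the thread; `$Path` reuses the placeholder path from the question, and the script assumes a session with rights to change the folder's ACL.

```powershell
# Added example (not from the thread). $Path is the placeholder from the question.
param([string]$Path = '\\bar\Share\Path')

# BUILTIN\Users as a numeric SID, as given in the answer. Using the SID
# avoids any name-to-SID lookup on the machine running the command.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# icacls needs the leading * to treat the grantee as a numeric SID.
& icacls.exe $Path /grant "*$($sid.Value):M"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Read the ACL back with identities left as SIDs rather than translated names,
# so the result is the same no matter which machine runs the check.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$match  = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
})

if ($match.Count -eq 0) {
    throw "No Allow/Modify entry for $($sid.Value) found on $Path"
}

# Show what was actually written: SID, rights, and whether it was inherited.
$match | Select-Object @{n='Sid';e={$_.IdentityReference.Value}},
    FileSystemRights, IsInherited, InheritanceFlags
```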