I am using the following code:

```
icacls C:\testscott\ /grant:r "TestGroup":(NP)F
```

However, the existing permissions in the directory C:\testscott\ are still there. I thought using the /grant:r option meant it would overwrite the existing permissions?

Scott
  • You're adding an ACE that should [r]eplace an existing ACE for "TestGroup", but not removing inherited rights. I don't know how to combine operations with icacls. I'd use 3 passes. Copy inherited ACLs and disable inheritance: `icacls C:\testscott /inheritance:d`. Remove any ACEs for "TestGroup": `icacls C:\testscott /remove "TestGroup"`. Add the desired ACE: `icacls C:\testscott\ /grant "TestGroup":(NP)F`. – Eryk Sun Mar 16 '15 at 14:18
  • Note that even that won't remove existing explicit permissions for *other* users and groups. To do that you need the `/reset` option, or use `cacls`. – Harry Johnston Mar 16 '15 at 20:53

1 Answer

To replace all permissions on a directory with newly assigned ones:

```
icacls c:\test /reset
icacls c:\test /inheritance:r /grant Administrators:(OI)(CI)(F)
```

Harry Johnston
  • I didn't know whether Scott was looking to replace inherited permissions for only TestGroup with an explicit ACE or to replace all inherited permissions. I assumed the former, and I wasn't able to do it in fewer than 3 passes. I was surprised that `grant:r` didn't work after copying via `inheritance:d`. Either way, I voted to close this question as off topic. It belongs on superuser.com. – Eryk Sun Mar 16 '15 at 22:10
  • Apparently on the 2nd pass, even though `grant:r` doesn't work I can combine `/remove TestGroup` and `/grant TestGroup` in one operation. But that looks like undefined behavior to me, or at least poorly defined behavior. – Eryk Sun Mar 16 '15 at 22:30
  • @eryksun: not off-topic in my opinion because `icacls` is how you change permissions in batch files. (And it is predominantly used in programming, because most people use the GUI for interactive permissions changes rather than the command line.) – Harry Johnston Mar 16 '15 at 22:49
  • It looks like a system administration question to me. For sure, shell scripting for administrative tasks is a grey area, but to me this falls closer to superuser's domain, such as [this question](http://superuser.com/q/87028). – Eryk Sun Mar 16 '15 at 23:21
  • @eryksun: that would make all batch questions either off-topic or ill-conceived, wouldn't it? :-) The Windows batch processor is designed for administrative tasks, not for general-purpose programming. Now, I'd personally have a certain amount of sympathy for the proposition that batch programming should be automatically off-topic here, but precedent says otherwise. :-) – Harry Johnston Mar 16 '15 at 23:48
  • I don't think batch programming is generally off topic (indeed it's such a weird and limited language that people need all the help they can get). Certainly a script that programmatically administers a computer is a program all the same. But this question is more about using the icacls tool, not about batch programming. – Eryk Sun Mar 16 '15 at 23:58
  • @eryksun: yeah, but the icacls tool is a "software tool used primarily by programmers" - if you accept that writing batch scripts is programming. Everybody *else* just uses the GUI. (Well, almost everybody.) – Harry Johnston Mar 16 '15 at 23:59
  • (And in particular if you posted such a question to Super User or Server Fault you're likely to get answers that say "don't do that, just use the GUI".) – Harry Johnston Mar 17 '15 at 00:03
  • Command-line programs may be cryptic and difficult for the average Windows user, but that doesn't automatically make using them a kind of programming. Using them involves no variables, no logic/branching, no iteration/recursion, no algorithms. You just set some 'switches' and press the 'on button' (enter). – Eryk Sun Mar 17 '15 at 00:14
  • @eryksun: no, using icacls on the command line is not programming. But (a) the OP is using it in a batch script, which *is* programming; and (b) that's (probably, and IMO) the most common use case. (And for the windows tag, at least, I think the established precedent is that using command-line utilities in batch files is considered on-topic. That's based solely on my unreliable memory of prior questions, of course.) – Harry Johnston Mar 17 '15 at 01:27
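
The reset-then-grant sequence from the answer, wrapped in a batch script that first saves the ACL and afterwards checks that no inherited or leftover ACEs remain. This is an added example, not code posted by anyone in the thread; the `TARGET`, `PRINCIPAL` and `BACKUP` values and the label names are assumptions.

```batch
@echo off
setlocal
rem Added example, not code from the thread. TARGET, PRINCIPAL and BACKUP
rem are assumed values; adjust them before running from an elevated prompt.
set "TARGET=C:\test"
set "PRINCIPAL=Administrators"
set "BACKUP=%TEMP%\acl_backup.txt"

rem 1. Save the current ACL so the change can be rolled back with /restore.
icacls "%TARGET%" /save "%BACKUP%" /Q || goto :fail

rem 2. Drop every explicit ACE; only inherited ACEs remain after /reset.
icacls "%TARGET%" /reset /Q || goto :fail

rem 3. Remove the inherited ACEs too and grant the single desired ACE.
icacls "%TARGET%" /inheritance:r /grant "%PRINCIPAL%":(OI)(CI)(F) /Q || goto :fail

rem 4. Verify: no ACE may still carry the (I) inherited flag ...
icacls "%TARGET%" | findstr /L /C:"(I)" >nul && goto :unexpected

rem    ... and exactly one ACE line (text containing ":(") may be left.
set "ACES=0"
for /f %%N in ('icacls "%TARGET%" ^| find /c ":("') do set "ACES=%%N"
if not "%ACES%"=="1" goto :unexpected

echo OK: %TARGET% now carries only the ACE for %PRINCIPAL%.
exit /b 0

:unexpected
echo Unexpected ACEs on %TARGET%:
icacls "%TARGET%"
exit /b 2

:fail
echo icacls failed; the ACL backup, if written, is at %BACKUP%
exit /b 1
```

Because `/inheritance:r` strips every inherited ACE, the principal granted in step 3 is the only one left with access, so pick it with that in mind.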