Grant MODIFY on "All Subfolders and Files" with icacls, but only give Read to top level folder
Change the first line of your script to the following to have it apply only to subfolders and files.
# (IO) = inherit-only: the entry is passed to children but does not apply to $folder itself.
# ${user} is braced because "$user:(OI)" makes PowerShell read ':' as a scope/drive separator.
icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(IO)(M)"
Then apply this to the top folder.
icacls.exe $folder /grant "$domain\${user}:(R)"
MDMarra
Updated on September 18, 2022

Comments
- MDMarra, over 1 year ago:
One of our Windows servers that has some user folders on it has some pretty screwed up permissions. What I want is for SYSTEM and Domain Admins to have full control of all folders. I want the users to have read only on the top-level folder (which is their home folder) and modify on all subfolders and files. This can easily be accomplished through the GUI, but I can't figure out how to script it.

I'm calling icacls from my PowerShell script, because get-acl and set-acl are a major PITA. If I have to use them, I'm not opposed to it, but I imagine that calling icacls will be easier. This is the relevant code that I have so far:
# Double quotes are needed so $folder, $domain and $user expand; single quotes pass them literally.
icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)"
icacls.exe $folder /grant "SYSTEM:(OI)(CI)(F)"
icacls.exe $folder /grant "$domain\Domain Admins:(OI)(CI)(F)"
As you can see, I'm giving modify to the user for everything with
icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)"
I can't figure out how to make that Modify apply only to subfolders and files while granting read-only to the top level folder.

The desired permission structure would look like this (just for clarity):
-Users
--M
---Marra (read only to me)
----Documents (Modify)
----Scripts (Modify)
----Etc (Modify)
What is the right icacls syntax for this, or how can I do it natively in PS with set-acl?
- Admin, about 9 years ago: If you can set the desired permissions in the GUI, then just do this manually for one folder, and afterward see what they look like with "icacls $folder".

- Admin, almost 8 years ago: You should make it more clear that $folder refers to $server\Users\M\Marra

- MDMarra, about 12 years ago: That's accurate to answer my question, but I need the users to be able to create files and sub-folders. To do that, I needed to use (R,WD,AD) for the top-level.

- user2248402, almost 8 years ago: Wouldn't the OP want /grant:r to replace any previously granted explicit permissions? If it's screwed up, don't you want to replace what's there?

- Harry Johnston, almost 5 years ago: @JJS, /grant:r probably wouldn't do anything useful in this case, because it only removes permissions that match the specified inheritance flags. I find the /reset option simpler to use.
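The answer's two icacls calls, the OP's follow-up that the top-level folder needs (R,WD,AD) rather than plain (R), and the comments about checking the result with "icacls $folder" and about /reset, put together as one PowerShell function. This is an added example, not code from the thread; the function name, parameter names and the sample folder, domain and user values are assumptions.

```powershell
# Added example (not from the original thread): apply the permission layout
# discussed above to one home folder and print the resulting ACL for review.
# Function and parameter names are assumptions; adjust to your environment.
function Set-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Folder,   # e.g. \\server\Users\M\Marra
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $User,
        # Rights on the top-level folder itself. The answer used 'R'; the OP found
        # 'R,WD,AD' necessary so users can still create files and subfolders there.
        [string] $TopLevelRights = 'R,WD,AD',
        # Optional: replace the existing ACL with the default inherited one first
        # (/reset, as suggested in the comments). /grant:r alone only replaces
        # entries whose inheritance flags match the new entry.
        [switch] $ResetFirst
    )

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }

    # Braces are required: "$User:(OI)" makes PowerShell read ':' as a
    # scope/drive separator and fail to parse the string.
    $principal = "$Domain\${User}"

    # Each entry is one icacls argument list; order does not matter for grants.
    $grants = @(
        # SYSTEM and Domain Admins: full control on the folder and everything below.
        @('/grant', 'SYSTEM:(OI)(CI)(F)'),
        @('/grant', "$Domain\Domain Admins:(OI)(CI)(F)"),
        # User: Modify on subfolders and files only. (IO) = inherit-only, so the
        # entry is handed to children but does not apply to the folder itself.
        @('/grant', "${principal}:(OI)(CI)(IO)(M)"),
        # User on the top-level folder itself: no inheritance flags, so this
        # entry applies only here.
        @('/grant', "${principal}:($TopLevelRights)")
    )

    if ($ResetFirst -and $PSCmdlet.ShouldProcess($Folder, 'icacls /reset /T /C')) {
        # /T = recurse, /C = continue past per-file errors and report them.
        icacls.exe $Folder /reset /T /C | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed with exit code $LASTEXITCODE" }
    }

    foreach ($grant in $grants) {
        $label = "icacls $($grant -join ' ')"
        if ($PSCmdlet.ShouldProcess($Folder, $label)) {
            # Array splatting passes each element as a separate native argument.
            icacls.exe $Folder @grant | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "$label failed with exit code $LASTEXITCODE" }
        }
    }

    # Show the result so it can be compared with a folder configured in the GUI.
    icacls.exe $Folder
}

# Usage with assumed values; -WhatIf prints the planned icacls calls without running them.
# Set-HomeFolderAcl -Folder '\\server\Users\M\Marra' -Domain 'CONTOSO' -User 'Marra' -WhatIf
```

Run it once with -WhatIf to see the exact icacls invocations, then without it; the final "icacls $Folder" output should show the user's (OI)(CI)(IO) Modify entry plus a separate non-inherited entry carrying only the top-level rights.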