Setting Deny Permissions with ICACLS on "This Folder"
For anyone else who finds this 6.5 year old post, this is what fixed things for me - https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110 - using OP's original command, you would use ICACLS "{PATH}" /DENY "{AD Group}:(DE)" - simply add DE instead of D, which as the article points out, has a bug or glitch in it where it removes synchronize as well as delete. Annoying, but an easy fix.
Related videos on Youtube
Ganske
Updated on September 18, 2022Comments
-
Ganske over 1 year
ICACLS "{PATH}" /DENY "{AD Group}:(D)"
I want to deny the ability for {AD Group} to delete the parent folder but still have permissions to delete child folder and files. However, when I set the DENY Delete on the parent, it prevents Traverse Folder access to the folder.
I read that this is a synchronize error but if I set (D,S) I can traverse the folder but I can also delete it.
Currently ACL_FILE_IST is the only permission on the folder.
Has anyone seen a workaround?
ICACL COMMANDS
- ICACLS "C:\TEMP\TestPermissions" /GRANT "ACL_FILE_IST:(OI)(CI)(M)"
- ICACLS "C:\TEMP\TestPermissions" /DENY "ACL_FILE_IST:(D)"
ICACLS ACL
testpermissions
D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)
-
Ganske about 10 yearsUnfortunately not. I'm still locked out of the folder.
-
Ben Lavender about 10 yearsWell arn't you supposed to make sure at least someone in the DACL has access?
-
Ganske about 10 yearsIm not trying to lock myself out. I want to lock the folder down for other users so Im trying to get it right using a dummy account but its not working.
-
Ben Lavender about 10 yearsCan you paste the acl here please?
-
Ganske about 10 yearsIve added it to the original post. Any insight would be appreciated Ben. Thanks!