#154207 - 2005-12-29 12:14 AM NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
Hello,

I'm using cacls to change permissions on some files, however it's not giving me the outcome I want. I realise this is not really a Kix problem, but just wondering if anyone has any ideas...

Basically the situation is that I have an ini file which I want users and administrators of the local pc to be able to read (actually the application running as the user account), but not to be able to modify the contents, delete, move or change the filename. The only users who should have access to this is the application's admin group in AD.

By giving the AD admins group FC, and the local users group Read and execute access, I have been able to achieve this. The problem lies with the local administrators group. I haven't been able to find the correct permissions to deny them modify permissions, without explicitly denying both the local users and local admins full control, but then they cannot open the file either.

I realise that local admins would be able to change the permissions back to modify themselves, but we are hoping to play on most users' ignorance of NTFS permissions.

Any help would be appreciated.

#154208 - 2005-12-29 12:24 AM Re: NTFS Permissions
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Have you looked at SubInACL? I think it has more to offer than CACLS.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#154209 - 2005-12-29 12:29 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
Hi Les,

I'm not sure if it's an issue with CACLS or not, I've tried manually modifying the permissions to what I want, but I haven't been able to get the permissions I need...

What I'm saying is, I need help defining >what< the permissions should be, not deploying them onto the file.

#154210 - 2005-12-29 01:04 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Nope it's not an issue with CACLS or FILEACLS or SubInACL.

They all would treat the file the same way. I'll give you and others a few minutes to see who comes back with the right answer.

If you check I bet you can't set it to really what you want even via the GUI.

I'll be back later to explain why.

#154211 - 2005-12-29 01:15 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
hmmm...So NTDOC, there's no way to deny administrators modify rights whilst also being able to read the file?
#154212 - 2005-12-29 01:20 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Yes there is. Give me a few minutes and I'll be back and give you an answer.
#154213 - 2005-12-29 01:27 AM Re: NTFS Permissions
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
hmm...
can't you just deny writing?
doesn't that effectively deny any modification?
#154214 - 2005-12-29 01:29 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Doesn't stop them from RENAMING the file or DELETING the file Jooel.
#154215 - 2005-12-29 01:31 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Daniel,

Hint... what about the Parent?

#154216 - 2005-12-29 01:36 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
NTDoc, do you mean not having permissions inherited from the parent? I've unchecked the box in the GUI and administrators can still rename/delete the file...
#154217 - 2005-12-29 01:38 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Nope...

Basically my guess is that the folder permissions are taking over which allow the Admin to still have FULL rights to files/folders below. So even though you set a specific permission to a file it's ignored unless it is a DENY ACL which takes precedence.

You need to modify the FOLDER permissions so that the Admin and Users only have READ-ONLY and Execute on that folder.

#154218 - 2005-12-29 01:45 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
That's got it!

Thanks Doc!

#154219 - 2005-12-29 02:00 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
I've done some tests, and it pretty much works, the only problem I've found is that admin users can delete the file (although they cannot recreate another one in the directory). Because they can't write to the directory, it means they can't update the ini file, but it would be good to disallow them to delete as well...

Is there a simple way to do this?

#154220 - 2005-12-29 02:09 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Well you must still set ACL on the file, not just the folder.


C:\TEMP (set the folder perms)
ACL=Administrators - READ ONLY
ACL=Domain Users - READ ONLY

C:\TEMP\TEST.INI
ACL=Domain Users - READ ONLY

Then log off to reset the Administrator Token for your testing. You should no longer be able to do anything except read that file.

#154221 - 2005-12-29 02:25 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
You mean:
C:\TEMP\TEST.INI
ACL=Administrators - READ ONLY
ACL=Domain Users - READ ONLY
ACL=AD Admin - FULL CONTROL

for the ini file?

I'm a little confused; shouldn't the permissions changed on the parent be automatically propagated to the child?

#154222 - 2005-12-29 02:33 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Wherever you have this folder

Remove inheritance on the folder.

SET ACL on the folder as shown, if you want only Active Directory admins to be able to change it then give them Modify or FULL on the folder and the file.

No, you don't want propagation, you want to specifically set it on FOLDER and FILE.

Then only AD Admins should be able to change the file.

#154223 - 2005-12-29 02:48 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
OK, it seems to be working, if I uncheck inheritance from the folder (C:\Temp in your example). I didn't have to uncheck anything or manually change perms on the files (?).

Can you use Cacls to uncheck the inheritance box? I'm looking at the help page, not sure if I can use something like CI, OI or IO?

#154224 - 2005-12-29 02:52 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Quote:

Can you use Cacls to uncheck the inheritance box?

Don't recall off the top of my head, but I would think one of those utilities would allow you to.

#154225 - 2005-12-29 02:55 AM Re: NTFS Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Going from memory here. Haven't done command line ACL for a few years now. Once the permissions are set correctly by groups - typically don't need much change that would require me to do it via command line.

I don't think CACLS allows it though as I recall, not sure about one of the other utils.

#154226 - 2005-12-29 03:34 AM Re: NTFS Permissions
daniel1982 Offline
Getting the hang of it

Registered: 2005-03-23
Posts: 77
Loc: Sydney, Australia
Yes I don't think Cacls lets you do it, however Xcacls.vbs from Microsoft allows you to select/deselect the checkbox.

Thanks for all of your help!
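
The layout worked out in this thread (explicit read-only entries on both the folder and the file, with inheritance removed), as an added example that is not part of the original posts. It uses icacls, the newer built-in replacement for cacls rather than a tool used in the thread, and the path, domain and group names are assumptions.

```powershell
# Added example. Path, domain and group names are constructed; substitute your own.
$folder    = 'C:\TEMP'
$file      = Join-Path $folder 'TEST.INI'
$appAdmins = 'EXAMPLE\AppAdmins'        # hypothetical AD admin group
$readers   = 'BUILTIN\Administrators', 'EXAMPLE\Domain Users'

# 1. Add the explicit entries first so nobody is locked out once the inherited
#    ones are removed. /grant:r replaces any earlier explicit grant for the
#    same principal. RX carries neither DELETE on the file nor "delete child"
#    on the folder; either of those two rights is enough to delete the file.
foreach ($path in $folder, $file) {
    icacls $path /grant:r "${appAdmins}:F"
    foreach ($who in $readers) { icacls $path /grant:r "${who}:RX" }
}

# 2. Clear the "inherit from parent" box on both objects and drop the
#    inherited entries (use /inheritance:d to keep them as explicit copies).
icacls $folder /inheritance:r
icacls $file   /inheritance:r

# 3. Check the result: inheritance must be off, and nobody except the admin
#    group may hold an Allow entry with a write, delete or ACL-changing right.
$risky = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
foreach ($path in $folder, $file) {
    $acl = Get-Acl -LiteralPath $path
    $bad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $appAdmins -and
        ([int]$_.FileSystemRights -band [int]$risky) -ne 0
    })
    [pscustomobject]@{
        Path               = $path
        InheritanceRemoved = $acl.AreAccessRulesProtected
        RiskyEntries       = ($bad | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    }
}
```

An empty RiskyEntries column with InheritanceRemoved set to True on both rows matches the layout above; any explicit entries left over from before the change show up in that column.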
