Re: XCACLS utility help

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/29/05

• Next message: Michael Sainz: "Computer Certificates"
• Previous message: BC: "Re: Adding DSL Router to existing Win2K Server and 3 clients"
• In reply to: Mark B: "XCACLS utility help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 28 Jan 2005 22:41:28 -0700

xcacls.exe does not have that granularity available for deny
You could download xcacls.vbs which does allow for finer
control of special access ACEs, including denies, and will
do what you are attempting.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Mark B" <mark@mosaiccomputers.com.au> wrote in message
news:%23utBEDaBFHA.2076@TK2MSFTNGP15.phx.gbl...
> Hi all,
>
> I work in a school environment, and have taken over administration of the
> school's servers. I have just created over 1000 users and their
assosciated
> home folders.
>
> I need to prevent users from deleting their own home folder
(H:\<username>).
> By default, when the folder is created, the user has this right.
>
> Using XCACLS on a 2003 Server, what is the command to do this? I can ALLOW
> each user the "special access" to DELETE the folder, but am unsure of the
> switch to DENY the right. This is what I need to achieve:-
>
> Denying the users the right to delete their home folder (but not
> sub-folders), and
> removing the "allow inheritable permissions" on the folder.
>
> If I set the permissions using the GUI, and then run XCACLS, this is what
is
> reported:-
>
> Processed directory FRED
>
> D:\Users\FRED MyServer\FRED:(DENY)(special access:)
>                                                     DELETE
>
>                          Builtin\Administrators:(OI)(CI)F
>                         MyServer\Fred:(OI)(CI)F
>
> I cannot seem to replicate that "DENY" part of the special access! What is
> the switch?!?!?
>
> Many thanks,
>
> Mark
>
>

• Next message: Michael Sainz: "Computer Certificates"
• Previous message: BC: "Re: Adding DSL Router to existing Win2K Server and 3 clients"
• In reply to: Mark B: "XCACLS utility help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages XCACLS utility help ... school's servers. ... I need to prevent users from deleting their own home folder. ... removing the "allow inheritable permissions" on the folder. ... I cannot seem to replicate that "DENY" part of the special access! ... (microsoft.public.windows.server.security) RE: XCACLS.VBS ... Subinacl is a great tool to use to grant or deny users permissions to a ... >I need to set explicit deny special access permissions ... >to GRANT special access, the VBS allows you to DENY it. ... (microsoft.public.win2000.security) Re: XCACLS.VBS ... for deny permissions. ... --- Steve ... > to GRANT special access, the VBS allows you to DENY it. ... (microsoft.public.win2000.security) Re: Server Container disappears - Please help I am stranded ... Okay, I was able to get the Distinguished name and run the command. ... There is NO DENY lines at all. ... There is some special access lines, ... (microsoft.public.exchange.admin)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint