Microsoft Operating System Forum

btsystems

Hi,

Ive changed my permissions on a drive. (I:\) The permissions for my
current user are all set to deny. I would like to override these
permissions, however i only want to do this via command line or a batch
file.

If anyone could let me know how this can be done, or if it can be done
at all please let me know.

Mvh

BT.


--
btsystems

Mark H

At an elevated command prompt:
ICACLS /?

ICACLS name /save aclfile [/T] [/C]
store the acls for all matching names into aclfile for
later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C]
applies the stored acls to files in directory.

ICACLS name /setowner user [/T] [/C]
changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C]
finds all matching names that contain an ACL
explicitly mentioning Sid.

ICACLS name /verify [/T] [/C]
finds all files whose ACL is not in canonical form or whose
lengths are inconsistent with ACE counts.

ICACLS name /resize [/T] [/C] [/L]
changes incorrect recorded lengths of ACLs to true lengths.

ICACLS name /reset [/T] [/C]
replaces acls with default inherited acls for all matching files.

ICACLS name [/grant[:r] Siderm[...]]
[/deny Siderm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C]

/grant[:r] Siderm grants the specified user access rights. With :r,
the permissions replace any previously granted explicit permissions.
Without :r, the permissions are added to any previously granted
explicit permissions.

/deny Siderm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions and
the same permissions in any explicit grant are removed.

/remove[:[g|d]] Sid removes all occurrences of Sid in the acl. With
:g, it removes all occurrences of granted rights to that Sid. With
:d, it removes all occurrences of denied rights to that Sid.


Note:
Sids may be in either numeric or friendly name form. If a numeric
form is given, affix a * to the start of the SID.

/T indicates that this operation is performed on all matching
files/directories below the directories specified in the name.

/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.

ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants

perm is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access
a comma-separated list in parentheses of specific rights:
D - delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes
inheritance rights may precede either form and are applied
only to directories:
(OI) - object inherit
(CI) - container inherit
(IO) - inherit only
(NP) - don't propagate inherit

Examples:

icacls c:\windows\* /save AclFile /T
- Will save the ACLs for all files under c:\windows
and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
- Will restore the Acls for every file within
AclFile that exists in c:\windows and its subdirectories

icacls file /grant AdministratorD,WDAC)
- Will grant the user Administrator Delete and Write DAC
permissions to file

icacls file /grant *S-1-1-0D,WDAC)
- Will grant the user defined by sid S-1-1-0 Delete and
Write DAC permissions to file

"btsystems" <guest@unknown-email.com> wrote in message
news:c19009c121a560d9c075bc3e63921c75@nntp-gateway.com...
>
> Hi,
>
> Ive changed my permissions on a drive. (I:\) The permissions for my
> current user are all set to deny. I would like to override these
> permissions, however i only want to do this via command line or a batch
> file.
>
> If anyone could let me know how this can be done, or if it can be done
> at all please let me know.
>
> Mvh
>
> BT.
>
>
> --
> btsystems

sparkinark

If by Sid you are referring to some sort of session ID for whatever
username I'm logged in as, I got that part. How would I go about
finding out my Sid, though?

Also, I was a Netware and *early* Windows NT/2000 systems admin for a
medium-sized company and have played around a bit with the later XP
server administrative section, and all were (if not GUI, which I don't
mind), easy to understand and if you understood the canonical form, not
hard to implement. I was taught to always do everything by groups, such
that a group was made for even a temp access by one user. That way you
could copy the group if as a template if you needed to provide access
for others in such a same way.

In any event, why on earth, when this is just one computer sitting on
my desk with no network and no one but myself to do anything on God's
green earth I want to it, does MS put in all this "rights" crap and not
let me at least be "admin" on the computer, if not the domain (a domain
of 1 here), or let me see it like Unix/Novell as a cmd line item that I
can change as *root*? Where the #@# is my "I'm not on a network, I
don't have a network, I don't give a rat's butt about rights, just make
me root and shut the @#@#$ up" button?. I paid for the software, the
computer and if it breaks or gets a cold, you can say you warned me or
something, but so far I still get viruses, rootkits, malware, etc. and
*also* have to put up with user rights and inheritance, etc, on one
single little bitty computer with no way to understandably force
propogage down rights.

Keep the system files safe and deny access - ok, I'll go along with
that, if you can assure me that by keeping me out I'll never have to do
an "sfc" and read a 10mb test logfile again. I'm apparently not the one
screwing up my system from time to time, so cutting me out is just
cutting out the only one who can fix things.

If, by chance, someone finds a way to override all this b*s for
non-wireless home or SOHO's without a dedicated server domain, or even
more to the point, the chap like myself who might eventually run Win
2000 (MS's most stable server) on an old pc as a file and print server
and maybe run an HTPC off that same 4-port hub (with a port to spare)
and is the *ONLY* user on the machine, I'll pay them another $400 or so
*per machine license* to shut this crap off and let me have control over
my own damn machine.

(Sorry, had to get that off my chest... expletives were actually held
back and only used where I thought a definitive point had to be
punctuated accordingly)

Isn't that why we have XP Home and XP Enterprise (or Professional, or
whatever they call it today)?

Gads...

So, go over it 100 times again so I'll understand... I want to move a
directory and cannot due to this ... stuff ... How do I overrride the
files *and* directories ACL's and mass de-inherit them? Or do I need to
go to secpol and take away all rights of all other groups, including
SYSTEM (which I know you won't let me do)?

I think I'm going to load Ubuntu up and just do it from there. Linux
is hard for me to understand but at least I can get it to work if I read
the (man) files for a few weeks.

Might also dig out my Win 2000 disk and see how much I've lost and what
I'll lost by (ostensibly) downgrading.

Someone please kick someone's butt way up in the "I'm a billionaire MS
manager" club.

Shawn Harvey (not afraid to post his name)
sparkinark@yahoo.com


--
sparkinark

FromTheRafters

Activate the real Administrator account and use that. It doesn't
have any UAC features.

"sparkinark" <guest@unknown-email.com> wrote in message
news:01ad803236f06d79df8a14969b12d55d@nntp-gateway.com...
>
> If by Sid you are referring to some sort of session ID for whatever
> username I'm logged in as, I got that part. How would I go about
> finding out my Sid, though?
>
> Also, I was a Netware and *early* Windows NT/2000 systems admin for a
> medium-sized company and have played around a bit with the later XP
> server administrative section, and all were (if not GUI, which I don't
> mind), easy to understand and if you understood the canonical form, not
> hard to implement. I was taught to always do everything by groups, such
> that a group was made for even a temp access by one user. That way you
> could copy the group if as a template if you needed to provide access
> for others in such a same way.
>
> In any event, why on earth, when this is just one computer sitting on
> my desk with no network and no one but myself to do anything on God's
> green earth I want to it, does MS put in all this "rights" crap and not
> let me at least be "admin" on the computer, if not the domain (a domain
> of 1 here), or let me see it like Unix/Novell as a cmd line item that I
> can change as *root*? Where the #@# is my "I'm not on a network, I
> don't have a network, I don't give a rat's butt about rights, just make
> me root and shut the @#@#$ up" button?. I paid for the software, the
> computer and if it breaks or gets a cold, you can say you warned me or
> something, but so far I still get viruses, rootkits, malware, etc. and
> *also* have to put up with user rights and inheritance, etc, on one
> single little bitty computer with no way to understandably force
> propogage down rights.
>
> Keep the system files safe and deny access - ok, I'll go along with
> that, if you can assure me that by keeping me out I'll never have to do
> an "sfc" and read a 10mb test logfile again. I'm apparently not the one
> screwing up my system from time to time, so cutting me out is just
> cutting out the only one who can fix things.
>
> If, by chance, someone finds a way to override all this b*s for
> non-wireless home or SOHO's without a dedicated server domain, or even
> more to the point, the chap like myself who might eventually run Win
> 2000 (MS's most stable server) on an old pc as a file and print server
> and maybe run an HTPC off that same 4-port hub (with a port to spare)
> and is the *ONLY* user on the machine, I'll pay them another $400 or so
> *per machine license* to shut this crap off and let me have control over
> my own damn machine.
>
> (Sorry, had to get that off my chest... expletives were actually held
> back and only used where I thought a definitive point had to be
> punctuated accordingly)
>
> Isn't that why we have XP Home and XP Enterprise (or Professional, or
> whatever they call it today)?
>
> Gads...
>
> So, go over it 100 times again so I'll understand... I want to move a
> directory and cannot due to this ... stuff ... How do I overrride the
> files *and* directories ACL's and mass de-inherit them? Or do I need to
> go to secpol and take away all rights of all other groups, including
> SYSTEM (which I know you won't let me do)?
>
> I think I'm going to load Ubuntu up and just do it from there. Linux
> is hard for me to understand but at least I can get it to work if I read
> the (man) files for a few weeks.
>
> Might also dig out my Win 2000 disk and see how much I've lost and what
> I'll lost by (ostensibly) downgrading.
>
> Someone please kick someone's butt way up in the "I'm a billionaire MS
> manager" club.
>
> Shawn Harvey (not afraid to post his name)
> sparkinark@yahoo.com
>
>
> --
> sparkinark

Sam Hobbs

What is this thing called, SID?
http://blogs.msdn.com/larryosterman/...01/224051.aspx

Security Identifiers
http://msdn.microsoft.com/en-us/library/aa379571.aspx

2.4.2 SID
http://msdn.microsoft.com/en-us/libr...(PROT.10).aspx

SID Strings
http://msdn.microsoft.com/en-us/library/aa379602.aspx

SID Structure
http://msdn.microsoft.com/en-us/library/aa379594.aspx

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/default.aspx/kb/243330



"sparkinark" <guest@unknown-email.com> wrote in message
news:01ad803236f06d79df8a14969b12d55d@nntp-gateway.com...
>
> If by Sid you are referring to some sort of session ID for whatever
> username I'm logged in as, I got that part. How would I go about
> finding out my Sid, though?
>
> Also, I was a Netware and *early* Windows NT/2000 systems admin for a
> medium-sized company and have played around a bit with the later XP
> server administrative section, and all were (if not GUI, which I don't
> mind), easy to understand and if you understood the canonical form, not
> hard to implement. I was taught to always do everything by groups, such
> that a group was made for even a temp access by one user. That way you
> could copy the group if as a template if you needed to provide access
> for others in such a same way.
>
> In any event, why on earth, when this is just one computer sitting on
> my desk with no network and no one but myself to do anything on God's
> green earth I want to it, does MS put in all this "rights" crap and not
> let me at least be "admin" on the computer, if not the domain (a domain
> of 1 here), or let me see it like Unix/Novell as a cmd line item that I
> can change as *root*? Where the #@# is my "I'm not on a network, I
> don't have a network, I don't give a rat's butt about rights, just make
> me root and shut the @#@#$ up" button?. I paid for the software, the
> computer and if it breaks or gets a cold, you can say you warned me or
> something, but so far I still get viruses, rootkits, malware, etc. and
> *also* have to put up with user rights and inheritance, etc, on one
> single little bitty computer with no way to understandably force
> propogage down rights.
>
> Keep the system files safe and deny access - ok, I'll go along with
> that, if you can assure me that by keeping me out I'll never have to do
> an "sfc" and read a 10mb test logfile again. I'm apparently not the one
> screwing up my system from time to time, so cutting me out is just
> cutting out the only one who can fix things.
>
> If, by chance, someone finds a way to override all this b*s for
> non-wireless home or SOHO's without a dedicated server domain, or even
> more to the point, the chap like myself who might eventually run Win
> 2000 (MS's most stable server) on an old pc as a file and print server
> and maybe run an HTPC off that same 4-port hub (with a port to spare)
> and is the *ONLY* user on the machine, I'll pay them another $400 or so
> *per machine license* to shut this crap off and let me have control over
> my own damn machine.
>
> (Sorry, had to get that off my chest... expletives were actually held
> back and only used where I thought a definitive point had to be
> punctuated accordingly)
>
> Isn't that why we have XP Home and XP Enterprise (or Professional, or
> whatever they call it today)?
>
> Gads...
>
> So, go over it 100 times again so I'll understand... I want to move a
> directory and cannot due to this ... stuff ... How do I overrride the
> files *and* directories ACL's and mass de-inherit them? Or do I need to
> go to secpol and take away all rights of all other groups, including
> SYSTEM (which I know you won't let me do)?
>
> I think I'm going to load Ubuntu up and just do it from there. Linux
> is hard for me to understand but at least I can get it to work if I read
> the (man) files for a few weeks.
>
> Might also dig out my Win 2000 disk and see how much I've lost and what
> I'll lost by (ostensibly) downgrading.
>
> Someone please kick someone's butt way up in the "I'm a billionaire MS
> manager" club.
>
> Shawn Harvey (not afraid to post his name)
> sparkinark@yahoo.com
>
>
> --
> sparkinark

Sam Hobbs

The following VBScript will show various account information including SID.
I tested it using Vista. It creates a CSV file that you should be able to
import into a database.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery ("Select * from Win32_UserAccount
Where LocalAccount = True")
Message = """Account
Type"",""Caption"",""Description"",""Disabled"","" Domain"","
Message = Message & """Full Name"",""Local Account"",""Lockout"",""Name"","
Message = Message & """Password Changeable"",""Password Expires"","
Message = Message & """Password Required"",""SID"",""SID Type"",""Status"""
WScript.Echo Message
For Each objItem in colItems
Message = objItem.AccountType & ","
Message = Message & objItem.Caption & ","
Message = Message & """" & objItem.Description & """" & ","
Message = Message & objItem.Disabled & ","
Message = Message & objItem.Domain & ","
Message = Message & """" & objItem.FullName & """" & ","
Message = Message & objItem.LocalAccount & ","
Message = Message & objItem.Lockout & ","
Message = Message & objItem.Name & ","
Message = Message & objItem.PasswordChangeable & ","
Message = Message & objItem.PasswordExpires & ","
Message = Message & objItem.PasswordRequired & ","
Message = Message & objItem.SID & ","
Message = Message & objItem.SIDType & ","
Message = Message & objItem.Status
WScript.Echo Message
Next


"sparkinark" <guest@unknown-email.com> wrote in message
news:01ad803236f06d79df8a14969b12d55d@nntp-gateway.com...
>
> If by Sid you are referring to some sort of session ID for whatever
> username I'm logged in as, I got that part. How would I go about
> finding out my Sid, though?