Tech Line
Cacls Catastrophe
Enabling permissions inheritance after cacls takes it away.
Yesterday I made a pretty big mistake at work and am hoping to learn from it. We were installing a new user file monitoring app that required its own user account. I created the new account and didn't want to just join it to the Domain Admins group. So I decided to use the cacls.exe command to give the new account access to the user folders that it would be monitoring. We have a back-up share and have manually created a subfolder for each user. Anything a user saves on his back-up share is backed up nightly.
Instead of adding the account to the ACLs, cacls replaced the ACLs with the new account. It also disabled inheritance. At this point, I decided to use our back-up software (CommVault Galaxy) to restore the folder ACLs. That got me back to square one. After that disaster, I realized that all I really needed to do was to add the account to the ACL of the parent back-up folder and be done with it; inheritance would have taken care of the rest. I also figured out that with cacls, I needed to use the /e switch, so that the command would not replace the current folder ACLs.
While I'm more comfortable with cacls now, I'm still at a loss for how to enable permissions inheritance on 800 folders inside a single directory, where each folder has permissions inheritance disabled. I know I can do this using Windows Explorer, but I think that there has to be a better way. Is there a script or another tool that you can recommend?
— Jared
After talking with Jared, I learned that he used this cacls command:
cacls * /t /g monitoruser:r
Jared ran it from inside the back-up folder and used the * to specify all content within the folder. Without /e, the /g switch replaces each folder's existing ACL with a single entry for the named user, which is exactly what happened here. While the easiest way to add the new user to all folder ACLs would have been to just add the user to the parent "Backup" folder, he could have saved himself by using the /e switch with the command, which edits the existing ACL instead of replacing it.
I also learned that Jared ran the command on a Saturday morning, so he was able to make the mistake and recover without having to tell anyone about it. It's always nice to get away with one once in a while as a network administrator.
Now for enabling permissions inheritance on folders, Jared's right about the limitations of cacls. However, there are some easy ways to bring inheritance back. The easiest way to reset the inheritance flag is the script xcacls.vbs. Once you download this script, you can use it to enable inheritance on any folder and range of subfolders. For Jared's case, this would be the required syntax (assuming xcacls.vbs was copied to the C:\Windows folder and the command was run from inside his back-up folder):
cscript c:\windows\xcacls.vbs * /s /t /i ENABLE
In the command, the /s switch tells the command to also modify all subfolders. The /t switch causes the command to traverse all subfolders as well (thus changing any lower-level directories). The /i switch tells the command to set the inheritance flag, and the ENABLE argument that follows it turns inheritance back on.
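For anyone who would rather see which of the 800 folders actually have inheritance blocked before changing anything, here is an added PowerShell example (not from the column or from xcacls.vbs) that audits each per-user subfolder and, only when run with -Apply, switches inheritance back on. The share path D:\Backup is an assumed placeholder for Jared's back-up folder.

```powershell
# Added example: report per-user subfolders whose ACL has inheritance
# disabled (the state cacls /g left behind) and optionally re-enable it.
param(
    [string]$SharePath = 'D:\Backup',   # placeholder for the back-up share
    [switch]$Apply                      # omit for a report-only dry run
)

$results = foreach ($dir in Get-ChildItem -LiteralPath $SharePath -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # AreAccessRulesProtected is $true when inheritance from the parent is blocked
    $protected = $acl.AreAccessRulesProtected
    # Explicit (non-inherited) ACEs survive a reset, so show how many there are
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited }).Count

    if ($protected -and $Apply) {
        # First argument $false = stop protecting, i.e. inherit from the parent again.
        # The second argument is ignored when the first is $false, so explicit ACEs stay.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        $action = 'inheritance re-enabled'
    }
    elseif ($protected) {
        $action = 'would re-enable (run with -Apply)'
    }
    else {
        $action = 'ok'
    }

    [pscustomobject]@{
        Folder       = $dir.Name
        Protected    = $protected
        ExplicitACEs = $explicit
        Action       = $action
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { $_.Protected }).Count
"{0} of {1} folders had inheritance disabled" -f $blocked, $results.Count
```

Run it once without -Apply and keep the table as a record of what was changed; Set-Acl needs an account that can write each folder's DACL, so run it as an administrator on the file server.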
Take a good look at xcacls.vbs, as it’s an excellent permissions management tool. As you will see, it’s much more powerful than cacls or the xcacls.exe support tool. Another popular tool for ACL management is SetACL, which is available on sourceforge.net.