After cacls and xcacls.vbs, we now have icacls to set file and folder permissions.
Here are some practical examples.
Create a bunch of directories:
md d:\apps
md d:\profiles
md d:\users
Share the directories. Note the offline caching setting: users are allowed to enable offline caching for their home directories, while offline caching is disabled for the other shares. The share permissions are deliberately wide open (Everyone, FULL); the effective rights are controlled by the NTFS permissions set below.
net share apps=d:\apps /grant:everyone,FULL /CACHE:None
net share profiles=d:\profiles /grant:everyone,FULL /CACHE:None
net share users=d:\users /grant:everyone,FULL /CACHE:Manual
Now let’s script the NTFS permissions for the apps share:
- “(OI)(CI)F” means Full Control on “This Folder, Subfolders and files”
- “(OI)(CI)M” means Modify on “This Folder, Subfolders and files”
- “/inheritance:r” removes all ACEs inherited from the parent folder
icacls "d:\apps" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\apps" /grant "everyone":(OI)(CI)M /inheritance:r
On the profiles share, only the “domain admins” should be allowed to enter all “Folders, Subfolders and files” (hence the (OI)(CI)F); everyone else should only be able to read “this folder only”.
So without a combination of (CI) and/or (OI), a grant applies to “this folder only”.
icacls "d:\profiles" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\profiles" /grant "everyone":R /inheritance:r
Upon creating a new user, the Domain Admin should manually create a profile folder for the user and add the user with appropriate rights.
The same goes for the users share containing the home directories of all users.
icacls "d:\users" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\users" /grant "everyone":R /inheritance:r
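The per-user step described above (creating the user’s folder under the share and granting that user rights) as a small batch script, added here as an example and not part of the original post. It assumes the d:\users layout from this post and a placeholder domain name CONTOSO; the same script works for the profiles share by changing the root folder.

```batch
@echo off
rem Added example (not from the original post): provision a home directory for one user.
rem Usage: newhome.cmd <samaccountname>     e.g. newhome.cmd jdoe
rem Assumes the d:\users share root from the post; CONTOSO is a placeholder domain name.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<username^>
    exit /b 1
)
set "USER_ARG=%~1"
set "DOMAIN=CONTOSO"
set "HOMEDIR=d:\users\%USER_ARG%"

rem Refuse to touch an existing folder: its ACL may already have been tailored by hand.
if exist "%HOMEDIR%" (
    echo %HOMEDIR% already exists, leaving its ACL untouched.
    exit /b 1
)
md "%HOMEDIR%" || exit /b 1

rem Stop inheriting the share-root ACL (where "everyone" has R on the root folder only),
rem then grant explicitly: domain admins get Full Control and the user gets Modify,
rem both on this folder, subfolders and files (OI)(CI). No "everyone" entry here at all.
icacls "%HOMEDIR%" /inheritance:r ^
    /grant "%DOMAIN%\domain admins":(OI)(CI)F ^
    /grant "%DOMAIN%\%USER_ARG%":(OI)(CI)M
if errorlevel 1 (
    echo icacls failed, removing the empty folder %HOMEDIR%
    rd "%HOMEDIR%"
    exit /b 1
)

rem Make the user the owner so disk quota accounting is charged to them. Note that an
rem owner can always read and change the ACL of the folder; drop this line if domain
rem admins alone should control the ACL.
icacls "%HOMEDIR%" /setowner "%DOMAIN%\%USER_ARG%"

rem Verify: the listing should show exactly the two explicit entries and no inherited "(I)" ones.
icacls "%HOMEDIR%"
endlocal
```

Run it as a member of "domain admins" on the file server; `icacls d:\users\jdoe` afterwards is the quickest way to confirm that no inherited entry from the share root slipped through.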
Now use your own imagination :)