As an administrative tool, Icacls is a double-edged sword. On one hand, its command-line interface is a ridiculously-powerful Swiss army knife for configuring permissions. With it, you can accomplish virtually every permissioning task you'll ever come across during your IT career.
But in order to become that "everything-for-everyone" solution, Icacls has evolved over time into a ridiculously complicated tool as well. As you learned in my last article on
- Top tools for fixing Windows NTFS corruption issues
- Open source distributed file system (DFS) solutions go beyond Windows
- The anatomy of a Distributed File System namespace
That's why the last article focused on a set of exceptionally simple uses, which you'll find yourself needing for the vast majority of permissioning activities.
Recall, however, that this series is really about creating an "auditable and automated permissions management solution." The keyword here is solution, because what you want in the end is in fact a single batch file. Inside that batch file is every permission you want to configure for the folder structure, one folder per line.
With such a batch file, setting every permission in the tree would be accomplished by simply… running the batch file. The same holds true for fixing permissions. Finally, and most importantly, running your batch file as a daily (or better) scheduled task would automatically ensure the correctness of each permission every evening.
Sound too good to be true? It's not, but it does take just a little bit of front-end work.
Job #1: Excel
The first job is to sketch out your folder structure. Microsoft Excel is a handy tool for accomplishing this. Start by entering into your Excel spreadsheet the "major" folders in your structure. These major folders are the ones where the permissions structure changes as a user traverses down. For each folder, include the permissions you want each folder to contain. Remember here that every permission you set will always be inherited by folders below it.
Icacls has a mechanism to visualize these permissions. You can get a report on every single file and folder at and below C:\Public by using this syntax:
icacls C:\Public /T
Personally, I hate this report. Sure it's comprehensive -- in fact it's too comprehensive. You won't be changing permissions for every folder below C:\Public; the vast majority get their permissions by simply inheriting them from the folder above. It is for this reason that I tend not to use the command above to create this Excel spreadsheet, electing instead to create the spreadsheet on my own.
If your structure is too complicated to accomplish this task unaided, consider downloading the Microsoft Sysinternals tool AccessEnum. This free tool will help you better visualize your permissions in a complex structure. I use it to help me identify where subfolders are different than folders above.
This Excel spreadsheet creation process will take some time, but recognize that in its creation, you are at the same time creating the structure for your eventual batch file. The information you populate into this spreadsheet -- folder paths, folder permissions and permissions inheritance -- is exactly the information Icacls will require. Let me just repeat this one statement, as it's exceptionally important to remember here: Only enter folders into this spreadsheet where a permissions change needs to occur as the user traverses down the tree. The rules of inheritance will take care of every other folder for you.
Job #2: Icacls
Once you've completed that spreadsheet, creating your solution requires only two Icacls command structures. The first directly configures a permission on a folder. You'll use this permission at the top level of your structure. Its syntax looks like this:
icacls C:\Public\ /grant:r "Domain Users":(OI)(CI)M
This syntax directly configures the modify permission onto the C:\Public folder for the Domain Users group, replacing any existing access control lists (ACL). At the same time, it configures all folders below this one to inherit their permissions from this level.
For folders below the top level, you'll use this second syntax:
icacls C:\Public\Private /inheritance:r /grant:r "Finance Users":(OI)(CI)M
Recall that what we're creating with this solution is a batch file that will be run all at once. This means that once the top-level permissions are set, every change below that top level will occur through breaking that folder's inheritance, configuring a new permission, and then turning inheritance back on for folders below. This three-step process ensures that the rules of inheritance are always followed throughout the tree. Its command syntax accomplishes all three of these tasks in a single command line.
That's it! These two commands are all you need to create that automated solution. For situations where you need to configure multiple users or groups (with or without different permissions) on the same folder, use this variant of the second syntax:
icacls C:\Public\Private /inheritance:r /grant:r "Finance Users":(OI)(CI)M "Accounting Users":(OI)(CI)R "IT Admins":(OI)(CI)F
Once you have your batch file created, copy it over to a Scheduled Tasks server somewhere and configure it to run on a schedule of your choosing. Because it accomplishes everything at each execution, re-running this batch file over and over merely ensures that your file structure always matches your script structure.
One important point to make in regards to this script is that obviously, folder structures evolve over time. You'll need to add folders or change permissions on other folders. When those requests arise, make sure to update your solution. Otherwise, the next time it runs you'll find that your permissions have been overwritten by its script.
A four-folder example
It's easiest to visualize how your batch file will look through an example. In this example, let's assume your folder structure starts at the top level with C:\Public. Below that folder are two subfolders, C:\Public\Marketing and C:\Public\Finance. Domain Users should have read access to all the information in these three folders, while the Marketing and Finance groups should have write access.
Also in this structure is a fourth folder with sensitive information, c:\Public\Finance\Sensitive. Only the Finance group should have write access to this folder. No other group should have access.
Creating this structure via a batch file requires four lines:
icacls C:\Public\ /grant:r "Domain Users":(OI)(CI)R
icacls C:\Public\Marketing /inheritance:r /grant:r "Domain Users":(OI)(CI)R "Marketing Users":(OI)(CI)M
icacls C:\Public\Finance /inheritance:r /grant:r "Domain Users":(OI)(CI)R "Finance Users":(OI)(CI)M
icacls C:\Public\Finance\Sensitive /inheritance:r /grant:r "Finance Users":(OI)(CI)M "Executive Users":(OI)(CI)M
There you have it -- four lines and your folders are ready to go.
Always remember that inheritance can be your friend. With a folder structure such as this, Finance and Marketing users can create their own subfolders at will with the assurance that those folders will have the same protections as the folders above.
ABOUT THE AUTHOR: Greg Shields, Microsoft MVP, is a partner and principal technologist with Concentrated Technology. An IT industry analyst, author, speaker and trainer, you can find Greg at ConcentratedTech.com.
This was first published in August 2010