Sign in to follow this  
Followers 0
PsaltyDS

Setting a DENY ACE on a file

6 posts in this topic

#1 ·  Posted (edited)

I'm working on an install script that needs to specificaly set the DENY ACE (access control entry) for Write on a file, for a specfic user. The CACLS and XCACLS command line utilities don't seem to be able to do this. It looks like there is a scripted front end from microsoft called XCACLS.VBS that adds this ability, but I would like to do it from inside my AutoIT script, without calling external VBS scripts.

Anybody done an AutoIT function that will do this?

:D

Edit: Fixed typos.

Edited by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites



I'm working on an install script that needs to specificaly set the DENY ACE for Write on a file, for a specfice user. The CACLS and XCACLS command line utilities don't seem to be able to do this. It looks like there is a scripted front end from microsoft called XCACLS.VBS that adds this ability, but I would like to do it from inside my AutoIT script, with calling external VBS scripts.

Anybody done an AutoIT function that will do this?

:D

if i remember correctly, there was a command line utility that used to be reccommended alot for permissions, maybe SetACLS ? if you do a search for set permissions on the forum i'm sure you'll find a link to it. i believe it can do what you want...

1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100i didn't make up this form of encryption, but i like it.credit to the lvl 6 challenge on arcanum.co.nz

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

if i remember correctly, there was a command line utility that used to be reccommended alot for permissions, maybe SetACLS ? if you do a search for set permissions on the forum i'm sure you'll find a link to it. i believe it can do what you want...

SetACL actually looks like a very cool project. But I would like to do this without calling on anything that is not already on the Server. The leaves me the file properties GUI, COM or DLL call, CACLS.exe, and XCACLS.exe - at least as far as I can tell.

Just so I can move on, I'm going to script the GUI, but that's my LEAST favorite option (just above doing it manually).

:D

Edit: Changed my changed mind again! :P The more I look at that SetACL.exe utility the more I like it. I'm just going to put it in the install @ScriptDir and call it from there.

:D

Edited by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

Edit: Changed my changed mind again! :D The more I look at that SetACL.exe utility the more I like it. I'm just going to put it in the install @ScriptDir and call it from there.

I just used SetACL for a project to add "full" permissions to "everyone" on the %windows%\temporary internet files folder which is a weird folder. Nevertheless, SetACL worked like a charm where XCACLS wouldnt' (couldn't?) do the job...

...by the way, it's pronounced: "JIF"... Bob Berry --- inventor of the GIF format

Share this post


Link to post
Share on other sites

I just used SetACL for a project to add "full" permissions to "everyone" on the %windows%\temporary internet files folder which is a weird folder. Nevertheless, SetACL worked like a charm where XCACLS wouldnt' (couldn't?) do the job...

The command line sytax SetACL is complicated, but that's because it's so powerfull. I needed to take a folder with Authenticated Users set to Modify, and deny just Write to one user. CACLS and XCACLS couldn't handle it, and not only that, they caused an error for ACE entries being out of sequence when they were done! (All deny ACEs are supposed to come before permit ACEs.) The SetACL command came out:

$RetCode = RunWait(@ComSpec ' /c SetACL.exe -on "C:\Folder_X\File_Y.cfg" -ot file -actn ace -ace "t:User_Z;p:Write;m:Deny")

The object name and object type work just as well with files, folders, printers, registry keys, etc...

Very Cool! :D


Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

The command line sytax SetACL is complicated, but that's because it's so powerfull. I needed to take a folder with Authenticated Users set to Modify, and deny just Write to one user. CACLS and XCACLS couldn't handle it, and not only that, they caused an error for ACE entries being out of sequence when they were done! (All deny ACEs are supposed to come before permit ACEs.) The SetACL command came out:

$RetCode = RunWait(@ComSpec ' /c SetACL.exe -on "C:\Folder_X\File_Y.cfg" -ot file -actn ace -ace "t:User_Z;p:Write;m:Deny")

The object name and object type work just as well with files, folders, printers, registry keys, etc...

Very Cool! :D

good job man. i thought you might like that one, i knew it had helped me a while back for registry permissions tweaking...

1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100i didn't make up this form of encryption, but i like it.credit to the lvl 6 challenge on arcanum.co.nz

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0