PsaltyDS, Posted June 22, 2006 (edited)

I'm working on an install script that needs to specifically set the DENY ACE (access control entry) for Write on a file, for a specific user. The CACLS and XCACLS command line utilities don't seem to be able to do this. It looks like there is a scripted front end from Microsoft called XCACLS.VBS that adds this ability, but I would like to do it from inside my AutoIt script, without calling external VBS scripts.

Anybody done an AutoIt function that will do this?

Edit: Fixed typos.

Edited June 22, 2006 by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session! For those who want somebody to write the script for them: RentACoder. "Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

seandisanti, Posted June 22, 2006

> I'm working on an install script that needs to specifically set the DENY ACE for Write on a file, for a specific user. The CACLS and XCACLS command line utilities don't seem to be able to do this. It looks like there is a scripted front end from Microsoft called XCACLS.VBS that adds this ability, but I would like to do it from inside my AutoIt script, without calling external VBS scripts. Anybody done an AutoIt function that will do this?

If I remember correctly, there was a command line utility that used to be recommended a lot for permissions, maybe SetACLS? If you do a search for set permissions on the forum I'm sure you'll find a link to it. I believe it can do what you want...

PsaltyDS (Author), Posted June 22, 2006 (edited)

> If I remember correctly, there was a command line utility that used to be recommended a lot for permissions, maybe SetACLS? If you do a search for set permissions on the forum I'm sure you'll find a link to it. I believe it can do what you want...

SetACL actually looks like a very cool project. But I would like to do this without calling on anything that is not already on the Server. That leaves me the file properties GUI, COM or DLL call, CACLS.exe, and XCACLS.exe - at least as far as I can tell.

Just so I can move on, I'm going to script the GUI, but that's my LEAST favorite option (just above doing it manually).

Edit: Changed my changed mind again! The more I look at that SetACL.exe utility the more I like it. I'm just going to put it in the install @ScriptDir and call it from there.

Edited June 22, 2006 by PsaltyDS

jefhal, Posted June 22, 2006

> Edit: Changed my changed mind again! The more I look at that SetACL.exe utility the more I like it. I'm just going to put it in the install @ScriptDir and call it from there.

I just used SetACL for a project to add "full" permissions to "everyone" on the %windows%\temporary internet files folder, which is a weird folder. Nevertheless, SetACL worked like a charm where XCACLS wouldn't (couldn't?) do the job...

...by the way, it's pronounced: "JIF"... Bob Berry --- inventor of the GIF format

PsaltyDS (Author), Posted June 22, 2006

> I just used SetACL for a project to add "full" permissions to "everyone" on the %windows%\temporary internet files folder, which is a weird folder. Nevertheless, SetACL worked like a charm where XCACLS wouldn't (couldn't?) do the job...

The command line syntax for SetACL is complicated, but that's because it's so powerful. I needed to take a folder with Authenticated Users set to Modify, and deny just Write to one user. CACLS and XCACLS couldn't handle it, and not only that, they caused an error for ACE entries being out of sequence when they were done! (All deny ACEs are supposed to come before permit ACEs.) The SetACL command came out:

    $RetCode = RunWait(@ComSpec & ' /c SetACL.exe -on "C:\Folder_X\File_Y.cfg" -ot file -actn ace -ace "t:User_Z;p:Write;m:Deny"')

The object name and object type work just as well with files, folders, printers, registry keys, etc... Very Cool!

seandisanti, Posted June 22, 2006

> The command line syntax for SetACL is complicated, but that's because it's so powerful. I needed to take a folder with Authenticated Users set to Modify, and deny just Write to one user. CACLS and XCACLS couldn't handle it, and not only that, they caused an error for ACE entries being out of sequence when they were done! (All deny ACEs are supposed to come before permit ACEs.) The SetACL command came out:
>
>     $RetCode = RunWait(@ComSpec & ' /c SetACL.exe -on "C:\Folder_X\File_Y.cfg" -ot file -actn ace -ace "t:User_Z;p:Write;m:Deny"')
>
> The object name and object type work just as well with files, folders, printers, registry keys, etc... Very Cool!

Good job man. I thought you might like that one, I knew it had helped me a while back for registry permissions tweaking...
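
Why the ordering remark in the thread matters, as an added example that is not part of any post above: a simplified Python model of how a DACL is evaluated ACE by ACE, run against the thread's scenario (Authenticated Users allowed Modify, User_Z denied Write). The mask bits are simplified stand-ins rather than the real file access constants, and only explicit (non-inherited) ACEs are modelled.

```python
# Simplified model of DACL evaluation (added illustration, not from the thread).
# Mask bits are stand-ins, not the real FILE_* access constants.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
MODIFY = READ | WRITE | EXECUTE | DELETE


def access_check(dacl, token_sids, desired):
    """Walk ACEs in stored order and decide on the first conclusive result.

    dacl: list of (ace_type, trustee, mask), ace_type is 'allow' or 'deny'.
    Returns True only if every desired bit is granted before any is denied.
    """
    remaining = desired
    for ace_type, trustee, mask in dacl:
        if trustee not in token_sids:
            continue  # ACE does not apply to this caller
        if ace_type == "deny":
            if mask & remaining:
                return False  # a still-needed bit is explicitly denied
        else:
            remaining &= ~mask  # these bits are now granted
            if remaining == 0:
                return True  # evaluation stops here; later ACEs are never read
    return False  # bits never granted are implicitly denied


def is_canonical(dacl):
    """True if no deny ACE follows an allow ACE."""
    seen_allow = False
    for ace_type, _, _ in dacl:
        if ace_type == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def canonicalize(dacl):
    """Stable sort placing deny ACEs first, relative order otherwise kept."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")


# Constructed sample matching the thread's scenario.
USER_Z_TOKEN = {"User_Z", "Authenticated Users"}
OUT_OF_ORDER = [("allow", "Authenticated Users", MODIFY), ("deny", "User_Z", WRITE)]
CANONICAL = canonicalize(OUT_OF_ORDER)

if __name__ == "__main__":
    for name, dacl in (("out of order", OUT_OF_ORDER), ("canonical", CANONICAL)):
        print(name, is_canonical(dacl), access_check(dacl, USER_Z_TOKEN, WRITE))
```

With the allow ACE stored first, User_Z's Write request is granted before the deny ACE is ever read, which is why a tool that leaves entries out of sequence can silently defeat the deny.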