Fig.1
Let's assume you are responsible for managing permissions on a file server with a folder structure resembling the one in Figure 1. There you'll see a root folder named Shared that contains the Finance and Marketing subfolders, which in turn contain additional subfolders. You'll also notice that the folders are configured so that increasingly smaller groups of people can access lower-level shares. For example, Finance Users can read information in the Budget folder, but only Budget Users can write to it. A Restricted folder is also present at the bottom that no one should be able to see except those with Restricted access. This is a common structure on many file servers today.
You can use icacls to set permissions like those in Figure 1, but exactly how to do this is not immediately obvious. To set the indicated permissions for just the Metrics folder, you would use the following syntax:
icacls C:\Shared\Finance\Metrics /grant:r "Finance Users":(OI)(CI)M /grant:r "Metrics Users":(OI)(CI)M
Unfortunately, with great power comes great complexity. As you can see, icacls' syntax can be quite impenetrable, at least until you understand how Windows permissions work. Remember that an individual permission can be applied to a single folder object or to the object plus its subfolders and files. This is the concept of inheritance. When you apply the simple Modify permission within the Explorer GUI to a folder, as in Figure 2, you are actually applying it to that folder as well as all subfolders and files.
Fig.2
Figure 2 Applying Simple Permissions Automatically Sets Inheritance for Subfolders and Files.
In the command line above, you can see that for each group, the M for Modify comes after (OI)(CI), which stand for "object inherit" and "container inherit" respectively. Both of these are necessary if you want icacls to apply the simple Modify permission. You'll also notice that ":r" is added after the /grant switch. This modifier instructs icacls to replace any explicit (directly applied) permissions that group already holds on the object with the permissions you set in the command line; without it, the new permissions are added alongside the group's existing ones.
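To see what those flags and the :r modifier actually write into an ACL, here is an added PowerShell example (not code from the original article). It applies the article's (OI)(CI)M grant to a scratch folder and reads the result back with Get-Acl. $Group defaults to the built-in Users group so the script runs on any workstation; on the file server you would substitute the article's "Metrics Users". The scratch path, the constructed sample file and the function names are my own.

```powershell
# Added example, not from the original article: applies the article's (OI)(CI)M grant to a
# scratch folder and reads the ACL back with Get-Acl to show what the flags and the :r modifier
# actually write. $Group defaults to the built-in Users group so the script runs on any
# workstation; on the server, substitute the article's "Metrics Users". The scratch path,
# the constructed sample file and the function names are my own.
param(
    [string]$Group   = 'Users',
    [string]$Scratch = (Join-Path $env:TEMP 'icacls-demo\Shared\Finance\Metrics')
)
$ErrorActionPreference = 'Stop'

function Invoke-Icacls {
    # Runs one icacls command line and stops if it fails (e.g. an unknown group name).
    param([Parameter(Mandatory)][string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Get-GroupAce {
    # ACEs on $Path that belong to $Group, filtered to explicit ($false) or inherited ($true) entries.
    param([string]$Path, [string]$Group, [bool]$Inherited)
    @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IsInherited -eq $Inherited -and $_.IdentityReference.Value -like "*\$Group"
    })
}

function Show-State {
    # One line summarising the folder's explicit ACEs for the group and the file's inherited ones.
    param([string]$Step)
    $folder = Get-GroupAce -Path $Scratch -Group $Group -Inherited $false
    $file   = Get-GroupAce -Path $SampleFile -Group $Group -Inherited $true
    $flags  = ($folder | ForEach-Object { "$($_.FileSystemRights) $($_.InheritanceFlags)" }) -join '; '
    '{0}: folder has {1} explicit ACE(s) for {2} [{3}]; file has {4} inherited ACE(s)' -f $Step, $folder.Count, $Group, $flags, $file.Count
}

New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
$SampleFile = Join-Path $Scratch 'q1-budget.xlsx'          # constructed sample file
Set-Content -LiteralPath $SampleFile -Value 'constructed sample content'

# Step 1: the article's form. One explicit ACE with InheritanceFlags ContainerInherit, ObjectInherit
# lands on the folder, and the file inside immediately receives an inherited copy.
Invoke-Icacls -Arguments @($Scratch, '/grant:r', "${Group}:(OI)(CI)M")
Show-State 'after /grant:r (OI)(CI)M'

# Step 2: /grant:r again, this time plain R with no inheritance flags. The :r modifier replaces
# the group's existing explicit ACE rather than adding a second one, so the (OI)(CI)M entry is
# gone and the file's inherited ACE disappears with it.
Invoke-Icacls -Arguments @($Scratch, '/grant:r', "${Group}:R")
Show-State 'after /grant:r R'

# Step 3: the same grant without :r keeps the R entry and adds the (OI)(CI)M entry beside it.
Invoke-Icacls -Arguments @($Scratch, '/grant', "${Group}:(OI)(CI)M")
Show-State 'after /grant (OI)(CI)M, no :r'

& icacls.exe $Scratch   # icacls' own rendering of the final ACL
```

The script only touches a folder under your own profile, so it needs no elevation. The point to take from step 2 is that :r is scoped to the named group: it replaces that group's explicit entries and nothing else on the object.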
Complex, yes, but Windows permissions are complex. Keep in mind that the end goal—reusable commands—will actually make things much simpler.
To continue the example, let's walk through the entire set of icacls command lines you would use to reset and correctly apply the stated permissions to the Finance folder structure as well as its root:
icacls C:\Shared /inheritance:r /grant:r "Domain Users":(OI)(CI)R /grant:r "File Admins":(OI)(CI)F
icacls C:\Shared\Finance /inheritance:r /grant:r "Finance Users":(OI)(CI)R /grant:r "File Admins":(OI)(CI)F
icacls C:\Shared\Finance\Budget /grant:r "Budget Users":(OI)(CI)M
icacls C:\Shared\Finance\Metrics /grant:r "Metrics Users":(OI)(CI)M
The first line actually accomplishes two tasks. It starts with the "/inheritance:r" switch to completely remove all inherited permissions from the folder above, so that the Shared folder no longer inherits from the folder immediately above it. Once this is done, the Read permission is set for Domain Users and the Full Control permission for File Admins.
Because we don't want Domain Users to have access to the Finance folder at all, line two breaks and clears the permissions inheritance once again. It then applies the Full Control permission to File Admins and the Read permission to Finance Users.
With lines three and four, we don't want to break the permissions inheritance because both the File Admins and the Finance Users groups should have the same access to these subfolders. In these two lines, we are simply granting another permission—in addition to the existing inherited permissions—so that the Budget Users and Metrics Users can write to these folders.
Setting permissions for the Marketing folder is slightly different. We use the same permissions flow for the Product folder as we did for the subfolders under Finance, but the Restricted folder will be treated a bit differently. Let's suppose that folder contains highly secret documents that should be seen by only a very few individuals. Your first thought may be, "A-ha! Here, I'll use the Deny permissions to prevent the wrong users from accessing this folder!"
But keep in mind that the Deny permission is actually far too powerful a setting for most situations, as it automatically overrides every other permission. Therefore, adding the Deny permission to the Marketing Users group for this folder means that any Restricted users who are also Marketing users would be shut out. A more appropriate solution here is to break the inheritance again and simply eliminate all permissions for the Marketing Users group. Thus, the three icacls command lines required to set the permissions for this structure are
icacls C:\Shared\Marketing /inheritance:r /grant:r "Marketing Users":(OI)(CI)R /grant:r "File Admins":(OI)(CI)F
icacls C:\Shared\Marketing\Product /grant:r "Product Users":(OI)(CI)M
icacls C:\Shared\Marketing\Restricted /inheritance:r /grant:r "File Admins":(OI)(CI)F /grant:r "Restricted Users":(OI)(CI)M
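The reusable form the article is working towards, as an added PowerShell example that is not the article's own code: the seven Finance and Marketing command lines wrapped in one script that first backs up the existing ACLs with icacls /save, then applies the lines, then checks the result with Get-Acl. Group names and folder paths are the article's (the Marketing line grants Read to Marketing Users, the group the text goes on to leave off Restricted); the backup location, the function names and the two checks are my own.

```powershell
# Added example, not from the original article: the whole Finance/Marketing procedure as one
# reusable script. It backs up the current ACLs with icacls /save, applies the article's command
# lines, and then checks the result with Get-Acl. The group names and paths are the article's;
# the backup location, the function names and the checks are my own.
[CmdletBinding()]
param(
    [string]$Root   = 'C:\Shared',
    [string]$Backup = (Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date)))
)
$ErrorActionPreference = 'Stop'

function Invoke-Icacls {
    # Runs one icacls command line and stops on failure, so a mistyped group name
    # cannot leave the tree half-configured.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Back up every ACL under $Root first. icacls /save records paths relative to the parent
#    of $Root, so the matching rollback is run against that parent:
#    icacls <parent of $Root> /restore $Backup
Invoke-Icacls -Arguments @($Root, '/save', $Backup, '/t', '/c', '/q')

# 2. The article's command lines, expressed as data so the same script serves every share.
#    /inheritance:r cuts inheritance from the parent; /grant:r replaces that group's explicit
#    permissions instead of adding to them; (OI)(CI) makes the ACE flow to files and subfolders.
$Commands = @(
    @($Root,                        '/inheritance:r', '/grant:r', 'Domain Users:(OI)(CI)R',    '/grant:r', 'File Admins:(OI)(CI)F'),
    @("$Root\Finance",              '/inheritance:r', '/grant:r', 'Finance Users:(OI)(CI)R',   '/grant:r', 'File Admins:(OI)(CI)F'),
    @("$Root\Finance\Budget",       '/grant:r', 'Budget Users:(OI)(CI)M'),
    @("$Root\Finance\Metrics",      '/grant:r', 'Metrics Users:(OI)(CI)M'),
    @("$Root\Marketing",            '/inheritance:r', '/grant:r', 'Marketing Users:(OI)(CI)R', '/grant:r', 'File Admins:(OI)(CI)F'),
    @("$Root\Marketing\Product",    '/grant:r', 'Product Users:(OI)(CI)M'),
    # Restricted: inheritance is cut and Marketing Users is simply not re-granted; no Deny ACE.
    @("$Root\Marketing\Restricted", '/inheritance:r', '/grant:r', 'File Admins:(OI)(CI)F',     '/grant:r', 'Restricted Users:(OI)(CI)M')
)
foreach ($line in $Commands) { Invoke-Icacls -Arguments $line }

# 3. Checks worth running before handing the share back.
function Test-NoDenyAce {
    # $true when no folder under $Path carries a Deny ACE: the article's point is that
    # leaving a group off the ACL, not denying it, is the right tool for Restricted.
    param([Parameter(Mandatory)][string]$Path)
    $folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory)
    foreach ($folder in $folders) {
        $deny = (Get-Acl -LiteralPath $folder.FullName).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        if ($deny) { return $false }
    }
    return $true
}

function Test-GroupAbsent {
    # $true when $Group appears in no ACE, explicit or inherited, on $Path.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Group)
    $hit = (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -like "*\$Group" }
    return -not $hit
}

if (-not (Test-NoDenyAce -Path $Root)) { Write-Warning "A Deny ACE exists under $Root; this layout needs none." }
if (-not (Test-GroupAbsent -Path "$Root\Marketing\Restricted" -Group 'Marketing Users')) {
    Write-Warning 'Marketing Users still has an ACE on Restricted.'
}
& icacls.exe "$Root\Marketing\Restricted"   # icacls' own view of the final ACL, for the change record
```

Run it as a member of File Admins: after the first line, Administrators keeps access to Shared only through an explicit entry that already existed, since the inherited one is gone. Two things to read in the final icacls output: /grant:r replaces entries only for the group it names, so any explicit ACE for some other account that was on a folder before the reset survives it, and the backup file is the only record of what the tree looked like before, so keep it with the change ticket.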