Re: Lost all security permissions.
- From: "Pegasus (MVP)" <I.can@xxxxxxx>
- Date: Sun, 9 Dec 2007 10:19:55 +0100
FILEACL 2.8.0.1, Copyright Guillaume Bordier 1999, gbordier@xxxxxxxxxxxx or
g_bordier@xxxxxxxxxxx
Display/Modify File permissions (local and remote)
Running Windows NT 5.1 Service Pack 2
usage :
fileacl <File/Directory> [/{S|G|R|T|O} {trustee}:[!][mask][/[!]mask][/[!]mask] [options]
or :
fileacl <File/Directory> [/{S|G|R|T|O} {trustee}:[mask][:Inheritance[/Inheritance]...] [options]
mask = {U,R,Rr,Re,Ra,W,Ww,We,Wa,A,P,p,X,Dc,D,F}|0xXXXXXX}
inheritance can be given using XCACLS style : IO,OI,NP,CI,FO
or explorer like abbreviations : F,FF,FSF,FSFF,SFF,SF,NP
/G=Grant /S=Set /R=Revoke /T=Suppress DENY Aces /O change owner /D Deny
U=Unspecified R=Read W=Write X=Execute F=Full Control D=Delete Dc=Delete Child O=Take Ownership P=Set Permissions
Warning : for same inheritance, Grant is additive, Set is not (better use /S).
Mask can be a letter-coded permissions string or an Hexadecimal mask
Display mode Options
/LINE operate in single-line mode, display all ACEs on a file or directory on One row
/OWNER Get the owner name as well
/NOINHERITED do not print inherited rights
/SIMPLE Merge inherited and direct ACL
/BATCH Generate a batch file for reapplying the same permissions, use with /SUB
/BATCHREAL Same as /BATCH, generate a protected ACL for the given root dir
/RAW[SID|MASK] Show the RAW ACE SID and/or Mask
/RAWSECDESC [WIN2K] Show the RAW Security Descriptor with Textual Form, you may use this to generate Win2K security templates and apply them with secedit
/QUOTE add quotes to file and directory names
Change mode options
/PROTECT These permissions will be protected from upper levels permissions propagation [WIN2K]
/INHERIT Force Propagation from upper levels [WIN2K]
/REMOVEDENY Remove all DENY Aces
/NOROOT use with /SUB, apply rights to all subdirs/subfiles except the root dir
/REPLACE deletes existing ACL and replaces with specified (SET)
Both mode options
/SUB[:n] treats n levels of subdirectories as well
/FILES treats files in directories as well
/NODIRS treats files only (/FILES implicit)
/FORCE uses SeBackupPrivilege and SeRestorePrivilege to Treat Objects without any rights nor ownership
/NT4 Enforce NT 4.0 compatibility for Write Masks, later version will test dest computer
Rarely used :
/DEBUG give debug information
/VERBOSE give [many] debug information
/MANUALACE Create Ace manually (do not use SetEntriesinACL, default for NT4)
/USEOLDSEC Use SetFileSecurity instead of SetNamedSecurity, default for NT4
Warning : REPLACE deletes existent ACL on file !
For Directories, permissions can be written with 3 different formats
Let's first define "inheriting" :
-Inheriting files are files that will be created in the future in that directory
-Inheriting directories are sub directories that will be created in the future in that directory
-After W2K inheriting also means permissions applied to existing files and directories
Moreover, if you ask fileacl to apply to all existing files and subdirectories it will use these inheriting Rights to apply to all subdirectories and files
XXXX means XXXX is the permissions for the directory, the inheriting Files and Sub-directories
XXXX/YYYY means as usual : XXXX is the permissions for the directory and inheriting Sub-directories, YYYY for the permissions on inheriting files.
XXXX/YYYY/ZZZZ means : XXXX is the permissions for the directory, YYYY is the permission for inheriting files (files that will be created later), and ZZZZ is the permission for inheriting sub-directories
to put non heritable permissions, use XXXX/U/U, to put inherit-only permissions, use U/XXX/ZZZ
Adding '!' before permissions will prevent them from propagating beyond the first level, like checking the "apply permissions to objects and containers in this folder only" box
you also can give one mask and set the inheritance you want using two ways
1) a combination of XCACLS style keywords
CI : Container Inherit
OI : Object Inherit
IO : Inherit Only
NP : Non propagation beyond first level
2) an abbreviation of explorer inheritance selection box terms
FO : Folder only (no inheritance)
F : Files only (inherited to files)
FF : Folder and files
SF : SubFolders
SFF : SubFolders and files
FSFF : Folder and subfolders and files (default)
FSF : Folder and subfolders
NP : Non propagation beyond first level
Those should be placed after the access mask separated by a colon ":" and separated from other inheritance flags with a slash "/"
example :
FILEACL c:\temp /s user:R:OI/NP
equals
FILEACL c:\temp /s user:R:FF/NP
equals
FILEACL c:\temp /s user:R/!R/U
NOTE: inheriting items are items created under the current directory AFTER the application of new permissions
With W2K and later, these permissions also propagate to the existing items
Ex: FILEACL \\testsrv\d$\testacl /S domain\user1:RWXD/W/RX /S administrators:F
will set Full right and inheritance on \\testsrv\d$\testacl for administrators and Modify right on the directory, write only on created files, and RX on created directories
NOTE for v2.4 and above : To use the /FORCE directive, the user needs SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege from the user manager for the server
New with 2.5, you can now give a TEXTUAL SID instead of the username and an Hexa mask (0x1000000) instead of a text mask
2.6 is W2K compatible: it checks the local machine for W2K; when you set perms from a W2K Workstation to an NT4 server, be sure to use /NT4, otherwise WRITE masks may not show in the NT4 GUI
WIN2K : Autopropagation feature : keep the protected/unprotected (against propagation) status of the permission unless /PROTECT or /INHERIT is given
OUTPUT :
d:\test;Administrators:F[I] Administrators have Full Control from Autopropagation([I])
d:\test;Everyone:F/RW Everyone has Full Control over this directory and future sub-directories and RW on future Files
d:\test;Guest:F/W/R Guest has Full Control in the dir, W on future files, and Read on future subdirs
Detailed Permissions Mapping
U :no right, use to set permissions with special inheritance
Rr : Read Data / List Directory (FILE_READ_DATA)
Ww : Write Data / Add Files to directory (FILE_WRITE_DATA )
Ra/Wa : Read / Write Attributes (file or dir, Read-only, Hidden ...)
Re/We : Read / Write Extended Attributes (compressed, encrypted ..)
p/P : Read / Write Permissions
A : Append data to file / Add subdir to directory
D : Delete File / Delete Dir
Dc : Delete Child (sub file/sub dir)
X : Execute File / CD to dir
R = Rr+Ra+Re+p
W = Ww+A+Wa+We (NT4 : W=Ww+A+Wa+We+P+p)
File Deletion is performed if :
Parent dir has Rr and Dc access OR file has D (not Dc)
Minimum Access for reading a file is Rr on parent dir and RrRep on file
Minimum Access for saving an open file is Rr on parent and RrRepW on file
Minimum Access for creating new file is Ww on parent dir
Minimum Access for creating new dir is A on parent dir
"Eli" <eli@xxxxxxxxxxxxxxxx> wrote in message news:48B6DB2D-3818-479E-B7F4-F71297ADC41F@xxxxxxxxxxxxxxxx
I'm getting errors.
Can you give an example command? Maybe I'm doing something wrong.
"Pegasus (MVP)" wrote:
"Eli" <eli@xxxxxxxxxxxxxxxx> wrote in message news:52DA95EF-6A04-460A-8EC2-5930B2678D0F@xxxxxxxxxxxxxxxx
Need help with file security permissions.
There are a lot of files that for some unknown reason lost all permissions info.
If I try to open or copy them I get access denied error.
Using cacls command doesn't help - denied.
If I go to security tab there are no permissions set. I have to take over ownership of the file, apply and then close it. Then open security tab again and add "system" account full access, then apply. After that I can see all the permissions that were supposed to be there originally.
There are about 5000 files like that spread out around 100s of different folders with different hierarchy.
Anyone know why it could have happened and how to fix it?
You could use subinacl.exe (Windows Resource Kit) or fileacl.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en) to seize ownership of a large number of files and folders. Make sure to test the commands first!
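An added example, not part of this thread or of FILEACL itself: a small Python translator for the trustee:mask[:inheritance] form described in the help text above, mapping fileacl's letter codes and inheritance keywords to the Win32 ACCESS_MASK bits and ACE inheritance flags they stand for, so a proposed /S or /G argument can be checked before it is run against 5000 files. It assumes that fileacl's hex mask form is the raw Win32 ACCESS_MASK (what /RAWMASK displays) and uses the winnt.h constant values; the XXXX/YYYY/ZZZZ slash form is not handled.

```python
# Added example (not FILEACL's own code): translate fileacl's letter-coded mask and
# inheritance keywords into Win32 ACCESS_MASK bits and ACE inheritance flags.
# Assumption: fileacl's hex mask form is the raw Win32 ACCESS_MASK (winnt.h values).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0040, 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
FILE_ALL_ACCESS = 0x1F01FF  # what Explorer calls Full Control
# Letter codes from the "Detailed Permissions Mapping" section of the help text.
LETTER_BITS = {
    "Rr": FILE_READ_DATA, "Ww": FILE_WRITE_DATA, "Ra": FILE_READ_ATTRIBUTES,
    "Wa": FILE_WRITE_ATTRIBUTES, "Re": FILE_READ_EA, "We": FILE_WRITE_EA,
    "p": READ_CONTROL, "P": WRITE_DAC, "A": FILE_APPEND_DATA, "D": DELETE,
    "Dc": FILE_DELETE_CHILD, "X": FILE_EXECUTE, "O": WRITE_OWNER,
    "F": FILE_ALL_ACCESS, "U": 0,
}
LETTER_BITS["R"] = FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | READ_CONTROL  # R = Rr+Ra+Re+p
LETTER_BITS["W"] = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA  # W = Ww+A+Wa+We
# ACE inheritance flags (winnt.h) and the two keyword styles fileacl accepts.
OI, CI, NP, IO = 0x1, 0x2, 0x4, 0x8
INHERIT_KEYWORDS = {
    "OI": OI, "CI": CI, "IO": IO, "NP": NP,           # XCACLS style
    "FO": 0, "F": OI | IO, "FF": OI, "SF": CI | IO,   # Explorer-like abbreviations
    "SFF": CI | OI | IO, "FSFF": CI | OI, "FSF": CI,
}

def parse_mask(text):
    """Letter mask ('RWXD', 'RrRep') or hex ('0x1F01FF') -> ACCESS_MASK integer."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    bits, i = 0, 0
    while i < len(text):
        # two-letter codes (Rr, Ww, Dc, ...) are tried before single letters
        code = text[i:i + 2] if text[i:i + 2] in LETTER_BITS else text[i]
        if code not in LETTER_BITS:
            raise ValueError("unknown permission letter %r in %r" % (code, text))
        bits |= LETTER_BITS[code]
        i += len(code)
    return bits

def parse_inheritance(text):
    """'OI/NP' or 'FF/NP' -> ACE flag bits; an empty string means the FSFF default."""
    flags = 0
    for keyword in (text.split("/") if text else ["FSFF"]):
        flags |= INHERIT_KEYWORDS[keyword]
    return flags

def parse_ace(spec):
    """'trustee:mask[:inh[/inh...]]' as given to /S, /G or /R -> (trustee, mask, flags)."""
    trustee, mask, *inheritance = spec.split(":")
    return trustee, parse_mask(mask), parse_inheritance(inheritance[0] if inheritance else "")
```

Running parse_ace over the two colon-form commands in the help text ("user:R:OI/NP" and "user:R:FF/NP") yields the same trustee, mask and flags, which is the equivalence the help text claims.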