cacls “C:\Program Files\XXXX” /e /t /g “Domain\domain users”:C

I do it all the time…

Depending on the files you have you may which continues to change DACLs, ignoring errors.

This work cacls “C:\Program Files\XXXX” /e /g “Domain\domain users”:C
for the first folder not for sub folder

How do have add “domain users” to the all the subfolder and files Using Icacls

Subfolders and files only (OI)(CI)(NP)(IO)

When I use the above it gives lower folders “Subfolder only” permissions, which is different from when choosing “subfolder and files only” via the GUI. I found the following line works the same as the GUI:

Subfolders and files only (OI)(CI)(IO)
cheers
PS. Otherwise this has been one of the more useful ICACLs related pages that I have read (and I have read lots).

We have a badly maintained dacl structure with ad hoc added users and groups everywhere.

Now somehow the local users group has read rights inherited through the whole tree. We don’t want that!.

I can’t block inheritence, remove the local users group and propagate this to all child objects, because I lose all the ad hoc users and groups!!!!

Question; how can I remove only the specific group from all acl’s troughout the tree while preserving the rest of the settings.

The reason that I was considering icals in lieu of secedit was the KB Article ID: 313222 – Last Review: September 23, 2011 – Revision: 15.0. It said:

“The use of “secedit /configure” to import the default security template, dfltbase.inf, is unsupported nor is it a viable method to restore default security permissions on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 computers.”

The same article said that using icacls /restore would be good. The problem is, you must have a previous backup from the icacls /save command. I do not have one or know of one, but I would assume that there would be some file that would have the “initial” settings employed an admin or user creates the first folders in a disk or partition. Whatever is assigned during that creation would be the “basic” settings, that would subsequently be manually modified by a user, if desired.

Right now, the only idea I have is to go to another satisfactorily operating Win 7 computer and to perform an icacls /save and then copy that file to this computer. The problem is that the restore affects all partitions and disks whereas I only want to modify the disks containing my copied files (rescued from my system prior to the rebuild).

Is there such a basic set of simple/advanced permissions that are available?

My problem is all the data on the new drive is in the same state, read only and hidden.

Since we are talking about 100,000 files, mostly images, docx and xls files, is there a way, using takeown and icals to set these files back to “factory” ownership and permissions. Is it as simple as:

icacls * /T /Q /C /RESET

but what ARE those permissions and who would the owner be.
Also what are the “standard” security characteristics.

bob