The icacls.exe command was introduced in Windows 2003 Service Pack 2. It now comes installed by default in Windows Vista, Windows Server 2008 (R2) and Windows 7. So administrators will need to learn this command sooner or later. Recently I found the tool to be very flexible and I extensively documented the options. I mapped the different command line options to the GUI, for the network admins that need the GUI to understand how to use the command line.

The first point that should be made about icacls.exe is that it defaults to edit mode. The original cacls command defaults to replace mode. Next are the commands:

/grant will grant user permissions or the add option in the GUI.
/remove will remove the user from the DACL and is equivalent to
 the remove option in the GUI.

Note: /remove:g will remove only grants for the user
      and /remove:d will remove only denys for the user.

/deny is equivalent to the deny column in the GUI
 and should always be used cautiously.
/setowner is a handy little command which allows you to change
 the ownership of a file or folder to another user;
 this is similar to the linux chown command.
/findsid which finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article
 and may be in a future article.

The icacls command also has an /inheritance command which performs the same function as un-checking the “Include inheritable permission from this object’s parent” in the GUI. This of course presents you with the question of how to proceed; copy the permissions or remove all existing permissions. So the command line you can specify:

/inheritance:e to enable same as a check box in the GUI.
/inheritance:d to disable and copy the permissions
 from the parent same as the GUI.
/inheritance:r to disable and remove the
 current permissions again same as the GUI.

The next thing to learn is how inheritance is propagated for permissions. When using either the /grant or /deny statement you will build the permissions as /grant {user}:{inheritance}{permissions} everything is encapsulated by parenthesis. The default in Windows when applying permissions in the GUI is “This folder, subfolders and files”, but to achieve the default at the command line you need to use /grant {user}: (OI)(CI){permissions} and the permissions should be encapsulated in parenthesis. The table below is to help you formulate your inheritance for permissions:

This folder only
This folder, subfolders and files (OI)(CI)
This folder and subfolders (CI)
This folder and files (OI)
Subfolders and files only (OI)(CI)(NP)(IO)
Subfolders only (CI)(IO)
Files only (OI)(IO)

The last thing to learn is the permissions. You can use macro permissions, which are also called simple permissions or you can use advanced permissions. The simple permissions are the permissions found in the first properties tab under security. The advanced permissions are when you select advanced and you get the full permissions list. So building on the permissions line from above; if we wanted to grant testuser on the folder test and apply modify permissions so all subfolders and files inherited the permissions. The line would be ‘icacls test /grant testuser:(OI)(CI)(M)’

Simple Permissions

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)

When you master this command you will be able to do anything with permissions from the command line. Including understanding the SDDL or Security Descriptor Definition Language; which Microsoft uses to create group policy permissions.

The problem exists when you use a script to create the folders and apply the permissions using the cacls.exe command on a Windows 2003 R2 server. A user on a Mac OS X client with not be able to drag files into the folder on a Windows 2003 R2 server share or perform a copy procedure and will result in the error: “You may need to enter the name and password for an administrator on this computer to change the item name “item-name”.”. You may also see the exclamation error if the file has a preview fork attached of “Couldn’t open the file. It may be corrupt or a file format that Preview doesn’t recognize.”. After much reading on this problem I was almost convinced that it was an OS X bug, but I realize now it is actually a flaw in the cacls command. We use a script similar to the snippet of code below to create the directories.

mkdir \\server\share\userdir
cacls \\server\share\userdir /e /t /g userdir:c

explanation:

cacls {file or folder} /e {edits} /t {changes on all sub directories} /g {grants} userdir:c {user:permission of change}

The problem was solved using the command that was introduced in Vista and Server 2003 R2 called icacls.exe. The icacls tool is now included in Windows Server Service Pack 2 and is standard in Vista. This command allows you to set inheritance, which is the root cause of the problem. The inheritance properties were first introduced in NTFS 5.0 with Windows 2000, however something has changed recently in the OS X 10.5 software or Windows Server 2003 R2. The problem also exists in Windows Server 2008 and Windows Server 2008 R2 so the problem is not going away and I am guessing it is OSX at fault.

When setting a directory with the code above, if you use the icacls command to export the permissions structure out to a file you can see the problem. This will export the security into Microsoft’s SDDL language which is documented here http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx.

icacls.exe \\server\share\userdir /save aclfile.txt

notepad.exe aclfile.txt

D:(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)
(user:chage) (domain admin:full) (system:full)

The problem is not is not evident until we set the permission properly with the icacls.exe command.

icacls \\server\share\userdir /t /c /grant userdir:(OI)(CI)M

explanation:

icacls {file or folder} /t {changes on all sub directories} /grant {grants} userdir:(OI)(CI) {see below}M { change/modify }

CI CONTAINER INHERIT
OI OBJECT INHERIT
NP NO PROPAGATE INHERIT
IO INHERIT ONLY
ID INHERITED
SA SUCCESSFUL ACCESS FLAG
FA FAILED ACCESS FLAG

Complete list http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx

D:AI(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)

Explanation:

D: - Defines the DACL
AI - is the MISSING Auto Inheritance Flag
(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) - is the user’s SID and permissions
(A;OICIID;FA;;;DA) - is the “Domain Admin” permissions identified by the trailing DA
(A;OICIID;FA;;;SY) - is the “System” permissions identified by the trailing SY

The AI in the DACL or Discretionary Access Control List is missing when using the cacls command. My guess is that the client when using Windows is responsible for the completion and writing of the DACL. When a Mac OS X client copies a file they utilize SAMBA which does not carry the DACL and consequentially fails. This would explain the empty file that gets created when an OS X client drags and drops the file. The file entry gets created, but is inherited with only the original permissions that have inheritance from above. This same problem could also exist on Linux or UNIX using SAMBA since it is SAMBA that drops the ball.

The Fix:

Use ‘icacls \\server\share\userdir /t /c /grant username:(OI)(CI)M’ to grant access to NTFS folders and replace all entries in scripts using the cacls command.

The hyperlink command in excel actually does the reverse of what I needed; it creates a hyperlink out of the URL and a friendly name and I needed the URL from the friendly name. So I dug in a little deeper and treated the URL like an object. It has properties and those properties can be exposed. The hyperlinkcell object has a type of range so it is passed to the function of GETURL. The first hyperlink in the range we will want the property of the address. Then we simply pass it back to the function so that we can display it.

To install this all you need to do is:

1. Hit ALT + F11 (Opens Visual Basic Editor)
2. Click on Insert -> Module (adds a module to your excel file)
3. Paste the code below for the function of GETURL
4. Hit ALT + Q (Closes the Visual Basic Editor)

Now use the =GETURL(cell) to get the URL

Example: =GETURL(A1) will return the URL for the Hyperlink displayed in cell A1

Function GETURL(HyperlinkCell As Range)

 GETURL = HyperlinkCell.Hyperlinks(1).Address

End Function

Yep, it’s replaced the standard Windows search companion (and the friendly dog – Rover from MS Bob). That’s all well and good, except it’s an indexed search so doesn’t necessarily reflect what’s really on disk. And since by default my program files folder isn’t indexed, it never shows any results no matter what I search for – until I go in and change the settings then wait for it to get around to indexing the folders.

There’s a link at the bottom of the tab to use the trusty old search companion, but it means clicking it every time. Oh, and before you ask, no, there isn’t an option to disable this irritating integration in WDS! I hate it when software comes along and arrogantly replaces existing functionality with itself and gives no way to remove it.

You can in fact turn it off… Simply open RegEdit (hit Start > Run then type ‘regedit‘).
Go to the following node:

HKEY_CURRENT_USER\Software\Microsoft\Windows Desktop Search\DS

Then double-click on ‘ShowStartSearchBand‘ and set the value to ‘0‘. Close that and you’re done. The next time you click ‘Search’ in explorer the old and reliable search companion will appear. This applies to operating systems before Windows Vista, since Vista has far better search that actually works!

Generally when you install the Hub Transport Role it will ask you to create a Routing Group Connector in the GUI Wizard. However if you are like me and move roles around you will find the connector is broken. So first we need to learn how to test it. Pretty simple make a new user’s mailbox on the Exchange 2007 unit and from a mailbox located on Exchange 2003 unit send a piece of mail. If it works the Exchange 2007 user’s mailbox will have the email. Now create an email on the Exchange 2007 unit and send it to the user on the exchange 2003 unit. This is the quickest way to check the Routing Group Connectors, granted other problems can exist like the connector permissions.

If it fails you will need to delete the connector and recreate the connector. So first let us examine the connectors. You can use the “Get-RoutingGroupConnector” to display any existing Routing Group Connectors. By attaching an “fl” to the end of the command we can get full details “Get-RoutingGroupCOnnector | fl”.

Using the “Remove-RoutingGroupConnector” command we can remove any broken Routing Group Connectors. We will get to that in a minute however before you create a new “Interop RGC” connector” you need to verify that you have performed the “How To Suppress Link State Updates” Technet article on Exchange 2003. Then Identify the Bridge Head server in your 2003 and 2007 Exchange groups, these will be the connector endpoints.

Now using the “Remove-RoutingGroupConnector” command remove the existing connector.

example: Remove-RoutingGroupConnector -identity “connector name or GUID”

Now to create the two connectors to move mail in both directions using the “New-RoutingGroupConnector” command.

example: New-RoutingGroupConnector -Name “Interop RGC” -SourceTransportServers “Ex2007Hub.example.com” -TargetTransportServers “Ex2003.example.com” -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true

That will create a bidirectional link between the two servers however now we have the problem of removal, when you are done with the Exchange 2003 unit. If you perform a “Remove-RoutingGroupConnector” on the “Interop RGC” connector it will fail with the error of Multiple Instances.

example: Remove-RoutingGroupConnector -identity “Interop RGC”

Not a problem you can handle this two ways: The first is to delete the link from the 2003 Echange Server Manager, the second is the correct way. Use the command “Get-RoutingGroupCOnnector | fl” to display the full GUID from the 2007 EMC and then delete each connector by their GUID. This is the best way as the EMC will gracefully destroy the connectors and supress future errors.

example: Remove-RoutingGroupConnector -identity “Connector GUID”

After searching as to why this happens or what exactly happens, it states in http://technet.microsoft.com/en-us/library/bb123981.aspx that this will happen if the 2003 tools are used. What I suspect is that certain attributes that need to be set are not when using the Exchange 2003 ADUC. When the Exchange Management Console reads the mailbox it shows a Legacy Mailbox. So uninstall Exchange 2003 tools from other administrators workstations, you can reference the Knowledge Base Article KB931747 at http://support.microsoft.com/kb/931747 if they need proof.

To rectify the “Legacy Mailbox” and convert it back to a “User Mailbox” that can be managed in the Exchange Management Console: open the Exchange Management Shell and type in ‘Set-Mailbox -Identity “Alias” -ApplyMandatoryProperties’. Replace Alias with the alias of the mailbox that can be found in the Exchange Management Console.

Some things the GUI is great for like exploring a file structure. Many times you are browsing the GUI and realize you need to drop to a command prompt to start a task. Rather than clicking ‘Start’, then ‘Run’, typing ‘CMD enter’ and then changing directory, it would be nice to right click and drop to a CMD prompt from the Windows context menu.

I have been using this little crafted registry hack for years now. There are two needs for a command prompt one is right clicking on a file or other object and the other is right clicking on a folder. The ‘Command Prompt Anywhere.reg’ below takes care of both instances. The first part edits the default context menu so that the ‘CommandPrompt’ shows up for files and objects not defined as a folder. The second part edits the folder context menu so that ‘CommandPrompt’ shows for folders.

There is one limitation It will not work for network locations, this is a limitation of using the ‘cd’ command and can be changed using the ‘pushd’ command. The ‘pushd’ command will temporarily map the network location to the first drive letter available starting from ‘Z’ and working backwards in the alphabet. However if the ‘cd’ command in the scripts is replaced with ‘pushd’ you will need to keep the network mappings tidy, by using either a ‘net use z: /d’ or ‘popd’ before you exit the prompt.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell]

[HKEY_CLASSES_ROOT\*\shell\CommandPrompt]

[HKEY_CLASSES_ROOT\*\shell\CommandPrompt\Command]
@="cmd.exe /k cd \"%1/..\""

[HKEY_CLASSES_ROOT\Directory\shell]

[HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt]

[HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt\Command]
@="cmd.exe /k cd \"%1\""

To install just copy and paste it to a file called ‘Command Prompt Anywhere.reg’,  then double click it and answer ‘yes’ to the warning.

When you install Microsoft IIS, it defaults the first web site called “Default Web Site” to Port 80 and listens for HTTP requests on all assigned IPs. Sometime we need to install an application that requires SSL or we have chosen to require all communications be encrypted with SSL for the web application. IIS can be told to “Require Secure Channel (SSL)” and refuse all HTTP or non-SSL traffic; however it is culture to prepend the HTTP. So a redirection is needed from the HTTP request to an HTTPS request or Port 80 TCP to Port 443 TCP.

In my example, the server I installed uses a self-signed cert that was generated using the IIS Resource Kit 6 tool SelfSSL. On your site you may choose to use a public CA or internal CA trusted by your browser. So the first step is to install your application and install a Certificate through the “Directory Security” tab of the web site’s properties. On the Directory Security tab find the section titled “Secure Communications” and click “Edit”; you will then see the “Require Secure Channel (SSL)” option (see figure below).

Once this is selected the site will return “HTTP Error 403.4 – Forbidden: SSL is required to view this resource. Internet Information Services (IIS)”, if clear text is used; not the most friendly error for your users.

To solve this simple problem we will create a new web site that listens only for HTTP on port 80 TCP and redirects to the URL via HTTPS on port 443 TCP. You will need to re-assign an unused port number to the SSL site and you still need a directory to point the new site to.

Step 1 – Right click on your original site and click “Properties” then click on the “Web Site Tab”. Change the “TCP Port” under “Web Site Identification” to an unused port like 8080.

Step 2 – Create a “redirection” file folder under c:\inetpub or your root web files. I usually create a file that describes not to ever delete the folder. You need to create this folder, because your redirection site needs to point to a folder even if it is not going to use it.

Step 3 – Create the “Redirection” Web Site by right clicking “Web Sites” in the MMC and selecting “New” then “Web Site” from the context menu. Follow the wizard and name it “Redirection” and point it to the directory created in Step 2; assume all defaults.

Step  4 – Right click the web site created in Step 3 and select “Properties” from the context menu, then select the “Home Directory” tab. From this tab you will click on “A Redirection to a URL” then type in your redirection URL of HTTPS://www.bohack.com.

As best practice; I recommend to keep all scripts in a folder at the base of the %systemdrive% or C: drive and include it in your system %path% variable. This makes it easy to take your tools with you, when you redo your laptop or desktop. I personally use a folder called ‘sys’, but you can select your own. Just be sure to include the folder in your %path% variable.

Even if you put all your files in a particular folder sometimes your just looking for that particular file in the path. So I have written a Windows version of the UNIX ‘which’ command. Just copy the script below and save it as ‘which.cmd’ in your ‘sys’ folder.

Copy and Paste the script below into notepad and save it as “which.cmd”

@echo off
rem /
rem / which.cmd - 110108 - bohack.com 2008i     /
rem / Windows version of the UNIX which command /
rem /
setlocal
if [%1]==[] goto :errhand
set whichpath=%~dp$path:1
if [%whichpath%]==[] goto :end
echo %whichpath%%1
goto end

:errhand
echo.
echo Usage: %0 (filename to search in path)

:end
endlocal

Once it’s started via the command of ‘pingmon servername’. It will echo the time it started monitoring, then the alive time of a successful ping back. Once the host goes dead, it will echo the time it went dead or lost ping. Then it will echo the time it has gone alive again and quit. Simple batch script with one purpose, to make the administrator’s life simple.

Just copy and paste the script below into notepad and save it as “pingmon.cmd”

@echo off

rem Bohack - pingmon.cmd - 2002i

set ipname=%1

if {%ipname%}=={} (GOTO :errhand)

set /a calive=0
set /a cdead=0
set /a cexit=0

echo.
echo.
echo Monitoring %ipname%
echo.
echo ** Started %date% - %time%
echo.

:loop

FOR /F “skip=3 tokens=1,2*” %%a IN (’ping -n 1 %ipname%’) DO CALL :checkdo %%a
if %cexit% EQU 1 (goto :mend)

goto :loop

:checkdo

set reply=%1
if {%reply%}=={} (goto :end)
set replytruc=%reply:~0,5%
if /I {%replytruc%}=={Reply} (goto :alive)
if /I {%replytruc%}=={Reque} (goto :dead)
goto :end

:alive

if %calive% EQU 0 (echo ** Alive %date% - %time%)
set /a calive=1
if %cdead% GTR 0 (echo ** Alive %date% - %time%) & (set /a cexit=1)

goto :end

:dead

if %cdead% LSS 1 (echo ** Dead  %date% - %time%)
set /a cdead=1

goto :end

:errhand

echo.
echo.
echo Usage PingMon {computer or IP}

:mend

echo.
echo.

:end