Thursday, 10 January 2013

Mastering icacls.exe in 15 mins



[Image: icacls GUI screenshot, http://www.bohack.com/wp-content/uploads/2009/12/icacls-gui.jpg]


icacls [path] [TABLE 1] [TABLE 2] domain\user:[TABLE 3] [TABLE 4] [TABLE 5]

Examples
icacls "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F
icacls Sales_Folder /grant FileAdmins:(D,WDAC)
icacls * /grant accountName:(NP)(RX) /T
-----------------------------------------


TABLE 1

/grant grants a user permissions; this is the Add option in the GUI.
/remove removes the user from the DACL and is equivalent to the Remove option in the GUI.

Note: /remove:g removes only grants for the user
      and /remove:d removes only denies for the user.

/deny is equivalent to the Deny column in the GUI and should always be used cautiously.
/setowner is a handy little command which allows you to change the ownership of a file or folder to another user; this is similar to the Linux chown command.
/findsid finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article and may be covered in a future article.


-----------------------------------------
TABLE 2
/inheritance:e enables inheritance, the same as the check box in the GUI.
/inheritance:d disables inheritance and copies the permissions from the parent, the same as the GUI.
/inheritance:r disables inheritance and removes the current inherited permissions, again the same as the GUI.
-----------------------------------------
TABLE 3
This folder only (no inheritance flags)
This folder, subfolders and files (OI)(CI)
This folder and subfolders (CI)
This folder and files (OI)
Subfolders and files only (OI)(CI)(NP)(IO)
Subfolders only (CI)(IO)
Files only (OI)(IO)
-----------------------------------------
TABLE 4
Simple Permissions

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)
-------------------------------------------
TABLE 5
/T  Traverse all subfolders to match files/directories.
/C  Continue on file errors (access denied). Error messages are still displayed.
/L  Perform the operation on a symbolic link itself, not its target.
/Q  Quiet - suppress success messages.
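Putting the tables together, here is an added example (not from the original post) that provisions a per-user home directory the way the first example above does, but in a PowerShell script that strips inherited permissions first, grants only the intended principals, sets the owner, and then audits the resulting DACL. The domain name MYDOMAIN, the share root and the script parameters are placeholders to adapt to your own environment; it assumes it is run from an elevated session.

```powershell
# Added example (not from the original post): provision a home directory
# with icacls and audit the DACL afterwards.
# Assumptions: elevated session, share root exists, MYDOMAIN is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserName,
    [string] $Domain = 'MYDOMAIN',
    [string] $Root   = 'E:\Home Directories'
)

$homeDir = Join-Path $Root $UserName
if (-not (Test-Path $homeDir)) {
    New-Item -ItemType Directory -Path $homeDir | Out-Null
}

# 1. Break inheritance and drop the inherited ACEs (TABLE 2, /inheritance:r)
#    so that nothing granted on the share root, e.g. a broad read ACE, leaks in.
icacls $homeDir /inheritance:r /Q

# 2. Grant exactly the ACEs we want (TABLE 1 /grant:r, TABLE 3 (OI)(CI),
#    TABLE 4 F and M). /grant:r replaces any existing grant for the same
#    principal instead of adding a second ACE next to it.
icacls $homeDir /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
                         "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                         "$Domain\${UserName}:(OI)(CI)M" /Q

# 3. Make the user the owner (TABLE 1 /setowner). /T applies it to anything
#    already inside, /C keeps going past access-denied errors (TABLE 5).
icacls $homeDir /setowner "$Domain\$UserName" /T /C /Q

# 4. Audit: read the DACL back and fail if an ACE for a broad group survived.
$acl   = icacls $homeDir
$broad = $acl | Select-String -Pattern 'Everyone|BUILTIN\\Users|Authenticated Users'
if ($broad) {
    Write-Error "Unexpected broad ACE(s) on ${homeDir}:`n$($broad -join "`n")"
    exit 1
}
$acl
```

The audit step is the part worth keeping even if you provision folders some other way: an unexpected Everyone or BUILTIN\Users entry on a home directory is usually a sign that inheritance was never broken.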
