ACL (access list) need some help
Hello,

I think I am missing something, as I don't know how to set the correct ACL on a folder. I would like to grant the "MINIMUM" rights to a local group called "daemon" on a specific folder. The folder is called "d:\logs", and I need to use "icacls" as I'm using a Windows 2008 R2 Core server, where no graphical interface is available.

The group needs the following rights/possibilities in "d:\logs":

1) create "files" in/below d:\logs
2) append data/text to the files created in 1)
3) it should NOT be able to delete the files

a) Could someone please give me the exact syntax (for icacls.exe) with the correct minimum rights?
b) Is there a good documentation/tutorial that explains the different rights somewhere? For example, S for synchronize, or AS, or MA rights are Chinese to me ....

Thank you very much for your help!

Kind regards,
Didier
May 12th, 2011 8:05am

Hi Didier,

This may not be fully correct but can be a reference:

icacls d:\logs /grant daemon:rw /deny daemon:d

Meanwhile, please note that denying Delete means the user cannot rename the file either.

For more information about icacls please refer to this article: http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx

Shaon Shan | TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tngfb@microsoft.com
May 13th, 2011 5:35am

How are things going? If there is any progress please just let us know.

Shaon Shan | TechNet Subscriber Support in forum
May 17th, 2011 3:48am

Hello,

Sorry, I didn't notice that I got a reply. No, it does not work. I tested this a minute ago; the user was not able to "cd" into the logs directory.

Here is the exact config I'm using. The user "tomcat" is a member of the local group "daemon". Here is the current/latest ACL of the "logs" subdirectory I'm testing:

    EXTTC\daemon:(OI)(IO)(DENY)(D)
    EXTTC\daemon:(OI)(M)
    EXTTC\daemon:(I)(OI)(CI)(RX)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

Unfortunately ... this does not work either. The user "tomcat" can create files but cannot append data to the file.

Do you have any other suggestions I could test?

Thank you very much!
Didier
May 19th, 2011 3:45am

Ouf, I got it. Here is what I needed:

    EXTTC\daemon:(RX,WD)
    EXTTC\daemon:(OI)(IO)(R,W)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Files can be appended to, or their content can be deleted, but the file itself cannot be physically deleted.

Didier
May 19th, 2011 9:36am
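The icacls sequence below is an added example (not posted in the thread) that reproduces the final ACL Didier listed: the folder ACE lets the group list the folder and create files, the inherit-only file ACE lets it read and write (including append) those files, and neither ACE carries Delete, so a compromised or misbehaving service account cannot remove its own log files. It assumes the group is the local "daemon" group, that D:\logs already exists, and that it is run from an elevated prompt on the server; the `/inheritance:r` step is an assumption made so that broader ACEs from D:\ do not reappear in the listing.

```powershell
# Added example: apply the minimal "write-only log drop" ACL from the thread with icacls.
# Assumes the local group is "daemon" and D:\logs already exists (constructed for this example).
$logs = 'D:\logs'

# 1. Stop inheriting from D:\ so the parent's broader ACEs do not reach the log folder.
icacls $logs /inheritance:r

# 2. Keep administrators and the system in full control, inherited by files and subfolders.
icacls $logs /grant 'BUILTIN\Administrators:(OI)(CI)(F)'
icacls $logs /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'

# 3. Folder ACE for daemon: list/traverse (RX) plus create files (WD).
#    No AD, so the group cannot create subfolders; no D, so it cannot delete or rename.
icacls $logs /grant 'daemon:(RX,WD)'

# 4. File ACE, inherit-only (IO) and applied to files (OI): read plus write.
#    W covers WriteData and AppendData but not Delete, so logs can grow but not vanish.
icacls $logs /grant 'daemon:(OI)(IO)(R,W)'

# 5. Review the result; it should match the four-line ACL posted in the thread.
icacls $logs
```

After applying it, confirm the behaviour as the service account rather than trusting the listing: creating and appending to a file under D:\logs should succeed, while `del` on that file should fail with access denied.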
