NTFS Permissions With ICACLS
Hello Everyone,

I am attempting to set permissions for a local user account so that they have read and execute permissions to a folder and its contents but are denied any modify or delete permissions. Here is my syntax:

    icacls C:\test /deny %computername%\user:(W,D) /T
    icacls C:\test /grant %computername%\user:(RX) /T

When I run this command, it succeeds in applying the requested permissions, but when I log in with the user that I applied the settings for, I receive an access denied error when attempting to open the folder. The odd thing about all of this is that when I set these same permissions by hand, it works just fine, but if I set those same permissions via this script, it denies the user read access even though my ACL is clearly allowing read access.

Any help is greatly appreciated,
Devon
September 10th, 2012 9:13pm

I think you have a problem with denying Write permissions on a folder where you want to allow Execute permissions. I'd start by removing the Deny Write block and see if that essentially cures your problem - then check if the folder fills up with temp files because the user isn't allowed to delete them. Deny permissions are always tricky to use, and generally best avoided if possible.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
September 11th, 2012 4:20am

After removing the deny write block in my script, the user is now able to freely modify, delete, read, and execute my files in the folder. I looked at the ACL and according to the ACL, it is denying delete access but in practice it is not. It feels like ICACLS is broken or is doing something in the background, because when I set these same permissions by hand within the ACL, it works fine.
September 11th, 2012 3:22pm

Set the permissions manually the way you want them, then use ICACLS to read the permissions back - see what it says they are.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
September 11th, 2012 3:30pm

ICACLS became too much of a hassle to implement with the automation of assigning local users with different SIDs, so I found a PowerShell script that performs the same functionality as ICACLS and works so much better. I found the PowerShell script here: http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx. I modified the script a bit to reflect my needs. The following is my finalized script, which I have tested, and it worked with each test:

    # Create the folder and show its starting ACL
    New-Item C:\test -Type Directory
    Get-Acl C:\test | Format-List
    $acl = Get-Acl C:\test
    # Leave inheritance from the parent enabled (isProtected = $False)
    $acl.SetAccessRuleProtection($False, $True)
    # Allow Read, inherited by subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("user","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    # Deny Write and Delete, inherited by subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("user","Write, Delete", "ContainerInherit, ObjectInherit", "None", "Deny")
    $acl.AddAccessRule($rule)
    # Apply the ACL and show the result
    Set-Acl C:\test $acl
    Get-Acl C:\test | Format-List

Thank you for your help,
Devon
September 14th, 2012 6:38pm
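
Added example, not part of the thread: a PowerShell check in the spirit of the "read the permissions back" advice above. It reports, per account, any rights that an explicit Deny entry removes from what an explicit Allow entry grants. The function name Get-DenyOverlap, the SDDL string and the use of BUILTIN\Users are constructed for illustration.

```powershell
function Get-DenyOverlap {
    param([Parameter(Mandatory = $true)]
          [System.Security.AccessControl.FileSystemSecurity] $Acl)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit ACEs only; inherited ACEs are not examined.
    $rules = @($Acl.GetAccessRules($true, $false, $sidType))
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($d in $deny) {
        foreach ($a in $allow) {
            if ($a.IdentityReference.Value -ne $d.IdentityReference.Value) { continue }
            # Bits set in both masks: listed in the Allow ACE, but refused
            # when the Deny ACE is evaluated first (canonical ACL order).
            $overlap = ([int]$d.FileSystemRights) -band ([int]$a.FileSystemRights)
            if ($overlap -ne 0) {
                [pscustomobject]@{
                    Account      = $d.IdentityReference.Value
                    DenyMask     = '0x{0:X8}' -f [int]$d.FileSystemRights
                    AllowMask    = '0x{0:X8}' -f [int]$a.FileSystemRights
                    DeniedAnyway = [System.Security.AccessControl.FileSystemRights]$overlap
                }
            }
        }
    }
}

# Constructed sample 1: in-memory ACL from SDDL. The Deny ACE for BUILTIN\Users
# (BU) carries Write + Delete + Synchronize (0x110116); the Allow ACE carries
# ReadAndExecute + Synchronize (0x1200A9). Win32 file opens normally request
# SYNCHRONIZE, so a denied Synchronize bit can block reads as well.
$sample1 = New-Object System.Security.AccessControl.DirectorySecurity
$sample1.SetSecurityDescriptorSddlForm('D:(D;OICI;0x110116;;;BU)(A;OICI;0x1200a9;;;BU)')
Get-DenyOverlap -Acl $sample1

# Constructed sample 2: the same intent built from FileSystemAccessRule objects,
# the way the final script in the thread builds its rules (ReadAndExecute is
# used here instead of Read). Compare its report with sample 1.
$users   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'
$inherit = 'ContainerInherit, ObjectInherit'
$sample2 = New-Object System.Security.AccessControl.DirectorySecurity
$sample2.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', $inherit, 'None', 'Allow')))
$sample2.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'Write, Delete', $inherit, 'None', 'Deny')))
Get-DenyOverlap -Acl $sample2
```

To check a real folder, pass the result of `Get-Acl C:\test` as the `-Acl` argument; both samples above stay in memory and change nothing on disk.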

You're welcome - glad you managed to get it sorted!

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
September 14th, 2012 6:40pm
