
We would like to change the permissions of a folder which currently grants full permission to a user, inherited from the parent with full permission. I would like to apply a 'Deny' permission to the user for all operations other than read and execute using the 'icacls' command.

When we try to apply the deny permission, the operation reports success, but the user is not able to open the folder at all, i.e., even the read permission does not apply. We have tried all the commands mentioned in this question, including the ones given in the responses, but none of them work. We have also referred to this forum question but did not find a solution.

However, when we manually apply the 'Deny' permission using Folder Properties -> 'Security' tab, it works as expected and the user gets only the read and execute permissions. We also tried removing the user from the 'Administrators' group and then performing the deny operation through the command, but it still doesn't work and even the read permission gets disabled.

We are trying the below set of commands:

takeown /f "E:\foldername" /r /d y

:: Reset inheritance on the directory and sub-directories
icacls "E:\foldername" /reset /T

:: Set read-only permissions for user
icacls "E:\foldername" /grant "test1":(OI)(CI)(R,X)
icacls "E:\foldername" /deny "test1":(OI)(CI)(W,D)

Using the above commands, we see that the permissions get applied in the folder's properties, but as soon as the user clicks on the folder, a prompt appears to 'Request permission' and then even read access is not available.

[Screenshot: permissions given manually via the Security tab]

We are using PCs with Windows 10 and Windows Server 2012 R2. Please assist us in solving the issue.

UPDATE:

We have also tried using the below commands to include Read attributes, read extended attributes, list folder/read and traverse/execute but issue is still present.

icacls "E:\foldername" /grant "test1":(OI)(CI)(R,X,REA,RD,GR,RC,RA)
icacls "E:\foldername" /deny "test1":(OI)(CI)(W,D)

We have also tried to add the /inheritance key with 'e'/'r' options.

The 'Effective access' for the user looks like this, but when the user clicks on the folder, he is not able to read its contents, even though the read permissions are not modified.

[Screenshot: 'Effective access' view for the user]

Please assist in resolving the issue.

2 Answers


According to my test, the following sequence of commands set a folder to read-only and execute by a user:

icacls "C:\Test" /reset /T
icacls "C:\Test" /grant "User":(OI)(CI)RX
icacls "C:\Test" /inheritance:r

This was executed in an administrator account that owned the folder "C:\Test" (CMD was not run as Administrator).

It might be that expressly adding a Deny condition is what caused the problem, by denying too much.

harrymc

This answer (as pointed out by @user1686 in a comment on this question) worked in our case.

We were trying to deny the Write (W) permission, which apparently also includes the 'Synchronize' (S) attribute that is required for all read operations. We avoided this by specifying the individual rights from Write (W) to be denied, as below:

icacls "E:\foldername" /deny "test1":(OI)(CI)(WD,AD,WEA,WA) /inheritance:r
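The following PowerShell script is an added example, not code from the question or from either answer. It reproduces the mechanism both answers are circling: it applies the question's `/deny ...W` spec and the accepted `/deny ...(WD,AD,WEA,WA)` spec to two throwaway directories and reads back the raw access mask of the resulting Deny ACE with `Get-Acl`, so you can see for yourself whether the SYNCHRONIZE bit (0x00100000) and READ_CONTROL bit (0x00020000) ended up in the deny mask. It assumes a Windows machine with icacls.exe on the PATH and an elevated PowerShell session; `$Principal` is a placeholder, set to BUILTIN\Guests so the Deny ACE can never lock out the account running the script (swap in the real account, e.g. `COMPUTER\test1`, to mirror the question).

```powershell
# Added example (not from the original question or answers).
# Compares the Deny ACE produced by "icacls /deny X:(OI)(CI)W" with the one
# produced by "icacls /deny X:(OI)(CI)(WD,AD,WEA,WA)" and reports whether
# SYNCHRONIZE / READ_CONTROL are part of the denied mask.
#
# Assumptions: Windows, icacls.exe on PATH, elevated PowerShell. $Principal is
# a placeholder; BUILTIN\Guests is used so the Deny ACE never affects the
# caller. Replace it with the real user (e.g. 'COMPUTER\test1') to reproduce
# the question's setup.

$Principal = 'BUILTIN\Guests'
$Sync      = [int][System.Security.AccessControl.FileSystemRights]::Synchronize      # 0x00100000
$ReadCtl   = [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions  # 0x00020000

function Get-DenyMask {
    # Raw access mask of the first Deny ACE for $Identity on $Path (0 if none).
    param([string]$Path, [string]$Identity)
    $ace = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Identity } |
        Select-Object -First 1
    if ($null -eq $ace) { return 0 }
    return [int]$ace.FileSystemRights
}

function Test-DenyRight {
    # Create a fresh directory, apply one icacls /deny spec to it, read the
    # resulting Deny ACE back, and always clean the directory up afterwards.
    param([string]$DenySpec)
    $dir = Join-Path $env:TEMP ('icacls-deny-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        & icacls.exe $dir /deny "$($Principal):$DenySpec" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed for spec $DenySpec" }
        $mask = Get-DenyMask -Path $dir -Identity $Principal
        [pscustomobject]@{
            DenySpec      = $DenySpec
            Mask          = ('0x{0:X6}' -f $mask)
            DeniesSync    = (($mask -band $Sync) -ne 0)      # reads need SYNCHRONIZE
            DeniesReadCtl = (($mask -band $ReadCtl) -ne 0)   # needed to view the ACL itself
        }
    } finally {
        Remove-Item -LiteralPath $dir -Recurse -Force
    }
}

# The spec from the question (user cannot even open the folder) next to the
# spec from the accepted fix (only the four write rights are denied).
@(
    (Test-DenyRight '(OI)(CI)W'),
    (Test-DenyRight '(OI)(CI)(WD,AD,WEA,WA)')
) | Format-Table -AutoSize
```

On a system where the simple right W expands to the FILE_GENERIC_WRITE mapping from winnt.h, the first row will show DeniesSync and DeniesReadCtl as True, and the second row will show a mask of 0x000116 with both False; since Deny ACEs are evaluated before Allow ACEs, a denied SYNCHRONIZE bit defeats any ordinary read open regardless of how much R/RX you grant, which matches the behaviour described in the question. The 0x116 mask is also what the Security tab's basic "Write" entry denies, which is consistent with the GUI route working where the first icacls form did not; if your own output differs, trust the masks you see rather than this note.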