Setting Deny Permissions with ICACLS on "This Folder"

Question

ICACLS "{PATH}" /DENY "{AD Group}:(D)"

I want to deny the ability for {AD Group} to delete the parent folder but still have permissions to delete child folder and files. However, when I set the DENY Delete on the parent, it prevents Traverse Folder access to the folder.

I read that this is a synchronize error but if I set (D,S) I can traverse the folder but I can also delete it.

Currently ACL_FILE_IST is the only permission on the folder.

Has anyone seen a workaround?

ICACL COMMANDS

ICACLS "C:\TEMP\TestPermissions" /GRANT "ACL_FILE_IST:(OI)(CI)(M)"
ICACLS "C:\TEMP\TestPermissions" /DENY "ACL_FILE_IST:(D)"

ICACLS ACL

testpermissions

D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)

score 2 · Answer 1 · answered Oct 22 '20 at 19:50

For anyone else who finds this 6.5 year old post, this is what fixed things for me - https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110 - using OP's original command, you would use ICACLS "{PATH}" /DENY "{AD Group}:(DE)" - simply add DE instead of D, which as the article points out, has a bug or glitch in it where it removes synchronize as well as delete. Annoying, but an easy fix.

score 0 · Answer 2 · answered Apr 14 '14 at 20:52

0

Try and test > icacls "path" /deny ADgroup:(CI)D

answered Apr 14 '14 at 20:52

Ben Lavender

609

score 0 · Answer 3 · answered Apr 15 '14 at 21:28

0

I used the 3rd party tool SETACL to fix the issue. It appears to be working.

SETACL -ON "{PATH}" -OT FILE -ACTN ACE -ACE "N:{AD_GROUP};P:DELETE;I:NP;M:DENY"

answered Apr 15 '14 at 21:28

Ganske

21

Setting Deny Permissions with ICACLS on "This Folder"

3 Answers3

Linked