Microsoft Windows Access Management Tools

You have seen how to modify object DACLs using the Security page in the Properties dialog box. Although the Properties dialog box is easy to use, it is not effective for managing DACLs for multiple objects. Making bulk DACL changes in the Properties dialog box is a time-consuming process. Suppose you add a new group and want to add group permissions to the DACLs for a large number of objects. How would you do that without opening each object’s Properties dialog box?

Fortunately, Microsoft provides several tools that make changing DACLs for a group of objects easy. Table 3-5 lists the main ACL management tools and their uses.

TABLE 3-5 Windows ACL Management Tools

| TOOL | DESCRIPTION |
| --- | --- |
| Cacls.exe | The Control Access Control List (CACLS) utility is a legacy command-line tool to display or modify ACLs for files or folders. Cacls.exe is still provided with current Windows versions. |
| Icacls.exe | The Integrity Control Access Control List (ICACLS) utility is a command-line tool intended to replace and extend cacls.exe and another legacy tool, xcacls.exe. Icacls.exe allows you to list, update, and back up file and folder ACLs. |
| Robocopy.exe | Robust File Copy (robocopy) is a command-line tool that copies files and folders with or without their associated ACLs. |

© Jones & Bartlett Learning.

Cacls.exe

The Control Access Control List (cacls.exe) CLI tool was first introduced in Windows 2000. Although Windows now includes icacls.exe as a newer, updated tool, Windows still includes cacls.exe for those who are used to it and may have batch files that depend on it. The cacls.exe command allows users to list or modify the DACLs for one or more files or folders. You can specify a single file or folder, or use wildcards to match multiple files or folders. TABLE 3-6 shows a few cacls.exe examples and what each command accomplishes.

TABLE 3-6 Sample cacls.exe Commands

| COMMAND | RESULT |
| --- | --- |
| `cacls testfile.txt` | Lists the ACLs for testfile.txt. The output shows one line for each user or group, along with the permissions assigned to each user/group. Each permission is one of: N = None, R = Read, W = Write, C = Change (write), F = Full. |
| `cacls testfile.txt /e /g fpurvis:f` | Grants the user “fpurvis” full access to the file testfile.txt. |
| `cacls testfile*.txt /e /g erpusers:r` | Grants the members of the “erpusers” group read access to all files that match the pattern “testfile*.txt”. |
| `cacls testfile.txt /e /r erpusers` | Revokes access permission for members of the erpusers group to the file testfile.txt. |
| `cacls C:\appdocs\test /e /t /c /g erpusers:c` | Grants the change access permission to members of the erpusers group to all files and folders in the C:\appdocs\test folder and all subfolders. |


Icacls.exe

The Integrity Control Access Control List (icacls.exe) CLI tool replaces both the cacls.exe and the xcacls.exe tools. The icacls.exe tool enables the listing, updating, and backup of ACLs for both files and folders. You can also find files that belong to a particular user, change the ownership of files and folders, and replace the permissions for one user with the permissions of a different user. TABLE 3-7 shows a few icacls.exe examples and what each command accomplishes.

TABLE 3-7 Sample icacls.exe Commands

| COMMAND | RESULT |
| --- | --- |
| `icacls C:\windows\* /save AclFile /T` | Saves the ACLs for all items in the C:\windows folder and its subfolders into a file named AclFile. |
| `icacls C:\windows /restore AclFile` | Restores the ACLs saved in the file named AclFile to every matching item that exists in the C:\windows folder and its subfolders. |
| `icacls file /grant Administrator:(D,WDAC)` | Grants the user named “Administrator” the Delete (D) and Write DAC (WDAC) permissions to a file named file. |
| `icacls file /grant *S-1-1-0:(D,WDAC)` | Grants the user or security group whose security identifier is S-1-1-0 the Delete (D) and Write DAC (WDAC) permissions to a file named file. |
| `icacls C:\windows\explorer.exe` | Displays the access control list for a file named C:\windows\explorer.exe. |
| `icacls file /setintegritylevel H` | Modifies the mandatory integrity level of an object named file to High. |
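
The bulk change posed at the start of this section, adding a new group to the DACLs of many objects, can be scripted around icacls.exe. The following PowerShell script is an added example, not part of the original text; the erpusers group and the C:\appdocs\test folder are sample names, and the backup file location is an assumption.

```powershell
# Added example. $Root and $Group are sample names; $Backup is an assumed location.
$Root   = 'C:\appdocs\test'
$Group  = 'erpusers'
$Parent = Split-Path -Path $Root -Parent
$Backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "Folder not found: $Root"
}

# 1. Back up the ACLs of $Root and everything below it before touching anything.
#    /T recurses; /C continues past per-file errors. Paths in the backup file
#    are stored relative to $Parent, which is where a restore must point.
icacls $Root /save $Backup /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'ACL backup failed; no changes were made.' }

# 2. Add one inheritable read-and-execute ACE on the root folder.
#    (OI)(CI) = object inherit + container inherit, so files and subfolders
#    receive the permission through inheritance rather than explicit ACEs.
icacls $Root /grant "${Group}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Grant failed. Roll back with: icacls `"$Parent`" /restore `"$Backup`""
}

# 3. Confirm the explicit ACE exists on the root.
$rootAce = (Get-Acl -LiteralPath $Root).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Group" }
if (-not $rootAce) { throw "No explicit ACE for $Group found on $Root" }

# 4. Report children that block inheritance; they did not receive the new ACE
#    and need an explicit decision (re-enable inheritance or grant directly).
$blocked = Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected }

"Granted RX to $Group on $Root (backup: $Backup)"
if ($blocked) {
    'Items with inheritance disabled (not covered by the new ACE):'
    $blocked.FullName
}
```

Granting once at the root with an inheritable ACE keeps the DACLs of child objects small and makes the change reversible by removing a single entry; the saved backup covers the case where the change has to be undone wholesale.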


Robocopy.exe

Robocopy, or “Robust Copy,” is a CLI utility that has been available in the Windows Resource Kit for years. Far more than a simple file and folder copy utility, Robocopy provides the functionality to replicate objects and their ACLs in a volatile networked environment. Maintaining a solid access control policy requires keeping defined ACLs intact, and Robocopy provides the ability to do just that. Robocopy incorporates many features, including:

  • Resumes copying where it left off after an interruption, such as a network disruption.

  • Preserves attributes, owner information, auditing information, and timestamp information by default.

  • Copies all ACLs with objects.

  • Copies a large number of files without having to invoke the tool multiple times.

  • Copies long file and folder names.

  • Allows multithreaded copying.

TABLE 3-8 shows a few robocopy.exe examples and what each command accomplishes.

TABLE 3-8 Sample robocopy.exe Commands

| COMMAND | RESULT |
| --- | --- |
| `robocopy C:\source C:\target /E` | Recursively (/E) copies all files in C:\source to C:\target. |
| `robocopy C:\source C:\target /COPYALL /E` | Recursively (/E) copies all files in C:\source to C:\target, including all ACL, owner, timestamp, and attribute information. |
| `robocopy C:\source \\backupserver\target /MIR /Z` | Mirrors source to target, destroying any files in target that are not present in source (/MIR), and copies files in restartable mode (/Z) in case the network connection is lost. |
| `robocopy C:\source C:\target testfile.txt` | Copies the file testfile.txt from directory C:\source to C:\target. |
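
Because the point of using Robocopy here is to keep defined ACLs intact, it is worth checking the result rather than assuming it. The following PowerShell script is an added example, not part of the original text; it uses C:\source and C:\target as sample paths, the function name Get-AclFingerprint is hypothetical, and it assumes an elevated session because /COPYALL includes auditing information.

```powershell
# Added example. C:\source and C:\target are sample paths.
$Source = 'C:\source'
$Target = 'C:\target'

# Copy the tree with data, attributes, timestamps, ACLs, owner and auditing info.
# /R and /W bound the retry behaviour; /NP /NJH /NJS keep the output quiet.
robocopy $Source $Target /E /COPYALL /R:2 /W:5 /NP /NJH /NJS | Out-Null

# Robocopy exit codes are a bitmask; 8 or higher means at least one failure.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE)"
}

# Owner plus explicit (non-inherited) ACEs as a sorted, comparable string.
# Inherited ACEs are skipped because they depend on each tree's parent folder.
function Get-AclFingerprint([string]$Path) {
    $acl  = Get-Acl -LiteralPath $Path
    $aces = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
    }
    "owner=$($acl.Owner);" + (($aces | Sort-Object) -join ';')
}

# Walk the source tree and compare every item with its copy.
$mismatches = foreach ($item in Get-ChildItem -LiteralPath $Source -Recurse -Force) {
    $relative = $item.FullName.Substring($Source.Length).TrimStart('\')
    $copy     = Join-Path $Target $relative
    if (-not (Test-Path -LiteralPath $copy)) {
        [pscustomobject]@{ Path = $relative; Problem = 'missing in target' }
    } elseif ((Get-AclFingerprint $item.FullName) -ne (Get-AclFingerprint $copy)) {
        [pscustomobject]@{ Path = $relative; Problem = 'owner or explicit ACEs differ' }
    }
}

if ($mismatches) { $mismatches | Format-Table -AutoSize }
else { 'All copied items carry the same owner and explicit ACEs as the source.' }
```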

