 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Windows Server Forum / Windows Server 2003 / Security / July 2007Adding multiple entries for the same user with xcacls...
Hello, Is there a way to add multiple entires for the same user using xcacls? I am open to other suggestions, but here is what I need to do... I need to give Domain Admins specific access to "Subfolders and Files". I also need to give Domain Admins specific access to "This Folder only" When I use xcacls, the last command just overwrites the first... I realize that /G replaces the existing settings, however I do not see any options to accomplish what I need. If there is another tool to accomplish this, I am open to other possibilities. cscript xcacls.vbs test /I COPY /SPEC A /G "Domain Admins":618423B cscript xcacls.vbs test /I COPY /SPEC E /G "Domain Admins":6184237AB Thank you in advance You appear to be overlooking the /e switch, which mean Edit the existing grants for the principal rather than replacing them > Hello, > Is there a way to add multiple entires for the same user using [quoted text clipped - 17 lines] > > Thank you in advance Roger, Thank you a million times. I briefly attempted the /E switch, but when I received a syntax error, I just assumed I was heading down the wrong path. What I failed to realize is that /E can be used with /G. You rock. Thank you again. > You appear to be overlooking the /e switch, which mean Edit the > existing grants for the principal rather than replacing them [quoted text clipped - 20 lines] >> >> Thank you in advance > Roger, > Thank you a million times. I briefly attempted the /E switch, but when > I received a syntax error, I just assumed I was heading down the wrong > path. been there , guessing of syntax > What I failed to realize is that /E can be used with /G. You rock. :) > Thank you again. To you too - :)  Signaturera > >> You appear to be overlooking the /e switch, which mean Edit the [quoted text clipped - 21 lines] >>> >>> Thank you in advance I think I am still missing something. Even running /E it still updates the existing entry instead of creating a new one (different /SPEC syntax for each) for the group that I am granting permissions to. Any ideas what I am misisng here? >> Roger, >> Thank you a million times. I briefly attempted the /E switch, but [quoted text clipped - 35 lines] >>>> >>>> Thank you in advance It you are using /g for Principal with the /e switch it should update the existing ACE/ACEs for Principal. If it can do this by modifying the existing ACE/ACEs without adding another, that would be expected. You are apparently saying ACE/ACEs before use of /g /e + intended grant via /g /e does not equal ACE/ACEs for Principal afterwards. ?? >I think I am still missing something. > [quoted text clipped - 41 lines] >>>>> >>>>> Thank you in advance I am trying to say "grant specific security for GoupA to Subfolders and files only" and "grant specific security for GroupA to This folder only". I guess this is just not possible with xcacls. I really appreciate your response and understand that my responses are teetering on the edge of annoying at this point. I can tell you with all honesty I have read the -? command a dozen times and you are the only one responding, so thank you once again. If you know of any way to ADD a user or group twice with different security, that would help me a tremendously. > It you are using /g for Principal with the /e switch it should > update the existing ACE/ACEs for Principal. If it can do [quoted text clipped - 51 lines] >>>>>> >>>>>> Thank you in advance Hi again Condiment, Thank you for your thanks, but your apollogetic approach is not needed. All I am saying is that I have not had the kind of problem you report, when using /e, and I have used it to grant multiple things to a principal. However, I am also saying that one does not always end up with what one expects, but with something equivalent. For an example, making a grant of read on this folder, and another of read/write on subfolders and files can be equivalently stated as a grant of read on this folder, subfolders and files, and another of write on subfolders and files. The apis used by xcacls seem to "optimize" according to some canonicalization rules I have never seem mentioned or documented if they exist as such; but one should end up with something functionally equal to what was there for the principal plus what was added with use of /e /g Roger >I am trying to say "grant specific security for GoupA to Subfolders and >files only" and "grant specific security for GroupA to This folder only". [quoted text clipped - 60 lines] >>>>>>> >>>>>>> Thank you in advance This post gave me a horrible case of tunnel vision. I was following documented procedures in an attempt to automate. After stepping back and asking why the procedures were documented this way, I realized what I am asking can be acomplished in another way. The shock of realizing what I am asking for is not supported made me question why I was attempting something in the first place. I now understand why. There is a specific access setting for "subfolders and files" regardless of the scope or "onto property" of the object, this accomplishes what I wanted. It still asks the question of how to add the same user or group twice with different scope or "on to" permissions, but at this moment, I think I have my resolution. Thank you again Roger. >I am trying to say "grant specific security for GoupA to Subfolders and >files only" and "grant specific security for GroupA to This folder only". [quoted text clipped - 60 lines] >>>>>>> >>>>>>> Thank you in advance |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2010 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.