using icacls to set multiple folders permission

August 21, 2013 at 07:58:29
Specs: Windows 2008, 4G

Trying to use icacls to set security permissions on multiple folders, since Windows 2008 Server has removed this option tab.

I have made some folders called e.g. d:\users\child\1b\dave, fred etc. and set permission on the child folder for domain users to "read only".

Trying to add "domain users" full permission with deny delete on "this folder only" for dave, fred, etc. and add "domain users" full control for subfolders and files for dave, fred etc.

The end result is that domain users can't delete the dave, fred folders etc. but inside these folders they can do anything they like (full control).

How to achieve this using icacls?

I tried something like: icacls "D:\users\child\1b\*" /grant "domain users":F /T ? But I think this only sets full permission on all folders inside 1b, which means the user can delete the dave, fred folders etc.

Please help, thanks

message edited by kiwi_hk

August 21, 2013 at 18:14:17
It doesn't make sense to allow full control (read, write, edit) without being able to delete. This is not possible as far as I am aware. You may want to allow for full control (since you don't care if users can see each other's data) and then utilize shadow copy (in case something gets deleted) to restore files if needed.

Also, you can enable auditing on those directories to track who deleted files (from management perspective).

Syntax wise, you'll be looking at something like this: icacls D:\users\child\1b\ /grant "Domain Admins":F /t

You may also want to set the (OI)(CI) (object/container inheritance) as well to apply ACEs.

August 21, 2013 at 19:34:44
What do you mean?

The teacher has a mapped drive called U: of the 1b, 1c, 1d, where all the children's folders are inside them (1b\fred, 1b\dave ...), their names are their mapped documents called H:

I just want the teacher's group added in to 1b, 1c, 1d's children's folders, e.g. dave, fred, where they can have full control of the subfolders and files inside dave, fred etc., but can't delete the 1b\fred, 1b\dave... folders, because if they did then all their docs and H drive will be gone.

August 22, 2013 at 05:43:38
"Where they can have full control of the subfolder, but can't delete".. You can't have full control with deny delete, how can you tell the share to allow read/write/special permissions access but then not delete (write) to the share? You will have to give explicit permissions to deny delete, R & Execute status on the H drive, and the U: drive would be utilized for files that need modification.

Or like suggested above, provide full control, turn on auditing and shadow copy. That way you know when something is deleted and by who, and can restore it.

August 22, 2013 at 06:02:11
But I have done it with the GUI using Windows 2003 Server, since it has the tab and I can select all folders and use advanced settings.

Windows 2008 server removed the multiple folders permission tab.

I got these folders in d:\1b\dave\, d:\1b\fred\

1b, dave and fred folders (staff group users ) can't delete those folders, but staff group have full control inside dave and fred folder, so they can create files and subfolders within them and delete if they want.

How can I do this with icacls?

I don't want to audit it since it is better to prevent users deleting than finding out who deleted it or moved it and then fix it. We have over 700 folders.

August 22, 2013 at 06:38:48
You can't use Full Control and limit delete. It also allows users to take ownership, change permissions, and delete.

Utilizing icacls, you can set everyone to Modify. That should allow for everything (read,write,execute) except delete of subfolders & files, taking ownership & modifying permissions.

icacls D:\users\child\1b\ /grant "Domain Admins":(OI)(CI)M /t

August 22, 2013 at 07:37:48
So you are saying I can't deny delete to this folder "fred" and "andrew" but anything inside fred like sub-folders and files have full control?

August 22, 2013 at 07:55:24
How permissions work:

Scroll down to the "Special permissions" chart, where you will see "Full Control", "Modify", "Read & Execute", etc.

I am saying remove full control, and set permissions to modify.

August 22, 2013 at 16:18:25
But modify won't let me delete the subfolders inside Dave and Fred. We need groups to be able to do that but not delete the entire Dave folder.

I tried icacls saving the settings and had a look, but the saved files don't resemble any command line parameters.

Have you tried the settings from my first post on your system, does it do what I wanted?

message edited by kiwi_hk

August 23, 2013 at 09:27:43
So then why not set the 1x folders to modify (so their contents, subfolders and files, can't be deleted, which is fred, dave, etc.), and the dave/fred folders to full control with no inheritance?

I don't see the point, even if I didn't delete the "Dave" folder, I can still drill into the folder and wipe it clean, which would leave dave with an empty folder.

icacls D:\users\child\ /grant "Domain Admins":M /t
icacls D:\users\child\1b\ /grant "Domain Admins":F /t

I have not replicated the setup.

August 23, 2013 at 10:21:37

The reason is that teachers have access to the 1b folder and some of them in the past have moved the entire 1B folder over to another class, or moved the dave folder, or deleted these folders; if they did, then the children will not have their docs. It just stops them from doing that. The teachers still want to go into dave's folders to check their documents and update them, and may even delete duplicate files. Hope that makes sense.

August 26, 2013 at 07:56:40
It didn't work, I can delete all folders.
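
One way to express the layout asked for in the first post with icacls, as an added example that is not from the thread and has not been run against the poster's server. It assumes the class folder (1b) itself gives the group only read access, because a delete-child (DC) right on the parent, which Full Control includes, lets a user delete a subfolder despite a deny on that subfolder; `$Apply` and the dry-run default are hypothetical names used only in this sketch.

```powershell
# Added example (not from the thread). Paths and group are the ones named in
# the first post; $Apply and the dry-run behaviour are assumptions.
$ClassRoot = 'D:\users\child\1b'   # class folder holding dave, fred, ...
$Group     = 'Domain Users'        # group the poster wants to constrain
$Apply     = $false                # $false = only print the icacls commands

# (switch, ACE) pairs applied to every pupil folder under the class folder.
$Aces = @(
    # Full control for subfolders and files; (IO) = inherit only, so this
    # ACE does not apply to the pupil folder itself.
    @('/grant', "${Group}:(OI)(CI)(IO)F"),
    # This folder only: Modify, so the group can list and create items but
    # gets no WDAC/WO and cannot strip the deny ACE below.
    @('/grant', "${Group}:M"),
    # This folder only: explicit deny of DELETE (DE). No inheritance flags,
    # so nothing inside the folder is affected.
    @('/deny',  "${Group}:(DE)")
)

$folders = Get-ChildItem -LiteralPath $ClassRoot | Where-Object { $_.PSIsContainer }
foreach ($folder in $folders) {
    foreach ($ace in $Aces) {
        if ($Apply) {
            & icacls.exe $folder.FullName $ace[0] $ace[1]
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $($folder.FullName)" }
        } else {
            'icacls "{0}" {1} "{2}"' -f $folder.FullName, $ace[0], $ace[1]
        }
    }
}

# Review the class folder: the deny is bypassed if this ACL gives the group
# DC (delete child), which F includes, so it should show read-only rights.
& icacls.exe $ClassRoot
```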
