Scripting ACL changes

2017-12-08T17:10:06+00:00 | October 12th, 2009 | Azure, Cloud, Windows

A follow-up to Certificate Strangeness: if you found that useful, you'll probably be looking at making some changes to fix whatever issues you were having.

While it is theoretically possible to script ACL changes in PowerShell and VBS, there's no point in re-inventing the wheel when there are perfectly good command line tools available. Most of us are aware of CACLS, which has been around for donkey's years, but you may not be aware that its use is now deprecated, as it can incorrectly order the ACEs on the ACL.

Ideally, you would use ICACLS.exe, as this is the utility currently shipped and supported by MS. However, there are two versions: one for Vista and upwards, and one for 2003 and downwards. The Vista version will remove the inheritance flag from an ACL, but the 2003 version will not. Also, if the user is the owner of a file, the Vista version will successfully write an ACE onto an empty ACL, whereas the 2003 version will not. Of course, if you are fixing ACLs on the MachineKeys folder and its files, these are the very two actions you need to accomplish. If we could just copy the exe across and use the Vista version on an XP system, everything would be gravy, but life is never that simple: it just errors out.

The solution? Let somebody else write the script 🙂

xcacls.vbs is available for download from the MS website, and successfully achieves both the actions outlined above on an XP system. Be aware that its use is NOT supported by MS, but be that as it may, if it's the only tool available on XP and 2003 ….
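For the Vista-and-upwards case, here is the sequence the post describes (drop inheritance, then write explicit ACEs) wrapped in a PowerShell script that backs the existing ACLs up first so the change can be rolled back. This is an added example, not code from the original post or from Microsoft; the MachineKeys path, the target ACE set (Administrators full, Everyone read/write on the folder itself) and the use of the newer icacls.exe are assumptions you should check against your own build before running it.

```powershell
# Added example: repair the MachineKeys folder ACL with icacls.exe (Vista and later).
# ASSUMPTIONS: the folder path below and the target permissions are not from the post;
# confirm the documented defaults for your OS version before applying.
param(
    [string]$MachineKeys = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    [string]$Backup      = (Join-Path $env:TEMP 'machinekeys-acl.bak')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $MachineKeys)) {
    throw "MachineKeys folder not found at $MachineKeys"
}

# icacls /save records names relative to the current directory, so work from the parent
# folder and pass the leaf name; /restore must later be run from the same parent.
$parent = Split-Path -Parent $MachineKeys
$leaf   = Split-Path -Leaf   $MachineKeys
Push-Location $parent
try {
    # 1. Back up the current ACLs of the folder and its files (/T recurses, /C keeps going on errors).
    icacls $leaf /save $Backup /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed with exit code $LASTEXITCODE" }

    # 2. Remove inherited ACEs from the folder: the step the 2003-era icacls cannot do.
    icacls $leaf /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed with exit code $LASTEXITCODE" }

    # 3. Write explicit ACEs onto the now-empty ACL. /grant:r replaces rather than merges,
    #    so the result is exactly this set. Assumed target set, adjust as required.
    icacls $leaf /grant:r 'BUILTIN\Administrators:(F)' 'Everyone:(R,W)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

    # 4. Print the resulting ACL for review.
    icacls $leaf
    Write-Host "Previous ACLs saved to $Backup. To roll back, run from ${parent}: icacls . /restore $Backup"
}
finally {
    Pop-Location
}
```

Run it from an elevated PowerShell session, since only the owner or an administrator can rewrite an empty ACL, which is exactly the situation the post describes on MachineKeys.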