mkdir c:\doc

icacls c:\doc /setowner test

Simple Rights

F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access

icacls c:\doc /grant test:F

icacls c:\doc /remove test


Specific rights: comma-separated inside the parentheses

icacls c:\doc /inheritance:d

icacls c:\doc /remove "builtin\users"

icacls c:\doc /remove "NT Authority\Authenticated Users"

icacls c:\doc /grant chris:(D,RD,WD,WDAC)

runas /user:chris cmd

To get into the folder, you must grant Chris the X (execute/traverse) permission.

Administrator Window:

icacls c:\doc /grant chris:(D,X,RD,WD,WDAC)

Chris Window:

c:\doc>mkdir folder1
Access is denied.

AD - append data/add subdirectory

Administrator Window:

icacls c:\doc /grant chris:(D,X,AD,RD,WD,WDAC)

Chris Window:

c:\doc>mkdir folder1


Creator Owner: common folder

mkdir c:\comFolder

icacls c:\comFolder /inheritance:d

icacls c:\comFolder /remove "BUILTIN\Users"

icacls c:\comFolder /remove "NT Authority\Authenticated Users"

icacls c:\comfolder /grant "Builtin\users":(RX,AD)

icacls c:\comfolder /grant "Creator Owner":(OI)(CI)(IO)(F)

runas /user:chris cmd
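
The rights strings granted above can be checked offline before they are applied. The following Python sketch is an added example, not part of the original notes: it parses icacls /grant arguments and reports what the named account can do in the folder itself. The function names and the reduced rights table are assumptions of the example; deny ACEs and group membership are not modelled.

```python
import re

# Simplified expansion of icacls rights into the specific rights these notes use
# (attribute, synchronize and read-control bits are left out).
EXPAND = {
    "F": {"D", "X", "RD", "WD", "AD", "WDAC", "WO", "DC"},
    "M": {"D", "X", "RD", "WD", "AD"},
    "RX": {"X", "RD"},
    "R": {"RD"},
    "W": {"WD", "AD"},
    "DE": {"D"},  # icacls also spells delete as DE
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r'^"?(?P<who>[^":]+)"?:(?P<groups>(?:\([^()]*\))+)$')


def parse_ace(text):
    """Parse one /grant argument such as chris:(D,X,RD) into a dict."""
    m = ACE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an icacls grant string: {text!r}")
    flags, rights = set(), set()
    for group in re.findall(r"\(([^()]*)\)", m["groups"]):
        for tok in (t.strip().upper() for t in group.split(",")):
            if tok in INHERIT_FLAGS:
                flags.add(tok)
            elif tok:
                rights |= EXPAND.get(tok, {tok})
    # (IO) = inherit only: the ACE is copied to children but is not
    # evaluated on the folder that carries it.
    return {"who": m["who"].lower(), "flags": flags, "rights": rights,
            "on_folder": "IO" not in flags}


def folder_access(grants, who):
    """What `who` can do in the folder itself, from allow ACEs naming them."""
    held = set()
    for ace in map(parse_ace, grants):
        if ace["who"] == who.lower() and ace["on_folder"]:
            held |= ace["rights"]
    return {"enter": "X" in held, "list": "RD" in held,
            "create_file": "WD" in held, "mkdir": "AD" in held}


if __name__ == "__main__":
    # The three grants from the doc-folder walkthrough, in order.
    for g in ("chris:(D,RD,WD,WDAC)", "chris:(D,X,RD,WD,WDAC)",
              "chris:(D,X,AD,RD,WD,WDAC)"):
        print(g, folder_access([g], "chris"))
```

The Creator Owner grant parses with on_folder set to False because of (IO): it gives nothing on the common folder itself and only takes effect on items created inside it.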


net user john password /add

net user sam password /add

net user tim password /add

net localgroup finance /add

net localgroup "users" chris /delete

net localgroup "finance" john /add

net localgroup "finance" chris /add

net localgroup "production" chris /add

net localgroup "production" sam /add


Encrypting File System

c:\comfolder>cipher /e chris

Back up the EFS certificate to ChrisCertificateForEFS.pfx

Kaiming has Full Control permission on the c:\comFolder\Chris folder. When he creates a file inside it, a self-signed certificate for Kaiming is created and used to encrypt the file.

Back up the EFS certificate to KaimingCertificateForEFS.pfx

To allow Chris to access this file, you must add his certificate to the list.

You cannot share the encrypted folder.

EFS only affects files that are accessed on the local computer. When you share files across the network, Windows automatically decrypts them before sharing. You don't need to add the network users' certificates to the attribute of the file.


EFS by domain GPO

When "Google Quick Search Box" is running, you cannot encrypt the user's Documents folder. The "Encrypt the contents of the user's Documents folder" setting doesn't work.