(Windows Server 2003) CACLS.EXE usage

1.4k views Asked by At

I have a path with the following privileges:

E:\MY_PATH                  BUILTIN\Administrators:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)F
                            BUILTIN\Administrators:F
                            CREATOR OWNER:(OI)(CI)(IO)F
                            BUILTIN\Users:(OI)(CI)R
                            BUILTIN\Users:(CI)(special access:)
                                              FILE_APPEND_DATA

                            BUILTIN\Users:(CI)(special access:)
                                              FILE_WRITE_DATA

In this path there is a text file that I can't modify or remove: I can only append rows.

I would like to know how can I grant Write to this file for a while, and then return to the original settings.

It is a log file and it is becoming too big, so I would like to leave out the older rows keeping only the more recent 1000 rows.

But I have not privileges to remove lines or to delete the file.

Please help.

Thank you in advance.

I have just read CACLS /? but I did not understand how to use this command.

1

There are 1 answers

0
Werner Henze On BEST ANSWER

I am not quite sure how you want to solve the problem.
Why don't you just give the user the right to always modify the log? If the admin is required to change the ACL, then why doesn't he edit the logfile? Can the log be edited while the logging service/app is running?

So much questions, now to my answers. I'ld use icacls, not cacls.

To grant the right:
icacls logfilename /grant *S-1-5-32-545:(WD)

To remove the right (this only works if the granted ACL entry is the only one for that user on that file!):
icacls logfilename /remove *S-1-5-32-545

I am using the SIDs and not the names in the calls above because the SIDs are independent of the OS language and work the same on your English Windows and my German Windows.

If you want a save-restore logic, you can save the file's ACL calling
icacls logfilename /save aclsavefile
and restore the ACL using
icacls . /restore aclsavefile

As you can see, saving requires the filename and restoring requires the folder name (the filename is stored in aclsavefile and taken from there). Take care: on Windows 7 restoring the ACL requires (backup?) privilege and can only be done when ran as administrator.