I had to set folder & file permissions (basically, take ownership and enable inheritance) for a bunch of Windows folders the other day. Thing is the folders had levels and levels of sub-folders so Windows Explorer kept failing when applying permissions. I tried to use
icacls via the command prompt but these too kept failing.
One workaround I had in mind was use
subst or make junctions but these didn’t work either. When I mapped part of the folder name to a drive letter using
subst the command line tools kept complaining that it wasn’t a file system that supported ACLs. Junctions didn’t do that well either. Mainly coz once you map part of a folder to a path/ drive letter, there’s no way to select the multiple sub-folders in there and assign permissions – when you select multiple folders, the security tab is missing.
Anyhoo, long story short, I came across this Server Fault thread from where I learnt the following –
In the Windows API, there is an infamous constant known as
MAX_PATH. MAX_PATH is 260 characters. The NTFS file system actually supports file paths of up to 32,767 characters. And you can still use 32,767 character long path names by accessing the Unicode (or “wide”) versions of the Windows API functions, and also by prefixing the path with
MAX_PATHwas set in stone a very long time ago in the Windows world. I think it has something to do with ANSI standards at the time… but it’s one of those things that’s very difficult for Microsoft to change now, as now we have thousands of programs and applications, including some written by Microsoft themselves, that use
MAX_PATHand would fail in strange new ways if the constant were suddenly changed. (Buffer overflows, heap corruption, etc.)
See this MSDN page too.
So what I needed was a tool that made use of the Unicode versions of the Windows API functions. A quick Google search bought me to SetACL – an amazing command-line tool that is able to set ACLs without the path limitations and that also has a nice syntax (I don’t know why, but
icacls and even PowerShell has such obscure syntax for setting file ACLs). Check out this example page to get started. In my case all I really needed to do was run a command like this to (1) enable permissions inheritance and (2) set the ownership, and the command would do it recursively for all the files and folders in that path. Amazing!
setacl -on "c:\path\to\folder" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj -actn setowner -ownr "n:mydomain\administrators"
The only gotcha I encountered was that I got the following error message after a while with the above command:
SetACL error message: The call to SetNamedSecurityInfo () failed Operating system error message: Access is denied.
Thankfully a forum post from the SetACL forums sorted that out for me. Trick is to do the take ownership first, and then the permission inheritance – apparently doing both together causes the above error.
So I did this first:
setacl -on "c:\path\to\folder" -ot file -actn setowner -ownr "n:mydomain\administrators" -rec cont_obj
Followed by this:
setacl -on "c:\path\to\folder" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj
SetACL is free but but command-line oriented. If you want a GUI version there’s SetACL Studio. That’s a paid product with a 30-day trial. I haven’t tried it yet. There is a SetACL t-shirt I might buy coz I was quite pleased with this tool yesterday. :)