XP Home is not designed for users to be mucking around with ACLs. But you found that out already.
CACLS is definitely not the preferred choice for changing ACLs via the command line. The preferred choice is FILEACL (google it, it's not from Microsoft). And FILEACL is more complex than CACLS/XCACLS.

I suggest you boot into safe mode. Then you should be able to work on inherited rights with the GUI interface.

(Disclaimer - When I say "should" it means I believe it to be true. When I say "will" it means I have tested it and know it to be true.)

-----Original Message-----
From: Windows Home/SOHO [mailto:[EMAIL PROTECTED] On Behalf Of Bernie Cosell
Sent: Thursday, January 12, 2006 3:44 PM
To: [email protected]
Subject: The dangers of messing with ACLs

I've been fiddling with my XP/Home system to see if I can do some/all of the security hacks with it that I have done on my two XP/Pro systems. I've been using the CACLS command and it seems to do OK [and is a LOT less hassle than booting to SAFE mode].

I tried playing with "dropmyrights" and it didn't do much: a tiny bit of investigation revealed that my laptop was set up with c: having an ACL of "Everybody:F" and so even with dropped rights I could mess with C:\. Not good.

So I did what I thought would be simple: cacls of everything on c:\ to "Everybody:R". BAD idea. Problem is that I have too many old Unix reflexes [and Unix has a truly *AWFUL* protection/security] and so Administrators are actually subject to the same ACL rules as mere mortals [who'd'a'thunk it! - on Unix, administrators [=root] have no such restrictions]. So what I discovered is that I could hardly do anything even from my admin account [indeed, even from my administrator account in SAFE mode]!!

And it was hard to fix: with everybody:R set, the ONLY account that can change ACLs for an object is the *OWNER* of the object. So I needed to go through all of c: and change what I could [as admin/administrator/both of the two user accts -- amusingly, with Everybody:R even admin can't mess with files on my limited account!].

Some of the files were owned by a strange internal-system owner [something with {}'s] -- I think that was stuff that Compaq pre-loaded onto the system. For those, I had to, one by one, change the owner to administrator and THEN I could put the protections back.

So the conclusion of this odd morality tale is that before I try this again, I need to remember to do a cacls /P Administrators:F *before* I once again change the everybody entry to R. SIGH!!!

This little escapade has raised some questions:

1) How can I create a new group in XP/Home? It won't allow the mmc snapin for local group management... is there some command-line thing I can do to create a new group?

2) How can I undo the 'inherit from your parent'? Someone mentioned that it was on the 'advanced' tab in the permissions. I'd be happy to do it via cacls, but I don't really understand how the CI/OI/IO settings work.

THANKS!!

/Bernie\

--
Bernie Cosell                Fantasy Farm Fibers
mailto:[EMAIL PROTECTED]     Pearisburg, VA
    -->  Too many people, too few sheep  <--

--
----------------------------------------
WIN-HOME Archives: http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
Contact the List Owner about anything: [EMAIL PROTECTED]
Official Win-Home List Members Profiles Page
http://www.besteffort.com/winhome/Profiles.html
