I was finally able to get what I needed by using the script here:
http://www.serverwatch.com/tutorials/article.php/1476751
and tweaking the following sections:
Changed:
adsFOLDER_READ = FILE_LIST_DIRECTORY Or FILE_READ_EA Or
FILE_TRAVERSE Or _
FILE_READ_ATTRIBUTES Or READ_CONTROL Or
SYNCHRONIZE
To:
adsFolder_READ = FILE_READ_EA OR FILE_READ_ATTRIBUTES OR
FILE_LIST_DIRECTORY
Changed:
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE Or ADS_ACEFLAG_UNKNOWN
To:
oACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
Additionally, I commented out the loops in the RecurseACLs sub.
What a project this turned out to be.
-Jay
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kevin Bilbee
Sent: Thursday, July 27, 2006 4:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: ACL Manipulation Tool
Well that sucks.
Kevin
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, July 27, 2006 12:39 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] OT: ACL Manipulation Tool
>
>
> Unfortunately, it seems like the WMI call they make in xcacls.vbs
still
> ends up enumerating all of the files on the drive ... I'll check
> filemon and see the wmi process just hitting all of the files, even
> though it's not changing any permissions on those files. Highly
> inefficient, but typical MS I suppose :(
>
> Thanks though.
>
> -Jay
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Kevin Bilbee
> Sent: Thursday, July 27, 2006 3:28 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] OT: ACL Manipulation Tool
>
> Looking at the code for Xcalcs it should work for you. If you are
using
> inheritance and do not want it to iterate all the files then you
cannot
> use the /T, /F, of /S options. If you use one of these do it will
> iterate all files on the drive.
>
>
> Kevin Bilbee
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jay
> > Sudowski - Handy Networks LLC
> > Sent: Thursday, July 27, 2006 9:35 AM
> > To: Declude.JunkMail@declude.com
> > Subject: [Declude.JunkMail] OT: ACL Manipulation Tool
> >
> > I am seeking out an ACL manipulation tool that will let me set the
> > "Read Attributes" permission on the root of a drive (no
inheritance),
> > that does not automatically apply the permission to
sub-files/folders
> > and also does not 'touch' every file on the server. I have tried
the
> > following tools, but ran into the issues noted:
> >
> > Cacls - Does not support "Read Attributes" permission. Does not
> allow
> > inheritance to be specified. However, cacls only modifies ACLs on
> the
> > specified root drive and nothing more, so performance is very quick.
> >
> > Xcacls.vbs - Supports "Read Attributes" permission, and allows for
> > proper control over inheritance. However, when setting the
> permission,
> > this tool enumerates every single file on the drive, making the
> process
> > extremely slow.
> >
> > Setacl.exe - Supports "read attributes" permission, and allows for
> > proper control over inheritance. Unfortunately, it doesn't seem to
> set
> > permissions properly on the root of a drive.
> >
> > FileACL.exe - Supports "read attributes" permission, and allows for
> > proper control over inheritance. However, when setting the
> permission,
> > this tool enumerates every single file on the drive, making the
> process
> > extremely slow.
> >
> > Xcacls.exe - Does not support "read attributes" permission, and
seems
> > to insert ACE entries in a non-supported manner on Windows 2003
> > servers.
> >
> > Dacl.vbs - Does not support "read attributes" permission.
> >
> > Is anyone aware of any other tools available?
> >
> > Thanks!
> > -----
> > Jay Sudowski // Handy Networks LLC
> > Director of Technical Operations
> > Providing Shared, Reseller, Semi Managed and Fully Managed Windows
> 2003
> > Hosting Solutions
> > Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX www.handynetworks.com
> >
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail". The archives can be found at
> > http://www.mail-archive.com.
> >
>
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
>
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
