The purpose of this article is to explain what the command we are asking 3rd party IT to run on their systems actually does and why. Some IT staff are unfamiliar with the icacls command, and it will make things a lot easier to work with tepid administrators if we are able to explain ourselves. icacls is a Windows command-line utility that IT admins can use to change access control lists on files and folders.
icacls "C:\programdata\microsoft\crypto\RSA\machinekeys" /t /grant everyone:(GR)
icacls displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. In the above example, we run icacls to change permissions, “C:\programdata\microsoft\crypto\RSA\machinekeys” is the directory holding the keys we want to modify, The /t switch is to run the command recursively, meaning everything in the directory will be modified, /grant is used because we want to grant permission to the keys, and everyone:(GR) are the people we want to grant permission to: everyone on the local machine.
The reason we need to run this command has to do with the Dymo installer. In some environments, when the installer is run it the RSA key created to facilitate communication between mako.exchange and the Dymo Connect Web Service will be set to “private” for that admin’s account. After installation, the user session will appear to be working / printing OK because the Dymo Web Connect Service is still running as administrator. However, when the user logs back in again the web service will restart with the user’s permissions, making the RSA key inaccessible.
C:\programdata\microsoft\crypto\RSA\machinekeys is the default directory for public keys. However, in some enterprise environments that directory may be located somewhere else. The facility IT department is the only group that can get to the bottom of that.
icalcs Command Syntax
icacls <filename> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d]] <sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<policy>[...]]
icacls <directory> [/substitute <sidold> <sidnew> [...]] [/restore <aclfile> [/c] [/l] [/q]]
icalcs Command Parameters
Parameter | Description |
---|---|
<filename> | Specifies the file for which to display or modify DACLs. |
<directory> | Specifies the directory for which to display or modify DACLs. |
/t | Performs the operation on all specified files in the current directory and its subdirectories. |
/c | Continues the operation despite any file errors. Error messages will still be displayed. |
/l | Performs the operation on a symbolic link instead of its destination. |
/q | Suppresses success messages. |
[/save <ACLfile> [/t] [/c] [/l] [/q]] | Stores DACLs for all matching files into an access control list (ACL) file for later use with /restore. |
[/setowner <username> [/t] [/c] [/l] [/q]] | Changes the owner of all matching files to the specified user. |
[/findsid <sid> [/t] [/c] [/l] [/q]] | Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID). |
[/verify [/t] [/c] [/l] [/q]] | Finds all files with ACLs that are not canonical or have lengths inconsistent with access control entry (ACE) counts. |
[/reset [/t] [/c] [/l] [/q]] | Replaces ACLs with default inherited ACLs for all matching files. |
[/grant[:r] <sid>:<perm>[…]] | Grants specified user access rights. Permissions replace previously granted explicit permissions.Not adding the :r, means that permissions are added to any previously granted explicit permissions. |
[/deny <sid>:<perm>[…]] | Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed. |
[/remove[:g | :d]] <sid>[…] [/t] [/c] [/l] [/q] | Removes all occurrences of the specified SID from the DACL. This command can also use: :g – Removes all occurrences of granted rights to the specified SID. :d – Removes all occurrences of denied rights to the specified SID. |
[/setintegritylevel [(CI)(OI)] <Level>:<Policy>[…]] | Explicitly adds an integrity ACE to all matching files. The level can be specified as: l – Low m – Medium h – High Inheritance options for the integrity ACE may precede the level and are applied only to directories. |
[/substitute <sidold><sidnew> […]] | Replaces an existing SID (sidold) with a new SID (sidnew). Requires using with the <directory> parameter. |
/restore <ACLfile> [/c] [/l] [/q] | Applies stored DACLs from <ACLfile> to files in the specified directory. Requires using with the <directory> parameter. |
/inheritancelevel: [e | d | r] | Sets the inheritance level, which can be: e – Enables inheritance. d – Disables inheritance and copies the ACEs. r – Disables inheritance and removes only inherited ACEs. |
Further Reading
PETRI – How to Use the Icacls Command to Manage File Permissions