icacls C:\TEMP\A /deny administrators:(OI)(CI)(DE,DC,WD,AD) /T
To "unlock" the C:\TEMP\A directory, use the following command:
icacls C:\TEMP\A /remove:d administrators /T
It is much more convenient to add these two commands as context menu items, so that we can right-click a selected folder and choose one of them.
LockFolder.reg
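Windows Registry Editor Version 5.00

; Adds a "Lock Folder" item to the folder context menu
[HKEY_CLASSES_ROOT\Directory\shell\lockfolder]
@="Lock Folder"

; %1 is the selected folder; it is quoted so that paths containing spaces work
[HKEY_CLASSES_ROOT\Directory\shell\lockfolder\command]
@="icacls \"%1\" /deny administrators:(OI)(CI)(DE,DC,WD,AD) /T"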
UnlockFolder.reg
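Windows Registry Editor Version 5.00

; Adds an "Unlock Folder" item to the folder context menu
[HKEY_CLASSES_ROOT\Directory\shell\unlockfolder]
@="Unlock Folder"

; %1 is the selected folder; it is quoted so that paths containing spaces work
[HKEY_CLASSES_ROOT\Directory\shell\unlockfolder\command]
@="icacls \"%1\" /remove:d administrators /T"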
Download the two reg files from GitHub.
Add these two reg files, and then we have two additional items on the context menu.
1. Right-click the A folder and select Lock Folder.
2. Open a command prompt and try to delete a file or folder.
3. Use icacls to check the DACLs of the files and folders.
4. The red block is what Lock Folder added.
5. Unlock Folder.
6. Check the file DACLs again.
7. Delete files and folder. This time we can successfully delete them.
In case you want to know exactly what these commands mean:
LockFolder:
icacls %1 /deny administrators:(OI)(CI)(DE,DC,WD,AD) /T
/deny: explicitly denies administrators access rights
(OI): object inherit
(CI): container inherit
DE: delete
DC: delete child
WD: write data/add file
AD: append data/add subdirectory
/T: all specified files in the current directory and its subdirectories
Unlock Folder:
icacls %1 /remove:d administrators /T
/remove:d: removes all occurrences of denied rights to administrators
/T: all specified files in the current directory and its subdirectories
Note:
We use "administrators" as the SID. If you want to use another ID, you need to modify the reg files, replace "administrators", and check that it works correctly.
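As an added example (not part of the original post or its reg files), the DACL checks in steps 3 and 6 can be scripted instead of read from icacls output by eye. Test-FolderLock and its parameters are hypothetical names, and the account name 'BUILTIN\Administrators' assumes an English-language Windows installation. Because the deny entry covers only DE, DC, WD and AD, an administrator can still change permissions, which is why Unlock Folder works; the lock guards against accidental deletion or modification.

```powershell
# Added example: report whether the deny ACE written by "Lock Folder" is present
# on a folder and on everything below it. Test-FolderLock is a hypothetical name.
function Test-FolderLock {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: English-language name of the built-in Administrators group
        [string]$Account = 'BUILTIN\Administrators'
    )

    # DE, DC, WD, AD expressed as .NET FileSystemRights flags
    $lockRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData'

    # The folder itself plus all files and subfolders, matching icacls /T
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Deny entries for the account that cover all four locked rights
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Account -and
            ($_.FileSystemRights -band $lockRights) -eq $lockRights
        })

        [pscustomobject]@{
            Path      = $item.FullName
            Locked    = $deny.Count -gt 0
            # True when the deny entry comes from a parent folder via (OI)(CI)
            Inherited = [bool]($deny | Where-Object IsInherited)
        }
    }
}

# After "Lock Folder" this should return nothing;
# after "Unlock Folder" it should list every item.
Test-FolderLock -Path 'C:\TEMP\A' | Where-Object { -not $_.Locked }
```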