10

Background

Say I have this command

icacls C:\FullyAccessibleFolder /grant Users:(OI)(CI)F

This works fine in English versions of Windows, but does not seem to work in French versions, giving the following error, presumably due to Users being different in French. Everyone gets translated as Tout le monde in Windows, so that's not a solution either.

Users: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

Which Google translates as

Users: The mapping between account names and security IDs was not performed.

Question

Is there a command I can use to set a folder and recursively all of its contents to have full permissions for all users in a way that would work across different language versions of Windows?

Content from around the web

This page with a largely similar problem talks about how Everyone becomes Jeder in German and Tout le monde in French.

Geesh_SO
  • 445
  • 1
  • 5
  • 17

3 Answers3

11

Does not work in French versions, presumably due to Users being different

You have three options, detailed below:

  1. Use the Use the Language Portal to get the translated name

  2. Retrieve the localised name from the Users SID

  3. Use the Users SID with icacls

Option 1: Use the Language Portal (canonical resource for Microsoft Terminology)

A search for Users returns:

Translations in Localized Microsoft Products

    English Translation         Product
    Users   Utilisateurs        Windows 7
    Users   des utilisateurs    Windows 7
    Users   Utilisateurs        Windows 8 Modern Voice
    Users   Utilisateurs        Windows 8
    Users   Utilisateurs        Windows 8.1
    USERS   UTILISATEURS        Windows 8.1
    Users   Utilisateurs        Windows 10
    Users   des utilisateurs    Windows 10
    Users   Utilisateurs        Windows 10 Anniversary Update
    users   utilisateurs        Windows 10 Anniversary Update

This suggests the following command may work:

icacls C:\FullyAccessibleFolder /grant Utilisateurs:(OI)(CI)F

Option 2: Retrieve the localised name from the Users SID (S-1-5-32-545)

SID: S-1-5-32-545

Name: Users

Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

Source Well-known security identifiers in Windows operating systems

To retrieve the localised Users group name:

This simple script will give you actual name of 'Users' (S-1-5-32-545) group on a given PC:

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set objAccount = objWMIService.Get ("Win32_SID.SID='S-1-5-32-545'")
    Wscript.Echo objAccount.AccountName

Put it into a file with vbs extension (Let's assume usersName.vbs).

Now run: 

echo Y|for /f "delims=" %i in ('cscript -Nologo usersName.vbs') do cacls foldername /G "%i":F

Source Cacls, Windows 7, full permissions, local names by wmz

Option 3: Use the Users SID with icacls

Use the following command:

icacls C:\FullyAccessibleFolder /grant *S-1-5-32-545:(OI)(CI)F

Source comment by Harry Johnston

DavidPostill
  • 153,128
  • 77
  • 353
  • 394
  • `xcacls` appears to be a script you can download. There's no need; `icacls` is built into Windows and can do the same job. – Harry Johnston Feb 08 '17 at 22:40
  • @HarryJohnston Correct, but my answer is showing how to retrieve the localised version of `Users` ... I've clarified the answer as we don't need the `xacls` part of the quoted solution. – DavidPostill Feb 08 '17 at 22:49
  • @HarryJohnston I've also added using `icacls` directly with credit to you. – DavidPostill Feb 08 '17 at 22:54
  • I've accepted the answer from DavidPostill as it does it in a true command line way, which is great when using batch or PS scripts. In the end I actually created a little executable in C# which just takes a path and does exactly what I need to. It's not as customisable as the answers here, and it requires .NET Framework, but it does suit my particular purpose very well. If anyone is interested, here is the the basis of the C# code I ended up going with. http://stackoverflow.com/a/35461832/1639615 – Geesh_SO Feb 08 '17 at 17:02
7

You need to specify the AD-group not by its name, but by the SID number.
For standard groups like "EveryOne", "Domain Users", etc. there are standardized SID numbers, which can be found on the MSDN page Well-known security identifiers (SIDs).

The following are the most common relative identifiers.

enter image description here

The structure of a SID is describe as the following:

The components of a SID are easier to visualize when SIDs are converted from binary to string format by using standard notation:

S-R-X-Y1-Y2-Yn-1-Yn

    Component                   Definition

    S                         Indicates that the string is a SID
    R                         Revision level
    X                         Identifier authority value
    Y            A series of subauthority values, where n is the number of values

For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:

S-1-5-32-544

This SID has four components:

  • A revision level (1)

  • An identifier authority value (5, NT Authority)

  • A domain identifier (32, Builtin)

  • A relative identifier (544, Administrators)

How Security Identifiers Work

Ramhound
  • 41,734
  • 35
  • 103
  • 130
Tonny
  • 29,601
  • 7
  • 52
  • 84
  • It is worth pointing out that all users are part of the User group by default. So if you want to give "full access:to all user accounts, just use SID `S-1-5-32-544`, and then modify the ACL to give all permissions to the group for the file or folder in question – Ramhound Feb 08 '17 at 15:13
  • @Ramhound `544` is Administrators, `545` is Users. – DavidPostill Feb 08 '17 at 15:32
  • @DavidPostill - Yes; Copy and paste error. – Ramhound Feb 08 '17 at 15:34
  • @Ramhound Much better. It was the best I could do while being on a phone. Thank for the edit. – Tonny Feb 08 '17 at 17:08
4

If you like PowerShell scripts but have trouble remembering numbers for SIDs:

$acl = Get-Acl .\myfolder
$sid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($sid, 'FullControl', 'ObjectInherit,ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl .\myfolder $acl

I know that looks like a ton of typing, but these long identifiers are tab-completed:

  • System.Security.Principal.SecurityIdentifier from securityi
  • System.Security.Principal.WellKnownSidType from wellknownsi
  • System.Security.AccessControl.FileSystemAccessRule from filesystem

All these strings are .NET identifiers, so they don't get localized.

If you want the Everyone SID instead, use WorldSid in place of BuiltinUsersSid. To get the list of all WellKnownSidType options, see MSDN or run this command:

[System.Security.Principal.WellKnownSidType].DeclaredFields | select Name
Ben N
  • 40,045
  • 17
  • 140
  • 181
  • _FileSystemAccessRule_ without ***Sid*** and using `group names` ? – Kiquenet Jun 12 '18 at 21:00
  • @Kiquenet I'm not entirely sure what you're asking, but if you prefer to specify a human-readable group name, that will no longer be language-independent. If you're OK with that, you can remove the `$sid =` line and replace `$sid` in the `$rule =` line with a string identifying the group. – Ben N Jun 12 '18 at 21:09
  • This is exactly what I wanted to achieve in Powershell. I can confirm that this works independent of the system language and is unaffected by the localized name for `BUILTIN\Users` (`VORDEFINIERT\Users` on German systems for example). – urxter Aug 18 '21 at 11:33