How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account
This article describes how to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.
Original product version: Windows Server 2012 R2
Original KB number: 303972
Summary
When discovering objects in Active Directory using the Active Directory management agent (ADMA), the account that is specified for connecting to Active Directory must either have Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted Replicating Directory Changes permissions for every domain of the forest that this management agent accesses. This article describes how to explicitly grant a user account the Replicating Directory Changes permissions on a domain.
In Windows Server 2003, the name of this permission changed to "Replicate Directory Changes."
More information
The Replicating Directory Changes permission, known as the Replicate Directory Changes permission in Windows Server 2003, is an Access Control Entry (ACE) on each domain naming context. You can assign this permission by using the ACL editor or the Adsiedit support tool in Windows 2000.
Setting permissions by using the ACL editor
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Right-click the domain object, such as "company.com", and then click Properties.
4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Click to select the Replicating Directory Changes check box from the list.
9. Click Apply, and then click OK.
10. Close the snap-in.
Setting permissions by using Adsiedit
Using Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit at your own risk.
1. Install the Windows 2000 Support tools if they have not already been installed.
2. Run Adsiedit.msc as an administrator of the domain. Expand the Domain Naming Context (Domain NC) node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
3. Click the Security tab.
4. If the desired user account is not listed, click Add, otherwise proceed to step 8.
5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click Apply, and then click OK.
8. Select the desired user account.
9. Click to select the Replicating Directory Changes check box.
10. Click Apply, and then click OK.
11. Close the snap-in.
Using either method, setting the Replicating Directory Changes permission for each domain within your forest enables the discovery of objects in the domain within the Active Directory forest. However, enabling discovery of the connected directory does not imply that other operations can be performed.
To create, modify, and delete objects within Active Directory using a non-administrative account, you may need to add additional permissions as appropriate. For example, for Microsoft Metadirectory Services (MMS) to create new user objects in an Organizational Unit (OU) or container, the account that is being used must be explicitly granted the Create All Child Objects permission, as the Replicating Directory Changes permission is not sufficient to allow the creation of objects.
In a similar fashion, the deletion of objects requires the Delete All Child Objects permission.
It is possible that there are limitations on other operations, such as attribute flow, depending on the specific security settings that are assigned to the object in question, and whether or not inheritance is a factor.
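A check to pair with either procedure above: listing which trustees hold the right on a domain naming context. This is an added example, not part of the Microsoft article; the GUID is the rightsGuid of the DS-Replication-Get-Changes control access right, the SDDL string and its SIDs are constructed sample data, and Get-ReplicationTrustee is a hypothetical helper name.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of DS-Replication-Get-Changes, shown in the ACL editor
# as "Replicating Directory Changes".
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-ReplicationTrustee {
    param([Parameter(Mandatory)]
          [System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $extended) -eq $extended) -and
            # An empty ObjectType means "all extended rights", which includes this one.
            ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Scope     = if ($_.ObjectType -eq [guid]::Empty) { 'all extended rights' }
                            else { 'Replicating Directory Changes' }
                Inherited = $_.IsInherited
            }
        }
}

# Constructed security descriptor standing in for a domain NC head (SIDs are made up):
# one object ACE for the replication right, one ACE for all extended rights,
# and one read-property ACE that must not be reported.
$sddl = 'O:BAG:BAD:' +
        '(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1104)' +
        '(A;;CR;;;S-1-5-32-544)' +
        '(A;;RP;;;S-1-5-11)'
$sample = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sample.SetSecurityDescriptorSddlForm($sddl)
Get-ReplicationTrustee -Acl $sample

# Against a live domain (needs the ActiveDirectory module; repeat for each domain in the forest):
#   Get-ReplicationTrustee -Acl (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)")
```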
How permissions are handled when you copy and move files and folders
This article describes how Windows Explorer handles file and folder permissions in different situations.
Original product version: Windows 10 — all editions, Windows Server 2012 R2
Original KB number: 310316
Summary
In Microsoft Windows 2000, in Windows Server 2003, and in Windows XP, you have the option of using either the FAT32 file system or the NTFS file system. When you use NTFS, you can grant permissions to your folders and files to control access to those objects. When you copy or move a file or folder on an NTFS volume, how Windows Explorer handles the permissions on the object varies, depending on whether the object is copied or moved within the same NTFS volume or to a different volume.
More information
By default, an object inherits permissions from its parent object, either at the time of creation or when it is copied or moved to its parent folder. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained.
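The copy-versus-move rule above can be observed directly. This is an added example, not part of the Microsoft article: it uses PowerShell's Copy-Item and Move-Item rather than Windows Explorer, covers only the same-volume case, and works inside a constructed scratch folder under %TEMP%; Get-ExplicitAceCount is a hypothetical helper name.

```powershell
# Scratch folders on the same volume (constructed for this example).
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
$src  = (New-Item -ItemType Directory -Path (Join-Path $root 'src')).FullName
$dst  = (New-Item -ItemType Directory -Path (Join-Path $root 'dst')).FullName

# Explicit ACE to track: Modify for BUILTIN\Users, named by SID (language independent).
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.AccessControlType]::Allow)

function Get-ExplicitAceCount([string]$Path) {
    # Count ACEs set directly on the object, ignoring inherited ones.
    @((Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }).Count
}

# Create two files in src and give each the explicit ACE.
foreach ($name in 'copied.txt', 'moved.txt') {
    $file = Join-Path $src $name
    Set-Content -LiteralPath $file -Value 'constructed sample'
    $acl = Get-Acl -LiteralPath $file
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $file -AclObject $acl
}

Copy-Item -LiteralPath (Join-Path $src 'copied.txt') -Destination $dst
Move-Item -LiteralPath (Join-Path $src 'moved.txt')  -Destination $dst

# A copy is a new object that inherits from dst; a same-volume move keeps its original ACL.
foreach ($name in 'copied.txt', 'moved.txt') {
    [pscustomobject]@{
        File         = $name
        ExplicitAces = Get-ExplicitAceCount (Join-Path $dst $name)
    }
}

Remove-Item -LiteralPath $root -Recurse -Force
```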
Additionally, note the following rules:
- The Everyone group is granted Allow Full Control permissions to the root of each NTFS drive.
- Deny permissions always take precedence over Allow permissions.
- Explicit permissions take precedence over inherited permissions.
- If NTFS permissions conflict, for example, if group and user permissions are contradictory, the most liberal permissions take precedence.
- Permissions are cumulative.
To preserve permissions when files and folders are copied or moved, use the Xcopy.exe utility with the /O or the /X switch.
The object’s original permissions will be added to inheritable permissions in the new location.
To add an object’s original permissions to inheritable permissions when you copy or move an object, use the Xcopy.exe utility with the -O and -X switches.
To preserve existing permissions without adding inheritable permissions from the parent folder, use the Robocopy.exe utility, which is available in the Windows 2000 Resource Kit.
You can modify how Windows Explorer handles permissions when objects are copied or moved to another NTFS volume. When you copy or move an object to another volume, the object inherits the permissions of its new folder. However, if you want to modify this behavior to preserve the original permissions, modify the registry as follows.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. On the Edit menu, click Add Value, and then add the following registry value:
   - Value name: ForceCopyAclwithFile
   - Data type: DWORD
   - Value data: 1
4. Exit Registry Editor.
You can modify how Windows Explorer handles permissions when objects are moved in the same NTFS volume. As mentioned, when an object is moved within the same volume, the object preserves its permissions by default. However, if you want to modify this behavior so that the object inherits the permissions from the parent folder, modify the registry as follows:
1. Click Start, click Run, type regedit, and then press ENTER.
2. Locate and then click the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.
3. On the Edit menu, click Add Value, and then add the following registry value:
   - Value name: MoveSecurityAttributes
   - Data type: DWORD
   - Value data: 0
4. Exit Registry Editor.
Make sure that the user account that is used to move the object has the Change Permissions permission set. If the permission is not set, grant the Change Permissions permission to the user account.
The MoveSecurityAttributes registry value only applies to Windows XP and to Windows Server 2003. The value does not affect Windows 2000.
Give permissions to files and folders in Windows 10
Original title: REad only
Windows 10 has set all my files and folders to read only. I am not able to turn this off. Is there a trick to this as right clicking and unchecking read only I get you need admin rights message and it doesn’t work. This is causing some games and programs I have to not work correctly.
Replies (24)
Thank you for posting in Microsoft Community. I understand your concern and I’ll be glad to assist you.
Please follow through.
- In Windows Explorer, right-click the file or folder you want to work with.
- From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab.
- In the Name list box, select the user, contact, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.
1) Turn off UAC (User Account Control)
Before you can do anything, you must turn off the UAC, or you will be locked out of the following steps.
1) Start -> Settings -> Control Panel -> User Accounts
2) Click «Change User Account Control Settings»
3) Move slider all the way down to «Never Notify»
4) Reboot
2) Take Ownership
Yes take ownership. Even though you are logged on as an Administrator, you can’t change files that don’t belong to you. The Program Files folder is set to the Trusted Installer group and the Administrator doesn’t have the rights to change anything. So now we have to claim all the files and folders.
1) Open Windows Explorer
2) R-Click on Program Files -> Properties -> Security Tab
3) Click Advanced -> Owner
4) Click Edit
5) Select Administrators -> Put a checkmark in Replace owner on subcontainers & objects -> Apply
6) Wait a while.
7) When it finishes, Click OK on all boxes to close everything
3) Fix Permissions
Now that you own the files, you have to give yourself permission to modify them
1) R-Click on Program Files -> Properties -> Security Tab
2) Click Advanced -> Change Permission
3) Select Administrators (any entry) -> Edit
4) Change the Apply To drop down box to This Folder, Subfolder & Files
5) Put check in Full Control under Allow column -> OK -> Apply
6) Wait some more.
7) When it finishes, the dialog boxes may hide behind the Explorer window. Minimize it and click OK on all the dialog boxes
Hope this post helps. Get back to us for further queries. We are happy to help.
How to grant permission to users for a directory using command line in Windows?
How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?
17 Answers
As of Vista, cacls is deprecated. Here’s the first couple of help lines:
You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:
According to MS documentation:
- F = Full Control
- CI = Container Inherit — This flag indicates that subordinate containers will inherit this ACE.
- OI = Object Inherit — This flag indicates that subordinate files will inherit the ACE.
- /T = Apply recursively to existing files and sub-folders. ( OI and CI only apply to new files and sub-folders). Credit: comment by @AlexSpence.
For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here
You can also use ICACLS.
To grant the Users group Full Control to a folder:
To grant Modify permission to IIS users for C:\MyFolder (if you need your IIS has ability to R/W files into specific folder):
If you do ICACLS /? you will be able to see all available options.
Open a Command Prompt, then execute this command:
icacls "c:\somelocation\of\path" /q /c /t /grant Users:F
F gives Full Access.
/q /c /t applies the permissions to subfolders.
Note: Sometimes «Run as Administrator» will help.
Use cacls command. See information here.
/p : Set new permission
/e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it.
C — Change (write)
F — Full control
For example grant Rocky Full (F) control with following command (type at Windows command prompt):
C:> CACLS files /e /p rocky:f
Read complete help by typing following command:
I tried the below way and it worked for me:
1. open cmd.exe
2. takeown /R /F *.*
3. icacls * /T /grant [username]:(D)
4. del *.* /S /Q
So that the files can become my own access and it assign to «Delete» and then I can delete the files and folders.
Corrupt Permissions: Regaining access to a folder and its sub-objects
Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:
For Windows 10 the user/SID must be specified after the /remove:d option:
The command is applied to the specified directory.
Specifying the user «Everyone» sets the widest possible permission, as it includes every possible user.
The option «/remove:d» deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.
The option «/grant» creates a new ALLOW setting, an explicit permission that replaces («:r») any and all explicit ALLOW settings that may exist.
The «F» parameter (i.e. the permission created) makes this a grant of FULL control.
The «/T» parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.
The «(OI)» and «(CI)» parameters also add recursion, applying these changes to sub-objects created subsequently.
ADDENDUM (2019/02/10) —
The Windows 10 command line above was kindly suggested to me today, so here it is. I haven’t got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).
The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don’t need to specify a user after /remove:d but I might be wrong about that!
ADDENDUM (2019/11/21) —
User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can’t test this proposal, but it seems reasonable.
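A follow-up check for trees where a grant like the one described above has been applied: the function lists every object whose ACL allows Everyone, matched by the SID S-1-1-0, Full Control. This is an added example and not from any of the answers; Find-EveryoneFullControl is a hypothetical name, and the icacls line is assembled from the options the last answer describes and runs only against a constructed scratch folder under %TEMP%.

```powershell
function Find-EveryoneFullControl {
    param([Parameter(Mandatory)][string]$Path)
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than abort the scan
        # Ask for SIDs rather than names so the match does not depend on the UI language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.IdentityReference -eq $everyone -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $full) -eq $full)) {
                [pscustomobject]@{ Path = $item.FullName; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Constructed scratch tree: one folder, one subfolder, one file.
$root = Join-Path $env:TEMP ('everyone-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'sub') | Out-Null
Set-Content -LiteralPath (Join-Path $root 'sub\file.txt') -Value 'constructed sample'

# The options the answer walks through (/remove:d, /grant with :r, F, (OI)(CI), /T),
# with Everyone written as *S-1-1-0 and applied to the scratch tree only.
icacls $root /remove:d '*S-1-1-0' /grant:r '*S-1-1-0:(OI)(CI)F' /T /Q | Out-Null

# Report where Everyone now has Full Control, then clean up.
Find-EveryoneFullControl -Path $root
Remove-Item -LiteralPath $root -Recurse -Force
```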