icacls, Network Service, and setting ACLs on Windows Server 2008

Setting ACLs on Windows Server 2008 via the command line is giving me some problems. As per http://web2.minasi.com/forum/topic.asp?TOPIC_ID=26907 I've tried all sorts of variations:

C:\Windows\system32>icacls "D:\Websites\site.com\Web\bin*" /grant 'NT Authority\NETWORK SERVICE: (OI) (CI)M'

C:\Windows\system32>icacls "D:\Websites\site.com\Web\bin*" /grant "NETWORK SERVICE": (OI) (CI)M

And all variations in between. However, each try leads to an error, e.g. "Invalid parameter "'NETWORK'"", depending on the variation above.

As per http://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx (see in comments), it appears that others have experienced the same issue where the same command works on Windows 7/Vista/etc., but not on Windows Server 2008.

What's the best way to apply permissions to the Network Service account on a directory and/or files via the command line in Windows Server 2008? Especially as there's no way to do multiple file permissions at once via the GUI (see Windows Server 2008 - change security settings for multiple files at once).


Solution 1:

This line worked for me:

icacls testdir /grant "NT AUTHORITY\NetworkService":(OI)(M)

and

icacls testdir /grant "NT AUTHORITY\NetworkService":(CI)(M)

Update: And this too:

icacls testdir /grant "NT AUTHORITY\NetworkService":(OI)(CI)(M)

Solution 2:

You need to add OI and CI to effect the change to folder permission settings.

Example setting Modify permission on the test folder for the Network Service account:

icacls C:\Test /grant "NT AUTHORITY\NetworkService":(OI)(CI)(M)

Solution 3:

You can use the SID for Network Service like so:

icacls testdir /grant *S-1-5-20:(OI)(M)
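The following batch script is an added example, not part of the question or any of the answers above. It combines the SID form from Solution 3 with the (OI)(CI) inheritance flags from Solution 2, saves the existing ACLs first, and confirms the result; the script name, the backup file path and the label names are assumptions.

```batch
@echo off
setlocal
rem Added example (not from the original answers).
rem Usage: grant-ns.cmd <directory>      (script name is hypothetical)

set "TARGET=%~1"
if not defined TARGET goto :usage
rem A trailing backslash before the closing quote would be read as an
rem escaped quote by icacls, so strip it (do not pass a drive root).
if "%TARGET:~-1%"=="\" set "TARGET=%TARGET:~0,-1%"
if not exist "%TARGET%\" goto :usage

rem S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE.
rem The leading * tells icacls the value is a numeric SID, which avoids
rem the space in the account name and any localized account names.
set "NS_SID=*S-1-5-20"
rem Backup location is an assumption; choose a path that suits you.
set "BACKUP=%TEMP%\acl-backup.txt"

rem 1. Save the current ACLs of the tree (for use with icacls /restore).
icacls "%TARGET%" /save "%BACKUP%" /t /c
if errorlevel 1 goto :failed

rem 2. Grant Modify, inherited by files (OI) and subfolders (CI).
rem    The whole principal:permission argument is one double-quoted token,
rem    so cmd.exe neither splits it nor trips over the parentheses.
icacls "%TARGET%" /grant "%NS_SID%:(OI)(CI)(M)"
if errorlevel 1 goto :failed

rem 3. Verify: /findsid lists the path only if its ACL names the SID
rem    explicitly; the plain listing shows the resulting entries.
icacls "%TARGET%" /findsid %NS_SID%
icacls "%TARGET%"
exit /b 0

:usage
echo Usage: %~nx0 ^<existing directory^>
exit /b 2

:failed
echo icacls failed; ACL backup, if written, is at "%BACKUP%"
exit /b 1
```

Run it from an elevated command prompt. Single quotes are not quoting characters in cmd.exe, so only double quotes keep the argument together.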