How to Set access permissions for folders in Windows Server

Source: Internet
Author: User
Tags builtin ntfs permissions

Scenario: There are two users in the system: 1) Administrator, 2) usera

You need to set folder access permissions on the hard disk so that usera can access only the specified folder. What should you do?

Use the Windows native command: xcacls.

Certificate ---------------------------------------------------------------------------------------------------------------------------------------------------

Xcacls.exe syntax
xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]
filename is the name of the file or folder to which the ACL or access control entry (ACE) is applied. All standard wildcards can be used.

/T recursively walks through the current folder and all its subfolders, and applies the selected access permissions to the matching files or folders.

/E edits the ACL instead of replacing it. For example, if you run the command xcacls test.dat /G Administrator:F (without /E), only the Administrator has permission to access the test.dat file; all previously applied ACEs are lost.

/C causes xcacls.exe to continue execution when an "Access Denied" error occurs. If /C is not specified, xcacls.exe stops when this error occurs.

/G user:perm;spec grants the user access to the matching files or folders.
The perm (permission) variable applies the specified access permission to files, and represents the special file access permission mask for folders. The perm variable accepts the following values:
R read
C Change (write)
F full control
P change permissions (special access permissions)
O ownership (special access permission)
X execution (special access permission)
E read (special access permission)
W write (special access permission)
D delete (special access permission)
The spec (special access permission) variable applies only to folders. It accepts the same values as perm, plus the following special value:
T not specified. Sets an ACE for the directory itself, without specifying an ACE that is applied to new files created in the directory. At least one access permission must follow it. Items between the semicolon (;) and T are ignored.
Notes:
The access permission options for files (for folders, special file and folder access) are identical. For more information about these options, see the Windows 2000 operating system documentation.
All other options (which can also be set in Windows Explorer) are subsets of all possible combinations of the basic access permissions. Therefore, there are no special options for folder access permissions (such as LIST or READ).
/R user revokes all access permissions for the specified user.

/P user:perm;spec replaces the user's access permissions. The rules for specifying perm and spec are the same as for the /G option. See the "Xcacls.exe example" section of this document.

/D user denies the user access to the file or directory.

/Y suppresses the confirmation prompt when user access permissions are replaced. By default, cacls asks for confirmation. Because of this, when cacls is used in a batch routine, the routine stops responding and waits for the correct answer to be entered. The /Y option was introduced to eliminate this confirmation, so that xcacls.exe can be used in batch mode.

Use xcacls.exe to view Permissions
Xcacls.exe can also be used to view the permissions of a file or folder. For example, type xcacls C:\WINNT at the command prompt, and then press Enter. The following is a typical result:
C:\WINNT BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F

These ACL flags have the following meanings:
IO: Inherit Only - this flag indicates that this ACE does not apply to the current object.
CI: Container Inherit - this flag indicates that subordinate containers inherit this ACE.
OI: Object Inherit - this flag indicates that subordinate files inherit this ACE.
NP: Non-Propagate - this flag indicates that the subordinate object does not propagate the inherited ACE any further.
The letter at the end of each line indicates the permission. For example:
F: Full control
C: Change
W: Write
Xcacls.exe example
Example 1
Type xcacls *.* /G administrator:RW /Y at the command prompt, and then press Enter to replace the ACL of all files and folders in the current folder, without scanning the subfolders and without asking for confirmation.
Example 2
In this example, the ACEs added to the folder are also inherit ACEs for new files created in this folder. This command grants testuser the read, write, run, and delete permissions on all newly created files in this folder, but only the read and write permissions on the folder itself. Type xcacls *.* /G testuser:RWED;RW /E at the command prompt, and then press Enter.
Example 3
The following example grants read and write permissions on the folder without creating an inherit entry for new files. Therefore, in this example, new files created in this folder will not receive an ACE for testuser. For existing files, an ACE with read permission is created. Type xcacls *.* /G testuser:R;TRW /E at the command prompt, and then press Enter.

NTFS permission principles
The principles for assigning NTFS permissions are as follows:
Use NTFS to control access to files and folders.
Assign permissions to groups instead of individual users.
NTFS file permissions take precedence over NTFS folder permissions.
Administrators and the owner of a file or folder can set permissions on that object.
When changing folder permissions, be aware of the programs installed on the server. Programs create their own folders and turn on the "allow propagation of inherited permissions from parent to this object" setting. If you change the permissions on the parent folder, the changes may cause problems in those programs.

Warning: Remember that many files and folders receive their permissions through inheritance. Therefore, when you think you have changed only one folder, you may have changed more than that.

Else ---------------------------------------------------------------------------------------------------------------------------------

http://support.microsoft.com/kb/318754/zh-cn

http://msdn.microsoft.com/zh-cn/magazine/cc982153.aspx
