Using cacls commands to set permissions on files and folders (DOS/BAT)

Source: Internet
Author: User
Tags: inheritance

There are many articles on the internet that explain CACLS permission settings. Although they present it as fairly simple, novices still end up confused, and the explanations are not very practical.
Here are a few practical commands, each explained with an example.

Do you want to stop someone from opening a folder or file on your computer? Do you sometimes want to let people look at the files and folders under a folder, but not let them change anything? Or do you want to keep one account on your computer from accessing a folder? If so, this can be done with the following commands, without any additional encryption software.

Note: the file or folder that you want to restrict access to must be on an NTFS file system, not FAT32. This may be one of the reasons why NTFS file system security is better than FAT32. [For example, to check the file system of drive D, open drive D, right-click in a blank area and choose Properties; the file system is shown there.]

If the drive is FAT32 rather than NTFS, you can use this command to convert the drive to the NTFS file system [this does not affect the files on it]:

Command-line steps:

Start > Run > type cmd > press Enter to open the command-line interface

Enter: convert d: /fs:ntfs

Then press Enter and follow the prompts.

[The command above means: convert is the command that converts the file system; d: is the drive to convert (write another drive letter, such as f:, as needed); /fs:ntfs means the file system is converted to NTFS. Note that this command can only convert FAT32 to NTFS. Converting NTFS to FAT32 cannot be done with a simple command and requires special software.]

If you want to stop people from opening the test folder on drive D, and drive D is already an NTFS file system, you can skip the steps above and go straight to the operations below.

Example one: Deny all users access to the test folder on drive D.
Command (open the command-line interface as described above):

cacls d:\test /t /p everyone:n

[This sets the D:\test folder so that all users have no permissions.] n means none, that is, no permissions. Other common permissions: R means read-only; F means full control. /T applies the same permissions to the subfolders inside the folder. You do not need to worry about /P here (it replaces the specified user's access rights, see the parameter description below), but it must be included; otherwise the command will not work properly.
The result: opening D:\test now shows an access-denied prompt. Because the command above names everyone, meaning all users, you cannot access the folder yourself either. When you want to access it, just run this command:

cacls d:\test /t /p everyone:f

That's all.
If your computer has several accounts and you want to keep the other accounts from accessing the folder, replace everyone with the corresponding account name, such as Edwin (use your actual account names), when you write the command.
You can also set the permissions for everyone directly. Running a command to lift the restriction whenever you want to open the folder is not too cumbersome. At the very least it gives you more practice with the command line and helps you remember this command; otherwise you will forget it over time and have to look up the material again.

Example two: Prevent the user Edwin from opening the movie e:\test\apian.rmvb. Of course, you can restrict the opening of images, programs and Word documents in the same way.

Command:

cacls e:\test\apian.rmvb /p Edwin:n

To lift the restriction:

cacls e:\test\apian.rmvb /p Edwin:f

Example three: Set the EXE files in the Green Software folder on drive D to read-only [including subfolders]. This prevents viruses from infecting the EXE files.

Command:

D:
cd D:\Green Software
cacls *.exe /t /p everyone:r

Pay attention to the first two lines above:
D:
cd D:\Green Software
These two lines switch the current directory to D:\Green Software. Do not leave them out.

Example four: Set the root directory of drive E to read-only to prevent viruses from infecting it. Many USB-drive viruses infect the root directory of a drive by creating folders and files there, such as Autorun.inf, Setup.exe, A2de3d3.exe and Autorun.exe. Some malicious viruses are very persistent, and reinstalling the system does not solve the problem: because these viruses live in the root directory of a drive, if you only format drive C and reinstall the system, drive C is infected again the first time you open drive D or another non-system drive. You can prevent viruses from creating these files by setting the root directory of the non-system drives to read-only. Of course, this does not prevent files in the root directory from being deleted, but it does prevent you from creating folders in the root directory or copying files to it. So it is recommended to create folders under the root directory first and to keep your files inside those subfolders. Alternatively, when you want to create a folder in the root directory of drive D, use the command line to remove the read-only setting on the root directory first. It is a bit of trouble, but the benefits outweigh the drawbacks.

Command:
cacls e:\ /p everyone:r

To remove the read-only setting on the root directory:
cacls e:\ /p everyone:f

That should be clear enough. Try it.

Question: Since I can use a command to "encrypt" (restrict access), can't someone else use a command to "decrypt"?
Answer: Yes. Anyone with an account that has administrator privileges can run the commands to set permissions. But not everyone knows this, and few people understand these things. Even when someone sees an access-denied prompt, they do not think about what is going on. So you can still use it.

Question: What should I watch out for when using these commands?

Answer: 1. Try not to set permissions on system files and folders, because doing so could cause serious system errors.
2. If you are going to reinstall the system, lift the restrictions first. This is not necessary if you restore with Ghost.
3. Once again, the drive must be NTFS for this to work.

cacls parameter description

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes the ACLs of the specified files in the current
                 directory and all of its subdirectories.
   /E            Edits the ACL instead of replacing it.
   /C            Continues when an access-denied error occurs.
   /G user:perm  Grants the specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revokes the specified user's access rights (only valid
                 when used with /E).
   /P user:perm  Replaces the specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Denies the specified user access.
You can use wildcard characters to specify multiple files in a command.
You can also specify multiple users in a command.
   CI - Container Inherit.
        The ACE is inherited by directories.
   OI - Object Inherit.
        The ACE is inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.

From the parameter description above it is easy to see that denying a user access to a specific directory, or changing that user's permissions, is very simple to do with cacls.
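Examples one and two use /p without /e, which replaces the whole ACL, so every other entry on the folder is dropped. The following batch script is an added example (not part of the original article) that denies a single account in edit mode with /e and /d so the other entries are kept; the path D:\test, the account name Edwin and the temporary file name are assumptions modeled on the examples above.

```batch
@echo off
rem Added example, not from the original article.
rem Assumptions: D:\test is on an NTFS volume, Edwin is a local account,
rem and this runs from an administrator command prompt.
setlocal
set "TARGET=D:\test"
set "ACCOUNT=Edwin"
set "BEFORE=%TEMP%\acl-before.txt"

if not exist "%TARGET%" (
    echo %TARGET% not found.
    exit /b 1
)

rem 1. Keep a listing of the current ACL for later comparison.
cacls "%TARGET%" > "%BEFORE%"

rem 2. /e edits the existing ACL instead of replacing it, so the entries
rem    already listed in %BEFORE% stay in place. /d adds a deny entry for
rem    the one account, /t covers the subfolders, /c continues on
rem    access-denied errors.
cacls "%TARGET%" /t /e /c /d %ACCOUNT%

rem 3. Verify: the account must now appear in the folder's ACL.
cacls "%TARGET%" | findstr /i /c:"%ACCOUNT%" >nul
if errorlevel 1 (
    echo No entry for %ACCOUNT% on %TARGET%; the change was not applied.
    exit /b 1
)
echo ACL before the change: %BEFORE%
echo ACL after the change:
cacls "%TARGET%"

rem 4. To lift the restriction later, revoke the account's entries
rem    (/r is only valid together with /e):
rem    cacls "%TARGET%" /t /e /c /r %ACCOUNT%
endlocal
```

Because /e is used, cacls does not ask for the Y/N confirmation that the replace form shows, and the administrator running the script keeps access to the folder.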

Steps/Methods
1. Open the Start menu.
2. Find "Run" and open the Run dialog.
3. Enter "cmd" and press Enter to open the CMD (virtual DOS) environment.
4. Example: cacls d:\test /p administrator:f
5. When prompted, press "Y" to confirm the operation.
6. Note: the methods above are based entirely on Microsoft Windows (or a virtual machine).
7. cacls D: /p username:N
   If a prompt appears after you press Enter, choose Yes. The named user is then blocked from accessing drive D, and any attempt to access it produces an "Access denied" error. To lift the restriction, have another super administrator run cacls D: /p username:F to cancel the setting. Be cautious when applying permissions to a whole drive letter.
