Windows. Apply command line to modify NTFS permission

Source: Internet
Author: User
Tags builtin ntfs permissions

Command:Xcacls.exe

How to: Use xcacls.exe to modify NTFS permissions
Http://download.csdn.net/source/1216890

Allow access
Xcacls "instellation"/g everyone: F administrator: F/y
Xcacls "cammerman"/g everyone: F administrator: F/y
Xcacls "mxton"/g everyone: F administrator: F/y
Xcacls "techdocuments"/g everyone: F administrator: F/y
Xcacls "WMI. Test"/g everyone: F administrator: F/y
Xcacls "enterprise application solution"/g everyone: F administrator: F/y

Access prohibited
Xcacls "instellation"/e/D "linli"/y
Xcacls "instellation"/e/D "Administrator"/y
Xcacls "instellation"/e/D "everyone"/y
Xcacls "WMI. Test"/e/D "Administrator"/y
Xcacls "WMI. Test"/e/D "linli"/y
Xcacls "instellation"/e/D "everyone"/y
Xcacls "mxton"/e/D "system"/y
Xcacls "mxton"/e/D "Administrator"/y
Xcacls "mxton"/e/D "linli"/y
Xcacls "techdocuments"/e/D "system"/y
Xcacls "techdocuments"/e/D "Administrator"/y
Xcacls "techdocuments"/e/D "linli"/y
Xcacls "cammerman"/e/D "system"/y
Xcacls "cammerman"/e/D "Administrator"/y
Xcacls "cammerman"/e/D "linli"/y
Xcacls "enterprise application solution"/e/D "system"/y
Xcacls "enterprise application solution"/e/D "Administrator"/y
Xcacls "enterprise application solution"/e/D "linli"/y

Use xcacls.exe to modify NTFS permissions

Xcacls.exe syntax
Xcacls file name [/T] [/E] [/C] [/g User: perm; spec] [/r user] [/P User: perm; spec [...] [/d user [...] [/y]
The file name indicates the name of the file or folder that the ACL or access control entry (ACE) normally applies. All standard wildcards can be used.

/T recursively checks the current folder and all its subfolders, and applies the selected access permissions to matched files or folders.

/E edit the ACL without replacing it. For example, if you run the xcacls test. dat/g administrator: F command, only the Administrator has the permission to access the test. dat file. All the previously applied Ace will be lost.

/C causes xcacls.exe to continue execution when the "Access Denied" error message appears. If/C is not specified, xcacls.exe stops execution when this error occurs.

/G User: perm; spec grants users access to matching files or folders. ? The perm (permission) variable specifies the access permission to the file application, and represents the special file access permission mask of the folder. The perm variable accepts the following values :? R read
? C Change (write)
? F full control
? P change permissions (special access permissions)
? O ownership (special access permission)
? X execution (special access permission)
? E read (special access permission)
? W write (special access permission)
? D. Delete (special access permission)
 
? SPEC (special access permission) variables only apply to folders. In addition to accepting the same value as perm, they also accept the following special values :? T is not specified. Set the ace for the Directory itself, without specifying the ace applied to the new files created in the directory. There must be at least one access permission to be followed. Items Between semicolons (;) and T will be ignored. Note :? The object access permission options (for folders, special files, and folder access) are identical. For more information about these options, see the Windows 2000 operating system documentation.
? All other options (which can also be set in Windows Explorer) are a subset of all possible combinations of basic access permissions. Therefore, there are no special options for folder access permissions (such as list or read.
 
 
/R Users call all access permissions for specified users.

/P User: perm; spec replaces the user's access permissions. The rules of the specified perm and spec are the same as those of the/g option. See the example xcacls.exe in this document.

/D the user rejects access to files or directories.

/Y indicates that confirmation is prompted when the user access is replaced. By default, cacls requires confirmation. Because of this function, when cacls is used in a batch processing routine, the routine stops responding and waits for the correct answer to be entered. This validation can be eliminated after the/Y option is introduced, so that xcacls.exe can be used in batch mode.

 

Use xcacls.exe to view Permissions
Xcacls.exe can also be used to view files or folders. For example, type xcacls C:/winnt at the command prompt, and then press Enter. The following are typical results:
C:/winnt builtin/users: R
Builtin/users :( oi) (CI) (IO) (special access :)
Generic_read
Generic_execute

Builtin/Power Users: c
Builtin/Power Users :( oi) (CI) (IO) c
Builtin/administrators: F
Builtin/administrators :( oi) (CI) (IO) f
Nt authority/system: F
Nt authority/system :( oi) (CI) (IO) f
Builtin/administrators: F
Creator Owner :( oi) (CI) (IO) f

These ACL flag have the following meanings :? IO: inherit only-this flag indicates that this ace should not be used for the current object.
? CI: Container inheritance-this flag indicates that the slave container will inherit this ace.
? Oi: Object Inheritance-this flag indicates that the slave file will inherit the ace.
? NP: do not spread-this flag indicates that the slave object does not continue to spread the inherited ace.
The letter at the end of each row indicates the permission. Example :? F: full control
? C: Change
? W: Write

Xcacls.exe example
Example 1
Type xcacls * at the command prompt *. */g administrator: RW/y, and then press enter to replace the ACL of all files and folders in the current folder, without scanning the subfolders and confirming them.
Example 2
In this example, the ace added to the folder also inherits the Ace of the new file created in this folder. This command grants testuser the read, write, run, and delete permissions on all newly created files in this folder, but only the read and write permissions on the folder itself. Type xcacls *. */g testuser: rwed; RW/E in the command prompt, and then press Enter.
Example 3
The following example grants the folder read and write permissions instead of creating inheritance items for the new file. Therefore, in this example, the new file in this folder will not receive the Ace of testuser. For existing files, an ace with read permission will be created. Type xcacls *. */g testuser: R; RW/E in the command prompt, and then press Enter.

Instance 1: Permission to view files or folders

In the "Start> Run" dialog box or switch to the command prompt mode, note that: add/program files/resource kit to "System Properties → advanced → environment variables → system variables", or use CD
Command to set it to the current path, otherwise the system will prompt that the file cannot be found, and then type the following command:
Xcacls H:/temp
In this case, you can view the access control permissions of all user groups or users on the H:/Temp folder. Io indicates that this ace should not be used for the current object, and CI indicates that the slave window will inherit this ace, oi indicates that the slave file will inherit
Ace and NP indicate that the subordinate object does not continue to spread the inherited ace, while the letters at the end of each line indicate different levels of permissions. For example, F indicates full control, c Indicates Change, and W indicates write.

Example 2: replace the ACL in the folder without confirmation

Xcacls H:/temp/g administrator: RW/y

The preceding command replaces the ACLs of all files and folders in the H:/Temp folder without scanning the subfolders, and does not require user confirmation.

Example 3: grant a user permission to control folders

Xcacls H:/temp/g wzj9999: rwed; RW/E

The preceding command grants the user wzj9999 the permission to read, write, run, and delete all newly created files in the H:/Temp folder. However, it must be noted that, this command only grants the user the permission to read and write the folder itself,
This does not include files in subfolders. For common users, cals.exeand xcacls.exe may not be very effective, which is particularly useful in Unattended Installation of Windows 2000/XP/Server 2003,
The administrator can set the folder authorization permission for the operating system. When the software is sent to a server or site, the administrator can also use xcacls.exe to provide one-step protection to prevent users from accidentally deleting folders or files.

NTFS permission Principle
The principles for assigning NTFS permissions are as follows :? Use NTFS to control access to files and folders.
? Assign permissions to groups instead of individual users.
? NTFS file permissions take precedence over NTFS folder permissions.
? The Administrator and the owner control of files or folders can set permissions for this object.
? When changing folder permissions, you should understand the programs installed on the server. The program will create its own folder and open the "allow propagation of inherited permissions from parent to this object" setting. If you change the permissions in the parent folder, these changes may cause problems in the program.

Change the permissions of drive c d e to full control of the Administrators group and system group.

Create a BAT file
Echo

Xcacls.exe D: // G administrators: FRW/Y> right. Log
Xcacls.exe D: // E/g system: FRW/Y> right. Log

Xcacls.exe C: // G administrators: FRW/Y> right. Log
Xcacls.exe C: // E/g system: FRW/Y> right. Log

Xcacls.exe E: // G administrators: FRW/Y> right. Log
Xcacls.exe E: // E/g system: FRW/Y> right. Log

Pause

The xcacls.exe software is included in the 2000 kit.
Microsoft download http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp

Download and install xcacls, and copy xcacls.exe in C:/program files/resource Kitto the C:/Windows/system32 and C:/Windows/system32/dllcache directories respectively.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.