How to Use the command line to change the access control permissions of files and folders, so as to achieve the goal of the highest permission Control File

One worker uses the cacls.exe command

This is a command that can be used in Windows 2000/XP/Server 2003 operating systems to display or modify the file access control table, in the command, you can use wildcards to specify multiple files or multiple users in the command. The command syntax is as follows:

Cacls filename [/T] [/E] [/C] [/g usererm] [/r user [...] [/P usererm [...] [/d user [...]

Filename: displays the access control list (ACL)

/T: Change the ACL of the specified file in the current directory and all its subdirectories.

/E: edit the ACL without replacing it.

/C: continue when an access denial error occurs

/G userer: perm: grant the specified user access permission. Perm indicates different levels of access permission. The value can be R (read), w (write), C (change, write) and f (full control.

/R user: revokes the access permission of the specified user. Note that this parameter is only valid when used with "/E.

/P User: perm: Replace the access permission of the specified user. perm is the same as the previous one, but the "N (none)" option is added.

/D User: denies access from the specified user.

Instance 1: view the ACL of a folder

For example, to view the access control permissions of the H: \ Temp folder, you only need to enter the following command in the "Start> Run" dialog box or switch to the command prompt mode: cacls h: \ Temp

At this point, we will see all user groups and user access control permissions for the H: \ Temp folder. The CI here indicates that Ace will be inherited by the directory, and oi indicates that Ace will be inherited by the file, io indicates that ACI is not applicable to the current file or directory, and the letters at the end of each line indicate control permissions. For example, F indicates full control, c Indicates Change, and W indicates write.

If you want to view the access control permissions of all files in the folder (including files in subfolders), you can type the "cacls H: \ Temp." command.

Example 2: Modify the ACL of a folder

If you want to grant the local user wzj9999 full control over the access permissions of all files in the H: \ Temp folder and subfolders, you only need to enter the following command:

Cacls H: \ Temp/T/E/C/g wzj9999: F

"/T" indicates modifying the ACL of all files in the folder and subfolders, and "/E" indicates editing only without replacement, "/C" indicates to continue when an access denial error occurs, and "/g wzj9999: F" indicates to give the local user wzj9999 full control permissions, "F" indicates full control. If you only want to grant the read permission, it should be "R ".

Example 3: revoke the user's access control permission

If you want to revoke the access control permission of wzj9999 on the H: \ Temp folder and Its subfolders, you can enter the following command:

Cacls H: \ Temp/T/E/C/R wzj9999

To deny access, enter the following command:

Cacls H: \ Temp/T/E/C/D wzj9999

Xcals.exe

In the Windows resource package, Microsoft also released a file control permission modification tool named xcacls.exe, which is more powerful than cacls.exe. You can use the command line to set all file system security options that can be accessed in Windows Resource Manager.

The syntax of the xcacls.execommand is basically the same as that of cacls.exe, but the difference is that it performs this operation by displaying and modifying the access control list (ACL) of the file. After the "/g" parameter, in addition to retaining the original perm permission, the spec (special access permission) option is added, and the "/deny command is added, the program will stop responding and wait for the correct answer to be entered. After "/yundun" is introduced, this confirmation can be obtained. In this case, we can use the xcacls.exe command in batch processing.

Instance 1: Permission to view files or folders

In the "Start> Run" dialog box or switch to the command prompt mode, note that: \ Program Files \ resource kit is added to "System Properties → advanced → environment variables → system variables", or set it to the current path using the CD command, otherwise, the system will prompt that the file cannot be found, and then enter the following command:

Xcacls H: \ Temp

In this case, you can view the access control permissions of all user groups or users on the H: \ Temp folder. Io indicates that this ace should not be used for the current object, and CI indicates that the slave window will inherit this ace, oi indicates that the slave file inherits the ace, and NP indicates that the slave object does not continue to spread the inherited ace, and the letters at the end of each line indicate different levels of permissions. For example, F indicates full control, c Indicates Change, W indicates write.

Example 2: replace the ACL in the folder without confirmation

Xcacls H: \ Temp/g administrator: RW/y

The preceding command replaces the ACLs of all files and folders in the H: \ Temp folder without scanning the subfolders, and does not require user confirmation.

Example 3: grant a user permission to control folders

Xcacls H: \ Temp/g wzj9999: rwed; RW/E

The preceding command grants the user wzj9999 the permission to read, write, run, and delete all newly created files in the H: \ Temp folder. However, it must be noted that, this command only grants the user the read and write permissions on the folder itself, excluding the files in the subfolders.

For common users, cals.exeand xcacls.exe may not be very effective, which provides one-step protection in Windows 2000/XP/Server versions to prevent users from accidentally deleting folders or files.