Modify file access control rights under Windows command line

With the popularity of Windows Xp/server 2003, more and more users are beginning to choose the NTFS file system, the benefits of NTFS is naturally greatly enhanced the security of the system, under the "Security" tab, we can set the appropriate access control for different levels of users, including full control, modify, read and run, List folder directory, read, write, special permissions, etc., you only need to "allow" and "refuse" simply tick, click the "Advanced" button can also set more special permissions, here will not say more.

In fact, in addition to the graphical user interface for file or folder access control permissions to set up, we can also do this in the command-line mode, which is not in the graphical user interface for some reason to be particularly useful, although the use of some trouble, but can be an emergency.

First, the use of cacls. EXE command

This is a command that can be used under the Windows 2000/xp/server 2003 operating system to display or modify access control tables for files, to specify multiple files using wildcards in commands, or to specify multiple users in a command. The command syntax is as follows:

CACLS filename [/T] [/e] [/C] [/g usererm] [/R user [...]]] [/P Usererm [...]] [/d User [...]]

Filename: Access Control list is displayed (ACL, hereafter)

/T: Change ACLs for specified files in the current directory and all subdirectories

/e: Edit ACLs without replacing

/C: Continue when a denial of access error occurs

/g userer:perm: gives the specified user access, the perm represents different levels of access, its value can be r (read), W (write), C (change, write), F (Full Control), etc.

/R User: Revoke access rights for the specified user, and note that this parameter is only valid when used with "/e".

/P User:perm: Replaces the access rights of the specified user, perm with the same meaning, but increases the "N (none)" option.

/d User: Deny access to the specified user.

Instance one: Viewing access control permissions for a folder

For example, here we want to view access control permissions for the H:emp folder, so just type the following command in the start → Run dialog box or switch to command prompt mode: Cacls h:emp

At this point, we see all user groups and user access control rights for the H:emp folder, the CI indicates that the ACE is inherited by the directory, and the OI indicates that the ace is inherited by the file, and IO indicates that ACI does not apply to the current file or directory, and that the letters at the end of each line represent control rights, such as F for Full Control, c indicates a change, and W represents a write.

If you want to view access control permissions for all files in this folder, including files in subfolders, type Cacls h:emp. Command.

Example two: Modifying access control permissions for a folder

If you want to give local users wzj9999 Full control over the access to all files in the H:emp folder and subfolders, simply type the following command:

Cacls h:emp/t/e/c/g wzj9999:f

"/T" here means modifying ACLs for all files in the folder and subfolders./e "indicates that editing is done without replacing, and"/C "means continuing when an Access Denied error occurs, and"/g wzj9999:f "means giving the local user wzj9999 Full control, where" F " On behalf of full control, if just want to give Read permission, then should be "R".

Example THREE: Revoke access control rights for a user

If you want to revoke the wzj9999 user's access control rights to the H:emp folder and its subfolders, you can type the following command:

cacls h:emp/t/e/c/R wzj9999

If you are simply denying access to a user, you can type the following command:

cacls h:emp/t/e/c/d wzj9999