Tools for setting advanced NTFS permissions: Xcacls.vbs

http://support.microsoft.com/kb/825751

Microsoft has made available an updated version of the Extended Change Access Control List tool (Xcacls.exe) as a Microsoft Visual Basic script (Xcacls.vbs). This step-by-step article describes how to use the Xcacls.vbs script to modify and view NTFS file system permissions for a file or folder. You can use Xcacls.vbs from the command line to set all of the file system security options that you can access in Microsoft Windows Explorer. Xcacls.vbs can display and modify the access control lists (ACLs) of files.

Note: Xcacls.vbs is only compatible with Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft does not support xcacls.vbs.

Setting up and using Xcacls.vbs

To set up and use Xcacls.vbs, follow these steps:

1. Get the latest version of Xcacls.vbs from the following Microsoft Web site:
   http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/XCacls_Installer.exe

2. Double-click Xcacls_Installer.exe. When you are prompted for a location to place the extracted files, specify a folder (such as C:\Windows) that is in your computer's search path.

3. Change the default script engine from Wscript to Cscript. (The Xcacls.vbs script works best under Cscript.) To do this, type the following at a command prompt, and then press Enter:
   cscript.exe /h:cscript

   Note: Changing the default script engine to Cscript only affects how the script writes to the screen. Wscript writes each line to an OK dialog box. Cscript writes each line to the command window. If you do not want to change the default script engine, you must run the script by using the following command:
   cscript.exe xcacls.vbs
   However, if you change the default script engine to Cscript, you can run the script by using the following command:
   xcacls.vbs

4. To view the command syntax for Xcacls.vbs, type the following command at a command prompt:
   xcacls.vbs /?

Syntax of the Xcacls.vbs command

The following output of the xcacls.vbs /? command describes the syntax of the Xcacls.vbs command:

Usage:
xcacls filename [/e] [/g user:perm;spec] [...] [/r user [...]]
                [/f] [/s] [/t]
                [/p user:perm;spec [...]] [/d user:perm;spec] [...]
                [/o user] [/i enable/copy/remove] [/N
                [/l filename] [/q] [/debug]

filename            [Required] If used alone, it displays ACLs.
                    (Filename can be a filename, directory name or
                    wildcard characters and can include the whole
                    path. If path is missing, it is assumed to be
                    under the current directory.)
                    Notes:
                    - Put filename in quotes if it has spaces or
                      special characters such as ;, $, #, etc.
                    - If filename is a directory, all files and
                      subdirectories under it will not be changed
                      unless /f or /s is present.

/F                  [Used with Directory or Wildcard] This will change all
                    files under the inputted directory but will not
                    traverse subdirectories unless /t is also present.
                    If filename is a directory, and /f is not used, no
                    files will be touched.

/S                  [Used with Directory or Wildcard] This will change all
                    subfolders under the inputted directory but will not
                    traverse subdirectories unless /t is also present.
                    If filename is a directory, and /s is not used, no
                    subdirectories will be touched.

/T                  [Used only with a Directory] Traverses each
                    subdirectory and makes the same changes.
                    This switch will traverse directories only if the
                    filename is a directory or is using wildcard characters.

/e                  Edit ACL instead of replacing it.

/g user:GUI         Grant security permissions similar to Windows GUI
                    standard (non-advanced) choices.
/g user:perm;spec   Grant specified user access rights.
                    (/g adds to existing rights for user.)

                    User: If User has spaces in it, enclose it in quotes.
                          If User contains #machine#, it will replace
                          #machine# with the actual machine name if it is a
                          non-domain controller, and replace it with the
                          actual domain name if it is a domain controller.

                          New to 3.0: User can be a string representing
                          the actual SID, but must be led by SID#
                          Example: SID#S-1-5-21-2127521184-160...
                          (SID string shown has been shortened)
                          (If any user has SID# then globally all
                          matches must match the SID (not name),
                          so if your intention is to apply changes
                          to all accounts that match Domain\User
                          then do not specify SID# as one of the
                          users.)

                    GUI: Is for standard rights and can be:
                          Permissions...
                                F  Full Control
                                M  Modify
                                X  Read and Execute
                                L  List Folder Contents
                                R  Read
                                W  Write
                          Note: If a ; is present, this will be considered
                          a Perm;Spec parameter pair.

                    Perm: Is for 'Files only' and can be:
                          Permissions...
                                F  Full Control
                                M  Modify
                                X  Read and Execute
                                R  Read
                                W  Write
                          Advanced...
                                D  Take Ownership
                                C  Change Permissions
                                B  Read Permissions
                                A  Delete
                                9  Write Attributes
                                8  Read Attributes
                                7  Delete Subfolders and Files
                                6  Traverse Folder/Execute File
                                5  Write Extended Attributes
                                4  Read Extended Attributes
                                3  Create Folders/Append Data
                                2  Create Files/Write Data
                                1  List Folder/Read Data

                    Spec: Is for 'Folder and subfolders only' and has the
                          same choices as Perm.

/r user             Revoke specified user's access rights.
                    (Will remove any Allowed or Denied ACL's for user.)

/p user:GUI         Replace security permissions similar to standard choices.

/p user:perm;spec   Replace specified user's access rights.
                    For access right specification see /g option.
                    (/p behaves like /g if there are no rights set for user.)

/d user:GUI         Deny security permissions similar to standard choices.
/d user:perm;spec   Deny specified user access rights.
                    For access right specification see /g option.
                    (/d adds to existing rights for user.)

/o user             Change the ownership to this user or group.

/I switch           Inheritance flag. If omitted, the default is to not touch
                    inherited ACL's. Switch can be:
                    Enable - This will turn on the inheritance flag if
                             it is not on already.
                    Copy   - This will turn off the inheritance flag and
                             copy the inherited ACL's
                             into effective ACL's.
                    Remove - This will turn off the inheritance flag and
                             will not copy the inherited
                             ACL's. This is the opposite of Enable.
                    If switch is not present, /I will be ignored and
                    inherited ACL's will remain untouched.

/l filename         Filename for logging. This can include a path name
                    if the file is not under the current directory.
                    File will be appended to, or created if it does not
                    exist. Must be a text file if it exists or an error will occur.

                    If filename is omitted, the default name of XCACLS will
                    be used.

/q                  Turn on Quiet mode. By default, it is off.
                    If it is turned on, there will be no display to the screen.

/debug              Turn on DEBUG mode. By default, it is off.
                    If it is turned on, there will be more information
                    displayed and/or logged. Information will show
                    Sub/Function Enter and Exit as well as other important
                    information.

/server servername  Enter a remote server to run script against.

/user username      Enter username to impersonate for remote connections
                    (requires PASS switch). Will be ignored if it is for a
                    local connection.

/pass password      Enter password to go with USER switch
                    (requires USER switch).

Wildcard characters can be used to specify more than one file in a command, such as:
*   Any string of zero or more characters
?   Any single character

You can specify more than one user in a command.
You can combine access rights.

Use Xcacls.vbs to view permissions

Xcacls.vbs can also be used to view permissions for a file or folder. For example, if you have a folder named C:\Test, type the following command at a command prompt to view folder permissions, and then press Enter:
Xcacls.vbs C:\Test
The following example is a typical result:

C:\>xcacls.vbs C:\Test
Microsoft (R) Windows Script Host 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting xcacls.vbs (version: 3.4) script at 6/11/2003 10:55:21 AM

Startup directory:
"C:\test"

Arguments Used:
        Filename = "C:\Test"

**************************************************************************
Directory: C:\test

Permissions:
Type     Username                Permissions          Inheritance

Allowed  BUILTIN\Administrators  Full Control         This Folder, Subfolde
Allowed  NT Authority\System     Full Control         This Folder, Subfolde
Allowed  Domain1\user1           Full Control         This Folder only
Allowed  \CREATOR OWNER          Special (Unknown)    Subfolders and Files
Allowed  BUILTIN\Users           Read and Execute     This Folder, Subfolde
Allowed  BUILTIN\Users           Create Folders/Appe  This Folder and Subfo
Allowed  BUILTIN\Users           Create Files/Write   This Folder and Subfo

No Auditing Set

Owner: Domain1\user1

Note: In this example, the output of the xcacls.vbs c:\test command matches the text displayed in the graphical user interface (GUI). Some of the text in the command window is truncated.

The output also gives the version of the script, the startup directory, and the parameters used.

You can also use wildcard characters to display matching files in the directory. For example, if you type the following command, all files with the ".log" extension in the C:\Test folder are displayed:
xcacls.vbs C:\test\*.log

Examples

The following commands provide some examples of Xcacls.vbs usage:

xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
This command edits existing permissions. It grants domain\testuser1 Full Control on all files under C:\Test, traverses the subfolders under C:\Test, and then changes all files found. The command does not touch the directories.

xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
This command replaces existing permissions. It grants domain\testuser1 Full Control on all subfolders under C:\Test and logs to C:\Xcacls.log. This command does not touch files and does not traverse directories.

xcacls.vbs c:\test\readme.txt /o "machinea\group1"
This command changes the owner of Readme.txt to the group machinea\group1.

xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
This command revokes the permissions of machinea\group1 and domain\testuser1 on C:\Test\Badcode.exe.

xcacls.vbs c:\test\subdir1 /i enable /q
This command turns on inheritance on the folder C:\Test\Subdir1. It also suppresses any screen output.

xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
This command connects to \\ServerA\ShareZ remotely by using Windows Management Instrumentation (WMI). It then gets the local path for the share, and under that path it changes the permissions on Testpage.htm. It leaves the existing permissions of domain\group2 intact, but adds permission 1 (Read Data) and permission 4 (Read Extended Attributes). This command drops other permissions on the file because the /e switch is not used.

xcacls.vbs d:\default.htm /g "domain\group2":f /server servera /user servera\admin /pass password
This command uses WMI to connect to ServerA remotely as servera\admin, and then grants Full Control on Default.htm to domain\group2. The existing permissions of domain\group2 are lost, but other permissions on the file are preserved.
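
The following Python code is an added example, not part of the original article or of Xcacls.vbs. It reads an xcacls.vbs command line like the ones above and reports, without running it, which rights each /g, /p or /d argument names, whether the ACL is edited (/e) or replaced, and which of /f, /s and /t set the scope. The function names (decode, parse_ace, review) are hypothetical, the code table is copied from the usage text, and the command line is assumed to start with the script name followed by the filename.

```python
import re

# One-character codes from the Perm table in the xcacls.vbs usage text above.
RIGHTS = {
    "F": "Full Control", "M": "Modify", "X": "Read and Execute", "R": "Read",
    "W": "Write", "D": "Take Ownership", "C": "Change Permissions",
    "B": "Read Permissions", "A": "Delete", "9": "Write Attributes",
    "8": "Read Attributes", "7": "Delete Subfolders and Files",
    "6": "Traverse Folder/Execute File", "5": "Write Extended Attributes",
    "4": "Read Extended Attributes", "3": "Create Folders/Append Data",
    "2": "Create Files/Write Data", "1": "List Folder/Read Data",
}
GUI_ONLY = {"L": "List Folder Contents"}  # listed for the user:GUI form only
ACTIONS = {"/g": "grant", "/p": "replace", "/d": "deny"}

def decode(codes, table=RIGHTS):
    """Expand a string of codes into right names; reject unknown codes."""
    bad = [c for c in codes if c.upper() not in table]
    if bad:
        raise ValueError("unknown permission code(s): " + "".join(bad))
    return [table[c.upper()] for c in codes]

def parse_ace(action, arg):
    """Split user:GUI or user:perm;spec into a reviewable record."""
    user, sep, rights = arg.rpartition(":")
    if not sep or not user:
        raise ValueError("expected user:rights, got " + repr(arg))
    ace = {"action": action, "user": user}
    if ";" in rights:  # a ';' makes it a Perm;Spec pair: files;folders
        perm, spec = rights.split(";", 1)
        ace.update(files=decode(perm), folders=decode(spec))
    else:
        ace.update(rights=decode(rights, {**RIGHTS, **GUI_ONLY}))
    return ace

def review(cmdline):
    """Summarise an xcacls.vbs command line; "quoted user":rights stays one token."""
    tokens = [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]
    switches, aces = [], []
    for tok in tokens[2:]:
        if tok.startswith("/"):
            switches.append(tok.lower())
        elif switches and switches[-1] in ACTIONS:
            aces.append(parse_ace(ACTIONS[switches[-1]], tok))
    mode = None if not aces else ("edit" if "/e" in switches else "replace")
    return {"target": tokens[1], "acl_mode": mode, "aces": aces,
            "scope": [s for s in switches if s in ("/f", "/s", "/t")]}

if __name__ == "__main__":  # command line taken from the examples above
    print(review(r'xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14'))
```

An acl_mode of "replace" means the /e switch was absent, which the usage text describes as replacing the ACL instead of editing it.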
