Use Xcacls.vbs (cacls.exe) to modify NTFS permissions (Chinese description), page 1 of 2

Source: Internet
Author: User

Summary
Microsoft has provided an updated version of the Extended Change Access Control List tool (Xcacls.exe) in the form of a Microsoft Visual Basic script (Xcacls.vbs). This step-by-step article describes how to use the Xcacls.vbs script to modify and view NTFS file system permissions for a file or folder. You can use Xcacls.vbs from the command line to set all file system security options that you can access in Microsoft Windows Explorer. Xcacls.vbs can display and modify access control lists (ACLs) for files.

Note: Xcacls.vbs is only compatible with Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft does not support xcacls.vbs.


Setting up and using Xcacls.vbs
To set up and use Xcacls.vbs, follow these steps:
1. Get the latest version of Xcacls.vbs from the following Microsoft Web site:
http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/XCacls_Installer.exe

Xcacls.vbs direct download: http://xiazai.jb51.net/201008/tools/XCACLS.rar
2. Double-click Xcacls_Installer.exe. When you are prompted for a location to place the extracted files, specify a folder (such as C:\Windows) that is in your computer's search path.
3. Change the default script engine from Wscript to Cscript. (The Xcacls.vbs script works best under Cscript.) To do this, type the following at a command prompt, and then press Enter:
cscript.exe /h:cscript
Note: Changing the default script engine to Cscript only affects how the script writes to the screen. Wscript writes each line to an OK dialog box. Cscript writes each line to the command window. If you do not want to change the default script engine, you must run the script by using the following command:
cscript.exe xcacls.vbs
However, if you change the default script engine to Cscript, you can run the script by using the following command:
xcacls.vbs
4. To view the command syntax for Xcacls.vbs, type the following command at a command prompt:
xcacls.vbs /?

Syntax of the Xcacls.vbs command
The following output from the xcacls.vbs /? command describes the syntax of the Xcacls.vbs command:

Usage:
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
                [/F] [/S] [/T]
                [/P user:perm;spec [...]] [/D user:perm;spec] [...]
                [/O user] [/I ENABLE/COPY/REMOVE] [/N
                [/L filename] [/Q] [/DEBUG]

   filename    [Required] If used alone, it displays ACLs.
               (Filename can be a filename, directory name or
               wildcard characters and can include the whole
               path. If path is missing, it is assumed to be
               under the current directory.)
               Notes:
               - Put filename in quotes if it has spaces or
                 special characters such as ;, $, #, etc.
               - If filename is a directory, all files and
                 subdirectories under it will not be changed
                 unless the /F or S is present.

   /F          [Used with Directory or Wildcard] This will change all
               files under the inputted directory but will not
               traverse subdirectories unless /T is also present.
               If filename is a directory, and /F is not used, no
               files will be touched.

   /S          [Used with Directory or Wildcard] This will change all
               subfolders under the inputted directory but will not
               traverse subdirectories unless /T is also present.
               If filename is a directory, and /S is not used, no
               subdirectories will be touched.

   /T          [Used only with a Directory] Traverses each
               subdirectory and makes the same changes.
               This switch will traverse directories only if the
               filename is a directory or is using wildcard characters.
   /E          Edit ACL instead of replacing it.

   /G user:GUI        Grant security permissions similar to Windows GUI
                      standard (non-advanced) choices.
   /G user:Perm;Spec  Grant specified user access rights.
                      (/G adds to existing rights for user)

               User: If User has spaces in it, enclose it in quotes.
                     If User contains #machine#, it will replace
                     #machine# with the actual machine name if it is a
                     non-domain controller, and replace it with the
                     actual domain name if it is a domain controller.

                     New to 3.0: User can be a string representing
                     the actual SID, but must be led by SID#
                     Example: SID#S-1-5-21-2127521184-160 ...
                     (SID string shown has been shortened)
                     (If any user has SID# then globally all
                     matches must match the SID (not name),
                     so if your intention is to apply changes
                     to all accounts that match Domain\User
                     then do not specify SID# as one of the
                     users.)

               GUI: Is for standard rights and can be:
                     Permissions ...
                        F  Full Control
                        M  Modify
                        X  Read and Execute
                        L  List Folder Contents
                        R  Read
                        W  Write
                     Note: If a ; is present, this will be considered
                     a Perm;Spec parameter pair.

               Perm: Is for "Files Only" and can be:
                     Permissions ...
                        F  Full Control
                        M  Modify
                        X  Read and Execute
                        R  Read
                        W  Write
                     Advanced ...
                        D  Take Ownership
                        C  Change Permissions
                        B  Read Permissions
                        A  Delete
                        9  Write Attributes
                        8  Read Attributes
                        7  Delete Subfolders and Files
                        6  Traverse Folder / Execute File
                        5  Write Extended Attributes
                        4  Read Extended Attributes
                        3  Create Folders / Append Data
                        2  Create Files / Write Data
                        1  List Folder / Read Data
               Spec is for "Folder and Subfolders only" and has the
               same choices as Perm.
   /R user            Revoke specified user's access rights.
                      (Will remove any Allowed or Denied ACL's for user.)

   /P user:GUI        Replace security permissions similar to standard choices.

   /P user:perm;spec  Replace specified user's access rights.
                      For access right specification see /G option.
                      (/P behaves like /G if there are no rights set for user.)

   /D user:GUI        Deny security permissions similar to standard choices.
   /D user:perm;spec  Deny specified user access rights.
                      For access right specification see /G option.
                      (/D adds to existing rights for user.)

   /O user            Change the ownership to this user or group.

   /I switch          Inheritance flag. If omitted, the default is to not touch
                      Inherited ACL's. Switch can be:
                         ENABLE - This will turn on the inheritance flag if
                                  it is not on already.
                         COPY   - This will turn off the inheritance flag and
                                  copy the Inherited ACL's
                                  into Effective ACL's.
                         REMOVE - This will turn off the inheritance flag and
                                  will not copy the Inherited
                                  ACL's. This is the opposite of ENABLE.
                      If switch is not present, /I will be ignored and
                      Inherited ACL's will remain untouched.

   /L filename        Filename for logging. This can include a path name
                      if the file is not under the current directory.
                      File will be appended to, or created if it does not
                      exist. Must be a text file if it exists or an error will occur.

                      If filename is omitted, the default name of XCACLS will
                      be used.

   /Q                 Turn on Quiet mode. By default, it is off.
                      If it is turned on, there will be no display to the screen.

   /DEBUG             Turn on Debug mode. By default, it is off.
                      If it is turned on, there will be more information
                      displayed and/or logged. Information will show
                      Sub/Function Enter and Exit as well as other important
                      information.

   /SERVER servername Enter a remote server to run script against.

   /USER username     Enter username to impersonate for remote connections
                      (requires PASS switch). Will be ignored if it is for a local connection.

   /PASS password     Enter password to go with USER switch
                      (requires USER switch).

Wildcard characters can be used to specify more than one file in a command, such as:
   *   Any string of zero or more characters
   ?   Any single character

You can specify more than one user in a command.
You can combine access rights.

==========================================================
Qingyun's translation is as follows:

Syntax of the Xcacls.vbs command
The following output from the xcacls.vbs /? command describes the syntax of the Xcacls.vbs command:

Usage:
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
                [/F] [/S] [/T]
                [/P user:perm;spec [...]] [/D user:perm;spec] [...]
                [/O user] [/I ENABLE/COPY/REMOVE] [/N
                [/L filename] [/Q] [/DEBUG]

filename [Required] If used on its own, it displays the ACLs.
(filename can be a file name, a directory name or wildcard characters, and can include the full path.
If the path is missing, the current directory is assumed.)
Notes:
- If the file name contains spaces or special characters such as ;, $, # and so on, put it in quotes.
- If the file name is a directory, the files and subdirectories under it are not changed unless /F or S is present.

/F [Used with a directory or wildcard characters] Changes all files under the given directory but does not traverse subdirectories unless /T is also present.
If the file name is a directory and /F is not used, no files are touched.

/S [Used with a directory or wildcard characters] Changes all subfolders under the given directory but does not traverse subdirectories unless /T is also present.
If the file name is a directory and /S is not used, no subdirectories are touched.

/T [Used only with a directory] Traverses each subdirectory and makes the same changes.
This switch traverses directories only if the file name is a directory or uses wildcard characters.
/E Edits the ACL instead of replacing it.

/G user:GUI Grants security permissions similar to the standard (non-advanced) choices in the Windows GUI.
/G user:Perm;Spec Grants the specified user access rights.
(/G adds to the user's existing rights.)

User: If the user name contains spaces, enclose it in quotes.
If the user name contains #machine#, #machine# is replaced with the actual machine name on a non-domain controller,
and with the actual domain name on a domain controller.

New in 3.0: The user can be a string representing the actual SID, but it must be preceded by SID#.
Example: SID#S-1-5-21-2127521184-160 ...
(The SID string shown has been shortened.)
(If any user is given with SID#, then all matches are made on the SID (not the name). So if your intention
is to apply the changes to all accounts that match Domain\User, do not specify SID# for any of the users.)

GUI: For standard rights; can be:
Permissions ...
F Full Control
M Modify
X Read and Execute
L List Folder Contents
R Read
W Write
Note: If a ; is present, the value is treated as
a Perm;Spec parameter pair.

Perm: For "files only"; can be:
Permissions ...
F Full Control
M Modify
X Read and Execute
R Read
W Write
Advanced ...
D Take Ownership
C Change Permissions
B Read Permissions
A Delete
9 Write Attributes
8 Read Attributes
7 Delete Subfolders and Files
6 Traverse Folder / Execute File
5 Write Extended Attributes
4 Read Extended Attributes
3 Create Folders / Append Data
2 Create Files / Write Data
1 List Folder / Read Data
Spec is for "folders and subfolders only" and has the same choices as Perm.

/R user Revokes the specified user's access rights.
(Removes any Allowed or Denied ACLs for the user.)

/P user:GUI Replaces security permissions, similar to the standard choices.

/P user:perm;spec Replaces the specified user's access rights.
For the access right specification, see the /G option.
(/P behaves like /G if no rights are set for the user.)
/D user:GUI Denies security permissions, similar to the standard choices.
/D user:perm;spec Denies the specified user access rights.
For the access right specification, see the /G option.
(/D adds to the user's existing rights.)
/O user Changes ownership to this user or group.

/I switch Inheritance flag. If omitted, the default is not to touch
inherited ACLs. The switch can be:
ENABLE - Turns on the inheritance flag if it is not already on.
COPY - Turns off the inheritance flag and copies the inherited ACLs
into effective ACLs.
REMOVE - Turns off the inheritance flag and does not copy the inherited ACLs.
This is the opposite of ENABLE.
If the switch is not present, /I is ignored and the inherited ACLs remain untouched.

/L filename File name for logging. This can include a path name if the file is not under the current directory.
The file is appended to, or created if it does not exist. If it exists, it must be a text file or an error occurs.

If the file name is omitted, the default name XCACLS is used.

/Q Turns on Quiet mode. By default, it is off.
If it is on, nothing is displayed on the screen.


/DEBUG Turns on Debug mode. By default, it is off.
If it is on, more information is displayed and/or logged.
The information shows Sub/Function entry and exit as well as other important information.

/SERVER servername Enter a remote server to run the script against.

/USER username Enter the user name to impersonate for remote connections (requires the PASS switch). Ignored for a local connection.

/PASS password Enter the password that goes with the USER switch
(requires the USER switch).


Wildcard characters can be used to specify more than one file in a command, such as:
* Any string of zero or more characters
? Any single character

You can specify more than one user in one command.
You can combine access rights.

==========================================================



Use Xcacls.vbs to view permissions

Xcacls.vbs can also be used to view permissions for a file or folder. For example, if you have a folder named C:\Test, type the following command at a command prompt to view folder permissions, and then press Enter:
xcacls.vbs c:\test
The following example is a typical result:
C:\>xcacls.vbs c:\test
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 3.4) script at 6/11/2003 10:55:21 AM

Startup directory:
"C:\test"

Arguments Used:
Filename = "c:\test"



**************************************************************************
Directory: C:\test

Permissions:
Type     Username                Permissions           Inheritance

Allowed  BUILTIN\Administrators  Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  Domain1\User1           Full Control          This Folder Only
Allowed  \CREATOR OWNER          Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Users           Read and Execute      This Folder, Subfolde
Allowed  BUILTIN\Users           Create Folders / Appe This Folder and Subfo
Allowed  BUILTIN\Users           Create Files / Write  This Folder and Subfo

No Auditing set

Owner: Domain1\User1

Note: In this example, the output of the xcacls.vbs c:\test command is consistent with the text displayed in the graphical user interface (GUI). Some of the text in the command window is truncated.

The output also gives the version of the script, the startup directory, and the arguments used.

You can also use wildcard characters to display matching files in the directory. For example, if you type the following command, all files with the ".log" extension in the C:\Test folder are displayed:
xcacls.vbs c:\test\*.log

Examples

The following commands provide some examples of Xcacls.vbs usage:

xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
This command edits existing permissions. It grants domain\testuser1 Full Control over all files under C:\Test, traverses the subfolders under C:\Test, and changes all files found. The command does not touch directories.
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
This command replaces existing permissions. It grants domain\testuser1 Full Control over all subfolders under C:\Test and logs to C:\Xcacls.log. This command does not touch files and does not traverse the directory.
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
This command changes the owner of Readme.txt to the group machinea\group1.
xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
This command revokes the permissions of machinea\group1 and domain\testuser1 on C:\Test\Badcode.exe.
xcacls.vbs c:\test\subdir1 /i enable /q
This command turns on inheritance on the folder C:\Test\Subdir1. It suppresses any screen output.
xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
This command connects to \\ServerA\ShareZ remotely by using Windows Management Instrumentation (WMI). It then gets the local path for the share and, under that path, changes the permissions on Testpage.htm. It leaves the existing permissions of domain\group2 intact, but adds permission 1 (Read Data) and permission 4 (Read Extended Attributes). This command discards other permissions on this file because the /e switch is not used.
xcacls.vbs d:\default.htm /g "domain\group2":f /server servera /user servera\admin /pass password
This command uses WMI to connect to ServerA remotely as servera\admin, and then grants Full Control on Default.htm to domain\group2. The existing permissions of domain\group2 are lost, but other permissions on the file are preserved.
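
To check what a user:perm;spec value such as :f, :14 or :rw;x asks for before a command is run, the value can be decoded against the permission letters in the help text. The Python sketch below is an added example, not part of Xcacls.vbs or of the original article; the function names are hypothetical, and the hexadecimal masks are the .NET FileSystemRights values (an assumption used only so the result can be compared with Get-Acl output).

```python
# Added example: decode the user:perm;spec value of /G, /P and /D.
# Letters and names follow the help text; the masks are .NET FileSystemRights
# values (assumption, for comparison with Get-Acl; Xcacls.vbs does not print them).
RIGHTS = {
    "F": ("Full Control", 0x1F01FF),
    "M": ("Modify", 0x0301BF),
    "X": ("Read and Execute", 0x0200A9),
    "L": ("List Folder Contents", 0x0200A9),  # same bits as X, folders only
    "R": ("Read", 0x020089),
    "W": ("Write", 0x000116),
    "D": ("Take Ownership", 0x080000),
    "C": ("Change Permissions", 0x040000),
    "B": ("Read Permissions", 0x020000),
    "A": ("Delete", 0x010000),
    "9": ("Write Attributes", 0x100),
    "8": ("Read Attributes", 0x080),
    "7": ("Delete Subfolders and Files", 0x040),
    "6": ("Traverse Folder / Execute File", 0x020),
    "5": ("Write Extended Attributes", 0x010),
    "4": ("Read Extended Attributes", 0x008),
    "3": ("Create Folders / Append Data", 0x004),
    "2": ("Create Files / Write Data", 0x002),
    "1": ("List Folder / Read Data", 0x001),
}

def decode(letters, allow_list=False):
    """Return (names, mask) for a run of permission letters such as 'rw' or '14'."""
    names, mask = [], 0
    for ch in letters.upper():
        if ch not in RIGHTS or (ch == "L" and not allow_list):
            raise ValueError(f"unknown permission letter {ch!r} in {letters!r}")
        name, bits = RIGHTS[ch]
        names.append(name)
        mask |= bits
    return names, mask

def parse_grant(arg):
    """Parse one /G, /P or /D value: user:gui or user:perm;spec."""
    arg = arg.replace('"', "")                # quotes only protect spaces in the user
    user, sep, rights = arg.rpartition(":")   # SID# users contain no ':'
    if not sep or not user or not rights:
        raise ValueError(f"expected user:rights, got {arg!r}")
    result = {"user": user}
    if ";" in rights:                         # a ';' makes it a Perm;Spec pair
        perm, spec = rights.split(";", 1)
        result["files"] = decode(perm)        # Perm: files only
        result["folders"] = decode(spec)      # Spec: folders and subfolders only
    else:                                     # single string, as in :f and :14
        result["rights"] = decode(rights, allow_list=True)
    return result

if __name__ == "__main__":
    for s in ("domain\\testuser1:f", '"domain\\group2":14', "sid#S-1-5-32-545:rw;x"):
        print(s, "->", parse_grant(s))
```

The L letter is accepted only in the single-string form because the help text lists it under GUI and not under Perm.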


Reference
For additional information about how to use Xcacls.exe, click the following article number to view the article in the Microsoft Knowledge Base:
318754 (http://support.microsoft.com/kb/318754/) How to use Xcacls.exe to modify NTFS permissions
