Summary
Microsoft provides an updated version of the Extended Change Access Control List tool (Xcacls.exe) in the form of Microsoft Visual Basic script (Xcacls. vbs. This section describes how to use the Xcacls. vbs script to modify and view the NTFS file system permissions of a file or folder. You can use Xcacls. vbs from the command line to set all file system security options that can be accessed in Microsoft Windows Resource Manager. Xcacls. vbs displays and modifies the access control list (ACL) of a file ).
Note: Xcacls. vbs is only compatible with Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft does not support Xcacls. vbs.
Set and use Xcacls. vbs
To set and use Xcacls. vbs, follow these steps:
1. obtain the latest version of Xcacls. vbs from the following Microsoft Website:
Http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/XCacls_Installer.exe (http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/xcacls_installer.exe)
XCACLS. vbs download http://xiazai.jb51.net/201008/tools/XCACLS.rar directly
2. Double-click "xcacls_installer.exe ". When you are prompted to place the extracted files, specify a folder (such as C: \ Windows) in the search path settings on your computer ).
3. Change the default script engine from Wscript to Cscript. (Xcacls. vbs scripts are most suitable for running in Cscript .) To do this, type the following at the command prompt and press Enter:
Cscript.exe/h: cscript
Note: Changing the default script engine to Cscript only affects how the script writes to the screen. Wscript writes each row according to the "OK" dialog box. Cscript writes each line to the Command window. If you do not want to change the default script engine, you must run the script using the following command:
Cscript.exe xcacls. vbs
However, if you change the default script to Cscript, you can run the script using the following command:
Xcacls. vbs
.
4. To view the Xcacls. vbs command syntax, enter the following command at the command prompt:
Xcacls. vbs /?
Xcacls. vbs command syntax
The following xcacls. vbs /? The command output describes the syntax of the Xcacls. vbs command:
Usage:
XCACLS filename [/E] [/G user: perm; spec] [...] [/R user [...]
[/F] [/S] [/T]
[/P user: perm; spec [...] [/D user: perm; spec] [...]
[/O user] [/I ENABLE/COPY/REMOVE] [/N
[/L filename] [/Q] [/DEBUG]
Filename [Required] If used alone, it displays ACLs.
(Filename can be a filename, directory name or
Wildcard characters and can include the whole
Path. If path is missing, it is assumed to be
Under the current directory .)
Notes:
-Put filename in quotes if it has spaces or
Special characters such as &, $, #, etc.
-If filename is a directory, all files and
Subdirectories under it will NOT be changed
Unless the/F or S is present.
/F [Used with Directory or Wildcard] This will change all
Files under the inputted directory but will NOT
Traverse subdirectories unless/T is also present.
If filename is a directory, and/F is not used, no
Files will be touched.
/S [Used with Directory or Wildcard] This will change all
Subfolders under the inputted directory but will NOT
Traverse subdirectories unless/T is also present.
If filename is a directory, and/S is not used, no
Subdirectories will be touched.
/T [Used only with a Directory] Traverses each
Subdirectory and makes the same changes.
This switch will traverse directories only if
Filename is a directory or is using wildcard characters.
/E Edit ACL instead of replacing it.
/G user: GUI Grant security permissions similar to Windows GUI
Standard (non-advanced) choices.
/G user: Perm; Spec Grant specified user access rights.
(/G adds to existing rights for user)
User: If User has spaces in it, enclose it in quotes.
If User contains # machine #, it will replace
# Machine # with the actual machine name if it is
Non-domain controller, and replace it with
Actual domain name if it is a domain controller.
New to 3.0: User can be a string representing
The actual SID, but MUST be lead by SID #
Example: SID # S-1-5-21-2127521184-160...
(SID string shown has been shortened)
(If any user has SID # then globally all
Matches must match the SID (not name)
So if your intention is to apply changes
To all accounts that match Domain \ User
Then do not specify SID # as one of
Users .)
GUI: Is for standard rights and can be:
Permissions...
F Full control
M Modify
X read and eXecute
L List folder contents
R Read
W Write
Note: If a; is present, this will be considered
A Perm; Spec parameter pair.
Perm: Is for "Files Only" and can be:
Permissions...
F Full control
M Modify
X read and eXecute
R Read
W Write
Advanced...
D Take Ownership
C Change Permissions
B Read Permissions
A Delete
9 Write Attributes
8 Read Attributes
7 Delete Subfolders and Files
6 Traverse Folder/Execute File
5 Write Extended Attributes
4 Read Extended Attributes
3 Create Folders/Append Data
2 Create Files/Write Data
1 List Folder/Read Data
Spec is for "Folder and Subfolders only" and has
Same choices as Perm.
/R user Revoke specified user's access rights.
(Will remove any Allowed or Denied ACL's for user .)
/P user: GUI Replace security permissions similar to standard choices.
/P user: perm; spec Replace specified user's access rights.
For access right specification see/G option.
(/P behaves like/G if there are no rights set for user .)
/D user: GUI Deny security permissions similar to standard choices.
/D user: perm; spec Deny specified user access rights.
For access right specification see/G option.
(/D adds to existing rights for user .)
/O user Change the Ownership to this user or group.
/I switch Inheritance flag. If omitted, the default is to not touch
Inherited ACL's. Switch can be:
ENABLE-This will turn on the Inheritance flag if
It is not on already.
COPY-This will turn off the Inheritance flag and
Copy the Inherited ACL's
Into valid tive ACL's.
REMOVE-This will turn off the Inheritance flag and
Will not copy the Inherited
ACL's. This is the opposite of ENABLE.
If switch is not present,/I will be ignored and
Inherited ACL's will remain untouched.
/L filename Filename for Logging. This can include a path name
If the file is not under the current directory.
File will be appended to, or created if it does not
Exit. Must be Text file if it exists or error will occur.
If filename is omitted, the default name of XCACLS will
Be used.
/Q Turn on Quiet mode. By default, it is off.
If it is turned on, there will be no display to the screen.
/DEBUG Turn on Debug mode. By default, it is off.
If it is turned on, there will be more information
Displayed and/or logged. Information will show
Sub/Function Enter and Exit as well as other important
Information.
/SERVER servername Enter a remote server to run script against.
/USER username Enter Username to impersonate for Remote Connections
(Requires PASS switch). Will be ignored if it is for a Local Connection.
/PASS password Enter Password to go with USER switch
(Requires USER switch ).
Wildcard characters can be used to specify more than one file in a command, such:
* Any string of zero or more characters
? Any single character
You can specify more than one user in a command.
You can combine access rights. ========================================================== ============================
Qingcloud Translation:
Xcacls. vbs command syntax
The following xcacls. vbs /? The command output describes the syntax of the Xcacls. vbs command:
Usage:
XCACLS filename [/E] [/G user: perm; spec] [...] [/R user [...]
[/F] [/S] [/T]
[/P user: perm; spec [...] [/D user: perm; spec] [...]
[/O user] [/I ENABLE/COPY/REMOVE] [/N
[/L filename] [/Q] [/DEBUG]
Filename [required] If used separately, it displays the ACL.
(A file name can be a file name and can include all roads. The directory name is orwildcard.
If the path is lost, beunder's current directory is assumed .)
Note:
-If it has space or special character, put the file name in the quotation &, $, #, and so on.
-If the file name is a directory, all files and subdirectories under it will not be changed unless they are present with F or S.
/F [used with a directory or wildcard] This will change all files under the input directory but will not cross the subdirectory unless it is also present with T.
If the file name is a directory, and is not used with F, no file will be touched.
/S [used with directory or wildcard] This will change all subfolders under the input directory but will not cross the subdirectory unless it is also present with T.
If the file name is a directory, and is not used with S, no subdirectories will be touched.
/T [used only with a directory] crosses each sub-directory and makes the same change.
This switch will only cross the directory when the file name is a directory or use wildcards.
/E edit the ACL instead of replacing it.
/G user: the GUI allows a standard (not advanced) Option similar to Windows GUI security.
/G user: Perm; Spec gives the specified user access right.
(/G add existing rights for the user)
User: if the user has space, seal it in the market.
If the user contains # machine #, it will replace # machine with the actual machine name # if it is a non-Domain Controller,
And replace it with the actual domain name if it is a domain controller.
Unfamiliar with 3.0: the user can be a string representing the actual SID, but be sure to guide the SID #
Example: SID # S-1-5-21-2127521184-160...
(SID string display has been shortened)
(If any user has a SID # Then all competitions around the world must match the SID (not named), if your intention
It is to change all the reasons for matching the domain \ user, and then do not set SID # as a user that is not specified .)
Graphics: For standard rights and:
Permission...
F full control
M Modification
X read and execute
L list folder content
R read
W write
Note: If a; is current, this will be considered
One Perm; two Spec parameters.
Perm: To "only file" and:
Permission...
F full control
M Modification
X read and execute
R read
W write
Advanced...
D. obtain ownership.
C change allowed
B. Read permitted
A Delete
9 Write attributes
8. Read attributes
7. Delete subfolders and files
6. pass through folders/execution files
5. Write extended attributes
4. Read extended attributes
3. Create a folder or append data
2. Create a file/Write Data
1. List folders/read data
Spec is "Only folders and subfolders" and has the same choice as Perm.
/R user: revokes the access right of the specified user.
(The ACL will be removed for any information that the user permits or denies .)
/P user: the GUI replaces security permits similar to standard options.
/P user: perm; spec replaces the access right of the specified user.
For access permission descriptions, see/G options.
(/P representations/G if there is no right to be set as a user .)
/D user: the GUI rejects security permits similar to standard options.
/D user: perm; spec denies access to the specified user.
For access permission descriptions, see/G options.
(/D Add the user to the right of the existing one .)
/O user changes ownership to this user or group.
/I switch inheritance flag. If this parameter is left blank, the default value is left blank.
The inherited ACL's. Switchover may be:
ENABLE-if it is not enabled, the inheritance flag is opened.
COPY-this will disable the inheritance flag and COPY the inherited ACL's
To the valid ACL.
REMOVE-this will disable the inheritance flag and will not copy the inherited ACL's.
This is the opposite of implementation.
If the switch does not exist,/I will be ignored and the inherited ACL's will be retained.
The file name of the/L filename record. If the file is not in the current directory, this may include the path name.
Whether it does not exit, the file will be appended to or created. If it exists, it is certain that the text file or error will occur.
If the file name is omitted, the default name of XCACLS will be used.
/Q. By default, it leaves.
If it is opened, it is not displayed on the screen.
/DEBUG open debugging mode. By default, it leaves.
If it is enabled, more information will be displayed and/or recorded.
Information Displays Sub/Function entry and exit and other important information.
/SERVER servername: enter a remote SERVER running script.
/USER username indicates the number of remote connections assumed by the USER name (switch required ). Will be ignored if it is a local number of connections.
/PASS password: enter the password and switch with the user
(User Switching is required ).
Wildcard characters may be used to specify more than one file in one command. For example:
* Any string with zero or more characters
? Any single character
You can specify more than one user in a command.
You can combine close to right.
========================================================== ============================
Use Xcacls. vbs to view Permissions
Xcacls. vbs can also be used to view file or folder permissions. For example, if you have a folder named C: \ Test, type the following command at the command prompt to view the folder permissions, and then press Enter:
Xcacls. vbs c: \ test
The following example shows a typical result:
C: \> XCACLS. VBS c: \ test
Microsoft (R) Windows Script Host 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Starting XCACLS. VBS (Version: 3.4) Script at 6/11/2003 10:55:21 AM
Startup directory:
"C: \ test"
Arguments Used:
Filename = "c: \ test"
**************************************** **********************************
Directory: C: \ test
Permissions:
Type Username Permissions Inheritance
Allowed BUILTIN \ Administrators Full Control This Folder, Subfolde
Allowed nt authority \ SYSTEM Full Control This Folder, Subfolde
Allowed Domain1 \ User1 Full Control This Folder Only
Allowed \ creator owner Special (Unknown) Subfolders and Files
Allowed BUILTIN \ Users Read and Execute This Folder, Subfolde
Allowed BUILTIN \ Users Create Folders/Appe This Folder and Subfo
Allowed BUILTIN \ Users Create Files/Write This Folder and Subfo
No Auditing set
Owner: Domain1 \ User1
Note: In this example, the xcacls. vbs c: \ test command output is consistent with the text displayed on the GUI. Some text in the Command window is incomplete.
The output also provides the script version, startup directory, and parameters used.
You can also use wildcards to display matching files in a directory. For example, if you type the following command, all files with the ". log" extension in the C: \ Test folder are displayed:
Xcacls. vbs c: \ test \ *. log
Example
The following Xcacls. vbs command provides some examples of Xcacls. vbs usage:
Xcacls. vbs c: \ test \/g domain \ testuser1: f/t/e
This command can edit existing permissions. It grants Domain \ TestUser1 full control over all files under C: \ Test, traverses subfolders under C: \ Test, and then changes all files found. This command does not touch the directory.
Xcacls. vbs c: \ test \/g domain \ testuser1: f/s/l "c: \ xcacls. log"
This command can replace existing permissions. It grants Domain \ TestUser1 full control over all subfolders under C: \ Test and records them to C: \ Xcacls. log. This command does not touch files and does not traverse directories.
Xcacls. vbs c: \ test \ readme.txt/o "machinea \ group1"
This command changes the owner of the README file to group MachineA \ group1.
Xcacls. vbs c: \ test \ badcode.exe/r "machinea \ group1"/r "domain \ testuser1"
This command revokes the C: \ Test \ Badcode.exe permissions of MachineA \ Group1 and Domain \ TestUser1.
Xcacls. vbs c: \ test \ subdir1/I enable/q
This command will open the inheritance on the C: \ Test \ Subdir1 folder. This command will cancel any screen output.
Xcacls. vbs \ servera \ sharez \ testpage.htm/p "domain \ group2": 14
This command remotely connects to \ ServerA \ ShareZ by using Windows Management Instrumentation (WMI. Then obtain the local path used for the sharing. Under this path, it changes the permission on Testpage.htm. It retains the existing permissions of Domain \ Group2, but adds permissions 1 (read data) and 4 (read extended attributes ). This command waives other permissions on this file because the/e switch is not used.
Xcacls. vbs d: \ default.htm/g "domain \ group2": f/server servera/user servera \ admin/pass password/e
This command remotely connects to ServerA Using WMI as ServerA \ Admin, and then grants full permissions on Default.htm to Domain \ Group2. The existing permissions of Domain \ Group2 are lost, but other permissions on the file are retained.
Reference
For more information about how to use Xcacls.exe, click the following article number to view the article in the Microsoft Knowledge Base:
318754 (http://support.microsoft.com/kb/318754/) How to Use Xcacls.exe to modify NTFS permissions