Windows DOS Rights Management

Source: Internet
Author: User

Display or modify access control lists (ACLs) for a file

CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
      [/R user [...]] [/P user:perm [...]] [/D user [...]]


filename      Displays the ACL.
/T            Changes the ACLs of the specified files in the current directory and all its subdirectories.
/L            Works on the symbolic link itself rather than on its target.
/M            Changes the ACLs of volumes mounted to a directory.
/S            Displays the SDDL string for the DACL.
/S:SDDL       Replaces the ACL with the one specified in the SDDL string
              (not valid with /E, /G, /R, /P or /D).
/E            Edits the ACL instead of replacing it.
/C            Continues when an access denied error occurs.
/G user:perm  Grants the specified user access rights.
              Perm can be: R  Read
                           W  Write
                           C  Change (write)
                           F  Full control
/R user       Revokes the specified user's access rights (only valid with /E).
/P user:perm  Replaces the specified user's access rights.
              Perm can be: N  None
                           R  Read
                           W  Write
                           C  Change (write)
                           F  Full control
/D user       Denies the specified user access.
Wildcard characters can be used to specify multiple files in a command.
You can also specify multiple users in a command.

Abbreviations:
CI - Container Inherit.
     The ACE is inherited by directories.
OI - Object Inherit.
     The ACE is inherited by files.
IO - Inherit Only.
     The ACE does not apply to the current file/directory.
ID - Inherited.
     The ACE was inherited from the ACL of the parent directory.

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
Stores the ACLs for all matching names in aclfile for later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
       [/C] [/L] [/Q]
Applies the stored ACLs to the files in the directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
Changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
Finds all matching names whose ACL explicitly mentions the SID.

ICACLS name /verify [/T] [/C] [/L] [/Q]
Finds all files whose ACL is not in canonical form or whose length is inconsistent with the ACE count.

ICACLS name /reset [/T] [/C] [/L] [/Q]
Replaces the ACLs with default inherited ACLs for all matching files.

ICACLS name [/grant[:r] Sid:perm[...]]
       [/deny Sid:perm [...]]
       [/remove[:g|:d] Sid[...]] [/T] [/C] [/L]
       [/setintegritylevel Level:policy[...]]

/grant[:r] Sid:perm grants the specified user access rights. With :r,
the permissions replace any previously granted explicit permissions.
Without :r, the permissions are added to any previously granted explicit permissions.

/deny Sid:perm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions,
and the same permissions in any explicit grant are removed.

/remove[:[g|d]] Sid removes all occurrences of the SID in the ACL. With
:g, all rights granted to that SID are removed. With
:d, all rights denied to that SID are removed.

/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to all
matching files. The level is specified as one of:
    L[ow]
    M[edium]
    H[igh]
Inheritance options for the integrity ACE may precede the level, but apply only to
directories.

/inheritance:e|d|r
    e - Enables inheritance
    d - Disables inheritance and copies the ACEs
    r - Removes all inherited ACEs

Note:
SIDs can be given in either numeric or friendly name form. If the numeric form is used,
prefix the SID with a *.

/T indicates that the operation is performed on all matching files/directories
below the directories specified in the name.

/C indicates that the operation continues on all file errors. Error messages are still displayed.

/L indicates that the operation is performed on the symbolic link itself, not on its target.

/Q indicates that ICACLS should suppress success messages.

ICACLS preserves the canonical order of ACE entries:
    Explicit denials
    Explicit grants
    Inherited denials
    Inherited grants

Perm is a permission mask that can be specified in one of two forms:
    A sequence of simple rights:
        F - Full access
        M - Modify access
        RX - Read and execute access
        R - Read-only access
        W - Write-only access
    A comma-separated list of specific rights in parentheses:
        D - Delete
        RC - Read control
        WDAC - Write DAC
        WO - Write owner
        S - Synchronize
        AS - Access system security
        MA - Maximum allowed
        GR - Generic read
        GW - Generic write
        GE - Generic execute
        GA - Generic all
        RD - Read data/list directory
        WD - Write data/add file
        AD - Append data/add subdirectory
        REA - Read extended attributes
        WEA - Write extended attributes
        X - Execute/traverse
        DC - Delete child
        RA - Read attributes
        WA - Write attributes
    Inheritance rights may precede either form, but apply only to
    directories:
        (OI) - Object inherit
        (CI) - Container inherit
        (IO) - Inherit only
        (NP) - Do not propagate inheritance

Examples:

icacls c:\windows\* /save aclfile /T
- Saves the ACLs of all files in c:\windows and its subdirectories
to aclfile.

icacls c:\windows\ /restore aclfile
- Restores the ACLs of every file listed in aclfile that exists in
c:\windows and its subdirectories.

icacls file /grant Administrator:(D,WDAC)
- Grants the user Administrator Delete and Write DAC
permissions on file.

icacls file /grant *S-1-1-0:(D,WDAC)
- Grants the user defined by SID S-1-1-0 Delete and
Write DAC permissions on file.
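
The two /grant examples above hand out Write DAC, which lets the grantee rewrite the ACL, and S-1-1-0 is the well-known SID for Everyone. The following Python check is an added example (not part of the original page or of icacls): it parses sid:perm arguments in the format described above and rates grants to broad principals. The BROAD set, the severity labels and the function names are assumptions made for illustration.

```python
import re

# Rights from the permission tables above, grouped by what they let the grantee do.
TAKEOVER = {"F", "GA", "WDAC", "WO"}   # full control, rewrite the DACL, take ownership
WRITE = {"M", "W", "GW", "D", "WD", "AD", "WEA", "WA", "DC"}
READ = {"RX", "R", "RC", "S", "AS", "MA", "GR", "GE", "RD", "REA", "X", "RA"}
INHERIT = {"OI", "CI", "IO", "NP"}
# Assumption: the principals this reviewer treats as "broad" (well-known SIDs and names).
BROAD = {"*S-1-1-0": "Everyone", "EVERYONE": "Everyone",
         "*S-1-5-11": "Authenticated Users",
         "*S-1-5-32-545": "Users", "BUILTIN\\USERS": "Users", "USERS": "Users"}

def parse_grant(spec):
    """Split an icacls 'sid:perm' argument into (sid, inheritance flags, rights)."""
    sid, sep, perm = spec.rpartition(":")
    if not sep or not sid.strip():
        raise ValueError(f"expected sid:perm, got {spec!r}")
    groups = re.findall(r"\(([^()]*)\)", perm)      # (OI), (CI), (D,WDAC) ...
    bare = re.sub(r"\([^()]*\)", "", perm)          # simple rights such as F or RX
    flags, rights = set(), set()
    for chunk in groups + [bare]:
        for tok in filter(None, (t.strip().upper() for t in chunk.split(","))):
            if tok in INHERIT:
                flags.add(tok)
            elif tok in TAKEOVER | WRITE | READ:
                rights.add(tok)
            else:
                raise ValueError(f"unknown token {tok!r} in {spec!r}")
    return sid.strip(), flags, rights

def review(spec):
    """Rate one /grant argument as 'high', 'medium' or 'ok' and list the risky rights."""
    sid, flags, rights = parse_grant(spec)
    who = BROAD.get(sid.upper())
    risky = sorted(rights & TAKEOVER) or sorted(rights & WRITE)
    if not who or not risky:
        return {"sid": sid, "severity": "ok", "rights": [], "propagates": False}
    severity = "high" if rights & TAKEOVER else "medium"
    return {"sid": who, "severity": severity, "rights": risky,
            "propagates": bool(flags & {"OI", "CI"})}

# Constructed sample arguments; the first two are the /grant examples from this page.
SAMPLES = ["Administrator:(D,WDAC)", "*S-1-1-0:(D,WDAC)",
           "Users:(OI)(CI)M", "*S-1-5-11:(OI)(CI)(IO)RX"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", review(s))
```

A "propagates" value of True means the grant carries (OI) or (CI), so it also reaches files or subdirectories created later under that directory.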
