|
|
|
|
XCACLS.exe (Server Resource Kit) and XCACLS.vbs
Display or modify Access Control Lists (ACLs) for files and folders.
Unlike cacls.exe, xcacls can apply 'Special Access' rights
Syntax
XCACLS filename [options]
XCACLS filename
Key
If no options are specified XCACLS will display the ACLs for the file(s)
options can be any combination of:
/T Traverse all subfolders and change all matching files found.
/E Edit ACL instead of replacing it.
/R user Revoke specified user's access rights.
/D user Deny specified user access, this will over-ride
all other permissions the user has.
/C Continue on access denied errors.
/Y Replace user's rights without verify
/P user:permision;FolderSpec
Replace user's rights. see /G option below
/G user:permision;FolderSpec
Grant specified user access rights, permision can be:
:r Read
:c Change (write)
:f Full control
:p Change Permissions (Special access)
:o Take Ownership (Special access)
:x EXecute (Special access)
:e REad (Special access)
:w Write (Special access)
:d Delete (Special access)
FolderSpec is a permission applied to a folder.
Folder permissions are inherited by new files added to the folder.
If FolderSpec is not specified then permission will apply to
both files and folders.
FolderSpec: T@ where @ is one of the rights above, when this is specified new
files will not inherit folder permissions. At least one folder access right
must follow the T
Any entries between the ';' and T will be ignored.
Wildcards can be used to specify more that one file in a command. You can specify
more than one user in a command. You can combine access rights.
Versions:
When running this command it is important to use the correct version (NTFS
standards have changed with different versions of Windows and XCACLS has been
updated to suit)
Early versions of xcacls.exe may give unpredictable results against an NTFS
v5 partition.
The latest version (xcacls.vbs) is described in Q825751 -
this has support for Extended NTFS Attributes and inherited/Effective ACL's.
but it does not like unc paths (requires a mapped drive)
Also xcacls.vbs requires users and groups to be specified like this...
builtin\administrators
domain.com\WGname
domain\username
Examples:
Allow guests the right to read and execute in MyFolder
XCACLS MyFolder /E /G guests:rx
Allow guests the Full Control permission in MyFolder and all subfolders
XCACLS MyFolder /T /E /G guests:f
This will grant guests only read access to all files in and below
MyFolder,
new folders created will be Read Access only, new files will not inherit
any rights.
XCACLS MyFolder /T /P guests:R;Tr
This will grant guests only execute access to all files in and below
MyFolder
XCACLS MyFolder /T /P guests:x
"I spent most of the eighties, most of my life, riding around in somebody
else's car, in possession of, or ingested of, something illegal, on my way from
something illegal to something illegal with many illegal things happening all
around me" - Iggy
Pop
Related Commands:
CACLS - Display or modify Access Control Lists
(ACLs) for files and folders
PERMS - Show permissions for a user
SHOWACL - Show file Access Control Lists (win 2000)
SHOWACCS - Show ACLs on the registry, file system, file and print shares
SUBINACL - Change an ACL's user/domain
ATTRIB - Display or change file attributes
NT Permissions explained
Q245031 - Change
Registry Permissions from the command line
Q822790 -
Xcacls /E - Objects do not inherit permissions as expected.
SetAcl - Open
Source ACL utility
Equivalent Linux BASH commands:
chmod - Change access permissions
chown - Change file owner and group
