Published by: lbluser on Jan 19, 2009
Copyright: Attribution Non-commercial


How to use Xcacls.exe to modify NTFS permissions
Article ID: 318754

This step-by-step article describes how to use the Extended Change Access Control List tool (Xcacls.exe) to modify and to view NTFS permissions for files or folders.

You can use Xcacls.exe to set all file-system security options that are accessible in Windows Explorer from the command line. Xcacls.exe does this by displaying and modifying the access control lists (ACLs) of files.

Xcacls.exe is especially useful in unattended installations of Windows 2000 Professional or Windows 2000 Server. By using this tool, you can set the initial access rights for folders in which the operating system resides. When you distribute software to servers or workstations, Xcacls.exe also offers one-step protection against deletion of folders or files by users.

The Xcacls.exe utility is included in the Windows 2000 Resource Kit. The Xcacls.exe utility is also included in the Windows Server 2003 Support Tools.

The following file is available for download from the Microsoft Download Center:
Download the XCacls_Installer.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en)
Xcacls.exe syntax
xcacls file name [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

where file name indicates the name of the file or folder to which the ACL or access control entry (ACE) is typically applied. All standard wildcard characters can be used.

/T
recursively walks through the current folder and all of its subfolders, applying the chosen access rights to the matching files or folders.
/E
edits the ACL instead of replacing it. For example, if you run the XCACLS test.dat /G Administrator:F command without /E, only the administrator will have access to the Test.dat file. All ACEs applied earlier are lost.
/C
causes Xcacls.exe to continue if an "access denied" error message occurs. If /C is not specified, Xcacls.exe stops on this error.
/G user:perm;spec
grants a user access to the matching file or folder.

The perm (permission) variable applies the specified access right to files and represents the special file-access-right mask for folders. The perm variable accepts the following values:
R Read
C Change (write)
F Full Control
P Change Permissions (special access)
O Take Ownership (special access)
X EXecute (special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)

The spec (special access) variable applies only to folders and accepts the same values as perm, with the addition of the following special value:
T Not Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between a semicolon (;) and T are ignored.

The access options for files (for folders, special file and folder access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation.

All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Because of this, there are no special options for folder access rights, such as LIST or READ.

/R user
revokes all access rights for the specified user.
/P user:perm;spec
replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See the "Xcacls.exe examples" section.
/D user
denies user access to the file or directory.
/Y
disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that Xcacls.exe can be used in batch mode.
Use Xcacls.exe to view permissions
You can also use Xcacls.exe to view permissions for a file or folder. For example, type xcacls C:\winnt at the command prompt, and then press ENTER. The following is a typical result:
The ACL flags have the following meanings:
IO: Inherit Only - This flag indicates that this ACE does not apply to the current object.
CI: Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI: Object Inherit - This flag indicates that subordinate files will inherit the ACE.
NP: Non-Propagate - This flag indicates that the subordinate object will not propagate the inherited ACE any further.
The letter at the end of each line indicates permission. For example:
F: Full Control
C: Change
W: Write

Xcacls.exe examples
Example 1
Type XCACLS *.* /G administrator:RW /Y at the command prompt, and then press ENTER to replace the ACL of all files and folders in the current folder without scanning subfolders and without confirmation.
Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.
Example 3
The following example grants read and write permissions on a folder without creating an inherit entry for new files. Therefore, in this example, new files that are created in this folder receive no ACE for TestUser. For existing files, an ACE with read permissions is created. Type XCACLS *.* /G TestUser:R;RW /E at the command prompt, and then press ENTER.
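The script below is an added example, not part of the original article: it parses an xcacls command line written in the syntax above, expands the perm and spec letters, and warns when /G is used without /E (the ACL is replaced) or without /Y (the command waits for confirmation). The function names and the last sample command are constructed for illustration.

```python
import shlex

# Access-right letters accepted in perm and spec (T is valid in spec only).
RIGHTS = {"R": "Read", "C": "Change (write)", "F": "Full Control",
          "P": "Change Permissions", "O": "Take Ownership", "X": "EXecute",
          "E": "REad", "W": "Write", "D": "Delete"}

def decode(letters, spec=False):
    """Expand a perm or spec string such as 'RW' into a list of right names."""
    table = dict(RIGHTS, T="Not Specified") if spec else RIGHTS
    unknown = [ch for ch in letters.upper() if ch not in table]
    if unknown:
        raise ValueError(f"unknown access right(s): {''.join(unknown)}")
    return [table[ch] for ch in letters.upper()]

def review(command):
    """Parse one xcacls command line and return (entries, warnings)."""
    args = shlex.split(command, posix=False)  # posix=False keeps C:\ paths intact
    if len(args) < 2 or args[0].lower() not in ("xcacls", "xcacls.exe"):
        raise ValueError("not an xcacls command line")
    opts = args[2:]
    switches = {a.upper() for a in opts if a.startswith("/")}
    entries = []
    # Only the first user:perm;spec value after each /G or /P is decoded.
    for switch, value in zip(opts, opts[1:]):
        if switch.upper() in ("/G", "/P") and not value.startswith("/"):
            user, _, rights = value.partition(":")
            perm, _, spec = rights.partition(";")
            entries.append({"switch": switch.upper(), "user": user,
                            "perm": decode(perm), "spec": decode(spec, spec=True)})
    warnings = []
    if "/G" in switches and "/E" not in switches:
        warnings.append("/G without /E replaces the ACL; earlier ACEs are lost")
        if "/Y" not in switches:
            warnings.append("no /Y: confirmation prompt will stall a batch run")
    if "/T" in switches:
        warnings.append("/T applies the change to all subfolders")
    return entries, warnings

if __name__ == "__main__":
    # The three example commands from this article, plus one constructed line.
    for line in (r"XCACLS *.* /G administrator:RW /Y",
                 r"XCACLS *.* /G TestUser:RWED;RW /E",
                 r"XCACLS *.* /G TestUser:R;RW /E",
                 r"xcacls C:\data /T /G Administrator:F"):  # constructed
        print(line, *review(line), sep="\n  ")
```

Running the same check over deployment or unattended-install scripts before they ship catches a /G that was meant to add an entry but would instead wipe the existing ACL.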
NTFS permissions guidelines
The following are guidelines for assigning NTFS permissions:
Use NTFS permissions to control access to files and folders.
Assign permissions to groups rather than to individual users.
NTFS file permissions take priority over NTFS folder permissions.
Administrators and the owner of a file or folder control which permissions can be set for that object.
When you change folder permissions, be aware of programs that are installed on the servers. Programs create their own folders that have the Allow inheritable permissions from parent to
