BUILTIN\Power Users:(OI)(CI)(IO)CBUILTIN\Administrators:FBUILTIN\Administrators:(OI)(CI)(IO)FNT AUTHORITY\SYSTEM:FNT AUTHORITY\SYSTEM:(OI)(CI)(IO)FBUILTIN\Administrators:FCREATOR OWNER:(OI)(CI)(IO)F
The ACL flags have the following meanings:
: Inherit Only - This flag indicates that this ACE does not applyto the current object.•
: Container Inherit - This flag indicates that subordinatecontainers will inherit this ACE.•
: Object Inherit - This flag indicates that subordinate files willinherit the ACE.•
: Non-Propagate - This flag indicates that the subordinateobject will not propagate the inherited ACE any further.
The letter at the end of each line indicates permission. For example:
: Full Control•
: WriteXcacls.exe examplesExample 1
Type XCACLS *.* /G administrator:RW /Y at the command prompt, and then press ENTER to replacethe ACL of all files and folders in the current folder without scanning subfolders and withoutconfirmation.
The ACEs that are added to the folder in this example also inherit ACE for new files that are createdin this folder. The command gives TestUser read, write, run, and delete rights on all new filescreated in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /GTestUser:RWED;RW /E at the command prompt, and then press ENTER.
The following example grants read and write permissions on a folder without creating an inheritentry for new files. Therefore, in this example, new files that are created in this folder receive noACE for TestUser. For existing files, an ACE with read permissions is created. Type XCACLS *.* /GTestUser:R;RW /E at the command prompt, and then press ENTER.
NTFS permissions guidelines
The following are guidelines for assigning NTFS permissions:
•Use NTFS permissions to control access to files and folders.•Assign permissions to groups rather than to individual users.•NTFS file permissions take priority over NTFS folder permissions.•Administrators and the owner of a file or folder control whichpermissions can be set for that object.•When you change folder permissions, be aware of programs thatare installed on the servers. Programs create their own foldersthat have the Allow inheritable permissions from parent to