Modifying File Access Control Permissions under Windows Command Line

  

With the popularity of Windows XP/Server 2003, more and more users are choosing the NTFS file system. NTFS greatly enhances the security of the system. Under the "Security" tab, we can set the appropriate access control permissions for different levels of users, including full control, modify, read and execute, list folder contents, read, write, and special permissions. You simply check "Allow" or "Deny"; clicking the "Advanced" button lets you set more special permissions, which are not covered here.

In fact, in addition to setting the access control permissions for files or folders in the graphical user interface, we can also do this from the command line, which is especially useful when the graphical user interface cannot be entered for some reason. It is a bit cumbersome to use, but it can help in an emergency.

First, use the Cacls.exe command

This is a command that can be used under the Windows 2000/XP/Server 2003 operating systems. It is used to display or modify file access control lists. You can use wildcards to specify multiple files in the command, and you can also specify multiple users. The command syntax is as follows:

Cacls filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

Filename: Displays the access control list (hereinafter referred to as ACL) of the specified file

/T: Changes the ACL of the specified files in the current directory and all its subdirectories.

/E: Edit ACL without replacing

/C: Continue when an access denied error occurs

/G user:perm: Grants the specified user access rights. Perm stands for the level of access; the value can be R (read), W (write), C (change, i.e. write), F (full control) and so on.

/R user: Revokes the access rights of the specified user. Note that this parameter is only valid when used with "/E".

/P user:perm: Replaces the access rights of the specified user. Perm has the same meaning as before, but also has the option "N" (none).

/D user: Denies access to the specified user.

Example 1: Viewing the access control permissions of a folder

For example, to view the access control permissions of the h:\temp folder, you only need to type the following command in the "Start → Run" dialog box or at the command prompt: Cacls h:\temp

At this point, we will see the access control entries for all user groups and users on the h:\temp folder. Here CI indicates that the ACE will be inherited by directories, OI indicates that the ACE will be inherited by files, and IO indicates that the ACE does not apply to the current file or directory. The letter at the end of each line indicates the permission level. For example, F indicates full control, C indicates change, and W indicates write.

If you want to view access control permissions for all files in this folder (including those in subfolders), you can type the "Cacls h:\temp\*.*" command.
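
The following Python example is added here and is not part of the original article: it parses Cacls display output in the layout described above (inheritance flags in parentheses, permission letter at the end of each line) and reports change or full-control entries held by broad groups. The sample output and the set of groups treated as broad are constructed assumptions.

```python
import re

# One ACE per line: principal, optional inheritance flags, permission letter.
# OI/CI/IO are the flags the text describes; NP is shown by xcacls.
ACE_RE = re.compile(
    r"^(?P<who>.+?):(?P<flags>(?:\((?:OI|CI|IO|NP)\))*)(?P<perm>[NRWCF])$")

# Assumption: which principals count as "broad" is a local policy choice.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

# Constructed sample of "Cacls h:\temp" output (not captured from a real host).
SAMPLE = r"""h:\temp BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        Everyone:(OI)(CI)(IO)C
        BUILTIN\Users:R
        wzj9999:(OI)(CI)F
"""

def parse_cacls(path, output):
    """Return [(principal, [flags], perm)] from Cacls display output."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        # The first ACE shares its line with the path; drop the path prefix.
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:  # lines that are not a plain ACE (special access detail) are skipped
            flags = re.findall(r"\((\w+)\)", m.group("flags"))
            aces.append((m.group("who"), flags, m.group("perm")))
    return aces

def risky(aces):
    """Broad principals holding C (change) or F (full control)."""
    found = []
    for who, flags, perm in aces:
        if who.lower() in BROAD and perm in "CF":
            # IO means the ACE skips this object and only reaches children.
            scope = "children only" if "IO" in flags else "this object"
            found.append((who, perm, scope))
    return found

if __name__ == "__main__":
    for who, perm, scope in risky(parse_cacls(r"h:\temp", SAMPLE)):
        print(f"{who}: {perm} ({scope})")
```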

Example 2: Modify the access control permissions of the folder

If you want to give the local user wzj9999 full control over all files in the h:\temp folder and its subfolders, just type the following command:

Cacls h:\temp /t /e /c /g wzj9999:f

Here "/t" means to modify the ACL of all files in the folder and subfolders, "/e" means to edit the ACL rather than replace it, "/c" means to continue when an access denied error occurs, and "/g wzj9999:f" means to give the local user wzj9999 full control. Here "f" represents full control; if you only want to give read access, it should be "r".

Example 3: Revoke User Access Control Rights

If you wish to revoke user wzj9999's access control permissions for the h:\temp folder and its subfolders, you can type the following command:

cacls h:\temp /t /e /c /r wzj9999

If you only want to deny the user access, you can type the following command:

cacls h:\temp /t /e /c /d wzj9999

Second, use the enhanced tool xcacls.exe

In the Windows 2000 Resource Kit, Microsoft also provides a file permission modification tool called xcacls.exe, which is more powerful than cacls.exe and can set, from the command line, the file system security options accessed in Windows Explorer. It can be downloaded from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp and used after installation.

The syntax and parameters of the xcacls.exe command are basically the same as those of cacls.exe, and it likewise works by displaying and modifying a file's access control list (ACL). The differences are that, in addition to the original perm permission after the "/g" parameter, a spec (special access permission) option has been added, and a "/y" parameter has been added to suppress the confirmation prompt when replacing user access rights. By default, cacls.exe requires confirmation, so when the cacls.exe command is called in a batch file, the program stops responding and waits for the correct answer. The "/y" parameter cancels this confirmation, so that we can use the xcacls.exe command in batch files.

Example 1: Viewing the permissions of a file or folder

In the "Start → Run" dialog or at the command prompt, take care to add "c:\Program files\resource kit" to the path under "System Properties → Advanced → Environment Variables → System variables", or make it the current directory with the cd command; otherwise you will be told that the file cannot be found. Then type the following command:

xcacls h:\temp

At this point, you can view the access control permissions of all user groups or users on the h:\temp folder. io means that this ACE is not applied to the current object, ci means that subordinate containers will inherit this ACE, oi means that subordinate files will inherit the ACE, and np means that subordinate objects do not continue to propagate the inherited ACE. The letters at the end of each line represent different levels of permissions, such as f for full control, c for change, and w for write.

Example 2: Replace the ACL in the folder without confirming

xcacls h:\temp /g administrator:rw /y

The above command replaces the ACL of all files and folders in the h:\temp folder, without scanning subfolders and without requiring user confirmation.

Example 3: Give a user control over a folder

xcacls h:\temp /g wzj9999:rwed;rw /e

The above command gives the user wzj9999 read, write, execute, and delete permissions for all newly created files in the h:\temp folder. Note, however, that this command only gives the user read and write permissions on the folder itself, not including files in subfolders.

For ordinary users, the role of cacls.exe and xcacls.exe may not be so obvious. They are especially useful in unattended installations of Windows 2000/XP/Server 2003, where the administrator can set initial access rights for the folder in which the operating system is located. When distributing software to a server or workstation, xcacls.exe can also be used to provide single-step protection that prevents users from accidentally deleting folders or files.
