Maelstorm, posted January 5, 2006

How do I set file/folder permissions from the command line in Windows XP Pro?

Title Edited - Please follow new posting rules from now on. --Zxian

nmX.Memnoch, posted January 5, 2006

CACLS.EXE

This is a tool that comes with both Windows 2000 and Windows XP (as well as Server 2003). There is an extended version called XCACLS that you can grab from the MS site.

    C:\>CACLS /?
    Displays or modifies access control lists (ACLs) of files

    CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
                   [/P user:perm [...]] [/D user [...]]
       filename      Displays ACLs.
       /T            Changes ACLs of specified files in
                     the current directory and all subdirectories.
       /E            Edit ACL instead of replacing it.
       /C            Continue on access denied errors.
       /G user:perm  Grant specified user access rights.
                     Perm can be: R  Read
                                  W  Write
                                  C  Change (write)
                                  F  Full control
       /R user       Revoke specified user's access rights (only valid with /E).
       /P user:perm  Replace specified user's access rights.
                     Perm can be: N  None
                                  R  Read
                                  W  Write
                                  C  Change (write)
                                  F  Full control
       /D user       Deny specified user access.
    Wildcards can be used to specify more that one file in a command.
    You can specify more than one user in a command.

    Abbreviations:
       CI - Container Inherit.
            The ACE will be inherited by directories.
       OI - Object Inherit.
            The ACE will be inherited by files.
       IO - Inherit Only.
            The ACE does not apply to the current file/directory.

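The /E switch in the help text above decides whether /G adds to an ACL or replaces it outright. The batch file below is an added example, not part of the original thread: it edits an ACL with /E and then checks the result. TARGET and ACCOUNT are constructed placeholder values, and the Administrators check assumes an English-language install.

```batch
@echo off
rem Added example. TARGET and ACCOUNT are constructed placeholder values.
setlocal
set "TARGET=C:\Data\Reports"
set "ACCOUNT=jdoe"

rem 1. Save the current ACL listing so the change can be reviewed afterwards.
cacls "%TARGET%" > "%TEMP%\acl-before.txt"

rem 2. Grant Change on the folder and everything below it.
rem    /E edits the existing ACL; without it, /G replaces the whole ACL
rem    with only the accounts named on this command line.
cacls "%TARGET%" /T /E /C /G %ACCOUNT%:C

rem 3. Confirm the new entry is present in the listing.
cacls "%TARGET%" | findstr /I /C:"%ACCOUNT%:" >nul
if errorlevel 1 (
    echo WARNING: no entry for %ACCOUNT% found on %TARGET%
    exit /b 1
)

rem 4. Confirm an Administrators entry survived, so the folder can still
rem    be managed. The group name assumes an English-language install.
cacls "%TARGET%" | findstr /I /C:"Administrators:" >nul
if errorlevel 1 (
    echo WARNING: Administrators no longer listed on %TARGET%
    exit /b 1
)
echo ACL updated. Previous listing saved in %TEMP%\acl-before.txt
```
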
Maelstorm (Author), posted January 7, 2006

That was exactly what I was looking for. Thanks.

Synapse, posted January 7, 2006

If you have XP Pro I'd suggest using the GUI; it's way too easy to mistype something or forget to add yourself with permissions, then end up locking yourself out.

Just my suggestion.

Sonic, posted January 8, 2006

You can use takeown too (if I remember, from the Windows 2k kit); it will allow you to "retake" the owner attribute for admin ... and you can reconfigure rights without problems ... I use xcacls & takeown and never have a problem, and it's great for sharing data!

Goodbye.

nmX.Memnoch, posted January 8, 2006

I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).

Maelstorm (Author), posted January 10, 2006

> I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).

Because Webshots is more than a screen saver. It's an image manager that works with their website and can set the background image on the desktop. I use it on my home machines. It's pretty nice for free software.

Edited January 10, 2006 by Maelstorm

nmX.Memnoch, posted January 10, 2006

It's still not authorized software on our workstations.

Maelstorm (Author), posted January 10, 2006

I have another issue dealing with filesystem permissions and ACLs. The problem is that I have a directory to which every user has write access. The file hierarchy is as follows:

    \Program Files
        User Installed Software
            Software Archive
                Adabas
                StarOffice
                Winamp
            User ID #1
                Adabas
                StarOffice
                Winamp
                Some other user installed program
            User ID #2
                Adabas
                StarOffice
                Winamp
                Some other user installed program
            User ID #3
                Adabas
                StarOffice
                Winamp
                Some other user installed program

This is for programs that must be installed on a per-user basis. That's why this directory exists. Now the problem is all users must have write access to the User Installed Software directory in order for the initial logon script to create their directory and take ownership of it. They also have read only access to the Software Archive directory. I'm sure that you can see the security implications of this arrangement.

I've been thinking of a solution to this problem, but I'm not coming up with anything. The main problem seems to be that the User Account management interface in the Control Panel does not offer any "hooks" so that, after it creates an account, it then calls a specified script to perform user specific functions before their initial logon. That would be ideal, because then the initial logon script could just ask the user if they want to install the software.

I have thought about using a command-line script to create the user id, create their software directory, set them as the owner, and give them full control of it. But the problem here is that I cannot set the owner to anyone except myself as the administrator. This means that the initial login script will have to take ownership of the directory when it runs.

My questions are as follows:

1) After I create the user program directory, how do I set the ownership to that user?
2) Is there a way to tell the user accounts applet in the control panel to execute a script when a user is created? This should preferably work with the old Win2K user management interface.
3) Is there a better way of doing this? Am I barking up the wrong tree here?

nmX.Memnoch, posted January 10, 2006

If you need finer control of permissions and ownership check out SubInACL. It's another utility from MS that gives you more options. It has a steep learning curve compared to CACLS/XCACLS though.

As for the other issue with write access in a subfolder where they only have read to the parent...this is very much possible. Just make sure that either "Everyone" or "Authenticated Users" (preferably) is in the "Bypass traverse checking" security option of gpedit.msc.

Maelstorm (Author), posted January 12, 2006

I'll check that tool out. Turns out that I have the SOURCE CODE for the takeown tool. It was in the Platform SDK that I have loaded on my machine for my software development stuff. I went through the source code, and it doesn't really do what I want it to do. All it does is set the owner to the Administrator and allows everyone full control over the filesystem object.

Sonic, posted January 12, 2006

Use a combination of xcacls and takeown ...

Personally, I use takeown first to take all hard drives present ... and after that I use xcacls ...

nmX.Memnoch, posted January 12, 2006

TAKEOWN only gives ownership to the Administrators group or the current user. You can specify a user, but you have to know that user's password. This is perfect for your own account, but I believe he wants to give ownership of certain directories to the user the directory belongs to and I doubt he knows all of his users' passwords. SubInACL allows you to specify who you are giving ownership to, which I believe is what he wants to do.

As an aside...if you're using Quota Management, directory/file ownership management is a must. The quotas are determined by which directories/files the user is an owner of.

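An administrator-run script can create each per-user directory and hand it over with SubInACL, so users do not need write access to the parent folder. The batch file below is an added example, not code from the thread. It assumes local accounts whose names contain no spaces, that subinacl.exe is on the PATH, and that the tree from the earlier post lives on drive C:; the script name mkuserdir.cmd is hypothetical.

```batch
@echo off
rem Added example. Run from an administrator account: mkuserdir.cmd username
rem Assumes subinacl.exe is on the PATH and that the tree lives on drive C:.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 username
    exit /b 1
)
set "ACCOUNT=%~1"
set "ROOT=C:\Program Files\User Installed Software"
set "USERDIR=%ROOT%\%ACCOUNT%"

rem Refuse names that do not match an existing local account.
net user "%ACCOUNT%" >nul 2>&1
if errorlevel 1 (
    echo No such account: %ACCOUNT%
    exit /b 1
)

rem Refuse to adopt a directory somebody else created earlier.
if exist "%USERDIR%" (
    echo %USERDIR% already exists, not touching it
    exit /b 1
)
mkdir "%USERDIR%" || exit /b 1

rem Add a Full control entry for the user, keeping the inherited entries (/E).
cacls "%USERDIR%" /E /G %ACCOUNT%:F

rem Hand ownership to the user; that account's password is not needed.
subinacl /file "%USERDIR%" /setowner=%ACCOUNT%

rem Show the resulting ACL for review.
cacls "%USERDIR%"
```
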
Angelico_Payne, posted January 21, 2006

Thanks, that's what I was looking for too. Why did Microsoft discontinue the GUI-like interface found in Windows 2000??!!!

FrankE9999, posted January 21, 2006

Xcacls.vbs is an updated version of xcacls.exe which is written in VBScript. It adds new features and improved support for inheritable permissions.