All file system security options that are accessible in Windows Explorer can be set from the command line. The tool does this by displaying and modifying the access control list (ACL) of the file.
It is especially useful in unattended installations of Windows 2000 Professional or Windows 2000 Server. With this tool, you can set the initial access permissions for the folder where the operating system resides. When you distribute software to servers or workstations, it also provides single-step protection against users deleting folders or files.
The utility is included in the Windows 2000 Resource Kit. The corresponding script file can be downloaded from here:
Download the XCacls_Installer.exe package. Website: (/downloads/?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en)
Syntax
cacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]
Here, filename is the name of the file or folder to which the ACL or access control entry (ACE) is typically applied. All standard wildcards can be used.
/T Recursively walks the current folder and all its subfolders, applying the selected access permissions to matching files or folders.
/E Edits the ACL instead of replacing it. For example, if you run the CACLS /G Administrator:F command without /E, only the administrator has access to the file, and all ACEs that were previously applied are lost.
/C Makes execution continue when an "Access Denied" error occurs. If /C is not specified, execution stops when this error occurs.
/G user:perm;spec Grants the user access to matching files or folders.
The perm (permission) variable applies the specified access permission to files and, for folders, represents the special file-access permission mask. The perm variable accepts the following values:
R Read
C Change (write)
F Full control
P Change permissions (special access)
O Take ownership (special access)
X Execute (special access)
E Read (special access)
W Write (special access)
D Delete (special access)
The spec (special access) variable applies only to folders. In addition to the same values as perm, it accepts the following special value:
T Not specified. Sets the ACE for the directory itself without specifying an ACE that applies to new files created in that directory. At least one access permission must follow. Entries between the semicolon (;) and T are ignored.
Notes:
The access permission options for files (for folders, special files, and folder access) are exactly the same. For a detailed description of these options, see the documentation for the Windows 2000 operating system.
All other options (which can also be set in Windows Explorer) are subsets of all possible combinations of the basic access permissions. Therefore, there are no special options for folder access rights such as LIST or READ.
/R user Revokes all access rights for the specified user.
/P user:perm;spec Replaces the user's access permissions. The rules for specifying perm and spec are the same as for the /G option. See the Examples section of this article.
/D user Denies the user access to the file or directory.
/Y Suppresses the confirmation prompt when replacing user access rights. By default, CACLS asks for confirmation. Because of this, when CACLS is used in a batch routine, the routine stops responding and waits for the correct answer to be entered. The /Y option was introduced to eliminate this confirmation so that the tool can be used in batch mode.
View Permissions
You can also use cacls to view the permissions of files or folders. For example, type cacls C:\winnt at the command prompt and press Enter. Typical output looks like this:
c:\WINNT BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
These ACL flags have the following meanings:
IO: Inherit only - this flag means that this ACE is not applied to the current object.
CI: Container inherit - this flag indicates that subordinate containers will inherit this ACE.
OI: Object inherit - this flag indicates that subordinate files will inherit the ACE.
NP: No propagation - this flag indicates that the subordinate object does not propagate the inherited ACE any further.
The letters at the end of each line indicate permissions. For example:
F: Full control
C: Change
W: Write
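The listing above can be checked mechanically when reviewing many folders. The following Python sketch is an added example, not part of the original article or the Resource Kit: it parses the cacls output shown above into ACE records and reports which trustees outside an allow-list hold Full control, Change or Write, and whether the ACE applies to the folder itself or only to its children (the IO flag). The function names and the allow-list are assumptions made for illustration, and the parser assumes the object path contains no spaces.

```python
import re

# trustee ":" optional inheritance flags, then the permission part
ACE_RE = re.compile(r"^([^:]+):((?:\((?:OI|CI|IO|NP)\))*)(.*)$")

# Listing copied from the cacls C:\winnt output shown on this page.
SAMPLE = r"""c:\WINNT BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
"""

def parse_cacls(text):
    """Return (path, aces) parsed from a cacls listing."""
    path, aces = None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if path is None:
            # Assumption: the object path contains no spaces.
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m is None:
            # No "trustee:" prefix: a right listed under "(special access:)".
            if aces:
                aces[-1]["special"].append(line)
            continue
        trustee, flags, perm = m.groups()
        aces.append({"trustee": trustee,
                     "flags": re.findall(r"\((\w+)\)", flags),
                     "perm": "special" if perm.startswith("(special") else perm,
                     "special": []})
    return path, aces

def write_capable(aces, allowed):
    """List (trustee, perm, scope) for F/C/W ACEs of trustees not in allowed."""
    out = []
    for a in aces:
        if a["perm"] in ("F", "C", "W") and a["trustee"] not in allowed:
            # IO means the ACE is not applied to the current object.
            scope = "children only" if "IO" in a["flags"] else "this object"
            out.append((a["trustee"], a["perm"], scope))
    return out

if __name__ == "__main__":
    _, parsed = parse_cacls(SAMPLE)
    for row in write_capable(parsed, {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}):
        print(row)
```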