文章編號: 318754 - 檢視此文章適用的產品。
This step-by-step article describes how to use the Extended Change Access Control List tool (Xcacls.exe) to modify and view NTFS permissions for files or folders.
You can use Xcacls.exe to set all file-system security options that are accessible in Windows Explorer from the command line. Xcacls.exe does this by displaying and modifying the access control lists (ACLs) of files.
Xcacls.exe is especially useful in unattended installations of Windows 2000 Professional or Windows 2000 Server. By using this tool, you can set the initial access rights for folders in which the operating system resides. When you distribute software to servers or workstations, Xcacls.exe also offers one-step protection against deletion of folders or files by users.
The Xcacls.exe utility is included in the Windows 2000 Resource Kit. The following file is available for download from the Microsoft Download Center:
Download the XCacls_Installer.exe package now.
xcacls file name [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]where file name indicates the name of the file or folder to which the ACL or access control entry (ACE) is typically applied. All standard wildcard characters can be used.
/T recursively walks through the current folder and all of its subfolders, applying the chosen access rights to the matching files or folders.
/E edits the ACL instead of replacing it. For example, only the administrator will have access to the Test.dat file if you run the XCACLS test.dat /G Administrator:F command. All ACEs applied earlier are lost.
/C causes Xcacls.exe to continue if an "access denied" error message occurs. If /C is not specified, Xcacls.exe stops on this error.
/G user:perm;spec grants a user access to the matching file or folder.
/P user:perm;spec replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See the "Xcacls.exe examples" section of this article.
/D user denies user access to the file or directory.
/Y disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that Xcacls.exe can be used in batch mode.
xcacls C:\winnt at the command prompt, and then press ENTER. The following is a typical result:
The ACL flags have the following meanings:
c:\WINNT BUILTIN\Users:R BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ GENERIC_EXECUTE BUILTIN\Power Users:C BUILTIN\Power Users:(OI)(CI)(IO)C BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Administrators:F CREATOR OWNER:(OI)(CI)(IO)F
Example 1Type XCACLS *.* /G administrator:RW /Y at the command prompt, and then press ENTER to replace the ACL of all files and folders in the current folder without scanning subfolders and without confirmation.
Example 2The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.
Example 3The following example grants read and write permissions on a folder without creating an inherit entry for new files. Therefore, in this example, new files that are created in this folder receive no ACE for TestUser. For existing files, an ACE with read permissions is created. Type XCACLS *.* /G TestUser:R;RW /E at the command prompt, and then press ENTER.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/245015/ )How to: Print folder and file permissions from one folder
(http://support.microsoft.com/kb/135268/ )How to use CACLS.EXE in a batch file
文章編號: 318754 - 上次校閱: 2006年6月6日 - 版次: 4.0