你目前正处于脱机状态,正在等待 Internet 重新连接

如何使用 Xcacls.vbs 修改 NTFS 权限

针对 Windows XP 的支持已终止

Microsoft 已于 2014 年 4 月 8 日终止了针对 Windows XP 的支持。该更改已影响到您的软件更新和安全选项。 了解这一措施对于您的含义以及如何继续保持受保护状态。

针对 Windows Server 2003 的支持已于 2015 年 7 月 14 日终止。

Microsoft 已于 2015 年 7 月 14 日终止了对于 Windows Server 2003 的支持。该更改已影响到您的软件更新和安全选项。 了解这一措施对于您的含义以及如何继续保持受保护状态。

概要
Microsoft 以 Microsoft Visual Basic 脚本 (Xcacls.vbs) 的形式提供了 Extended Change Access Control List(扩展更改访问控制列表)工具 (Xcacls.exe) 的更新版本。本文分步介绍如何使用 Xcacls.vbs 脚本修改和查看文件或文件夹的 NTFS 文件系统权限。 可以从命令行使用 Xcacls.vbs 设置所有可在 Microsoft Windows 资源管理器中访问的文件系统安全选项。Xcacls.vbs 可显示和修改文件的访问控制列表 (ACL)。

注意:Xcacls.vbs 只与 Microsoft Windows 2000、Microsoft Windows XP 和 Microsoft Windows Server 2003 兼容。Microsoft 不支持 Xcacls.vbs。

返回页首

要设置和使用 Xcacls.vbs,请按照下列步骤操作:
  1. 从以下 Microsoft 网站获得 Xcacls.vbs 的最新版本:
  2. 双击“Xcacls_Installer.exe”。当提示您提供放置提取文件的位置时,请指定一个位于计算机的搜索路径设置中的文件夹(如 C:\Windows)。
  3. 将默认脚本引擎从 Wscript 更改为 Cscript。(Xcacls.vbs 脚本最适合在 Cscript 下运行。)为此,请在命令提示符下键入以下内容,然后按 Enter:
    cscript.exe /h:cscript
    注意:将默认脚本引擎更改为 Cscript 只影响脚本向屏幕写入的方式。Wscript 根据“确定”对话框分别写入每一行。Cscript 将每一行写入命令窗口。如果您不想更改默认脚本引擎,则必须使用以下命令运行脚本
    cscript.exe xcacls.vbs
    但是,如果将默认脚本更改为 Cscript,则可以使用以下命令运行该脚本:
    xcacls.vbs
    .
  4. 要查看 Xcacls.vbs 的命令语法,请在命令提示符处键入下面的命令:
    xcacls.vbs /?
返回页首

下面 xcacls.vbs /? 命令的输出描述了 Xcacls.vbs 命令的语法:
Usage:XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]                [/F] [/S] [/T]                [/P user:perm;spec [...]] [/D user:perm;spec] [...]                [/O user] [/I ENABLE/COPY/REMOVE] [/N                [/L filename] [/Q] [/DEBUG]   filename            [Required] If used alone, it displays ACLs.                       (Filename can be a filename, directory name or                       wildcard characters and can include the whole                       path. If path is missing, it is assumed to be                       under the current directory.)                       Notes:                       - Put filename in quotes if it has spaces or                       special characters such as &, $, #, etc.                       - If filename is a directory, all files and                       subdirectories under it will NOT be changed                       unless the /F or S is present.   /F                  [Used with Directory or Wildcard] This will change all                       files under the inputted directory but will NOT                       traverse subdirectories unless /T is also present.                       If filename is a directory, and /F is not used, no                       files will be touched.   /S                  [Used with Directory or Wildcard] This will change all                       subfolders under the inputted directory but will NOT                       traverse subdirectories unless /T is also present.                       If filename is a directory, and /S is not used, no                       subdirectories will be touched.   /T                  [Used only with a Directory] Traverses each                       subdirectory and makes the same changes.                       This switch will traverse directories only if the                       filename is a directory or is using wildcard characters.   /E                  Edit ACL instead of replacing it.   /G user:GUI         Grant security permissions similar to Windows GUI                       standard (non-advanced) choices.   /G user:Perm;Spec   Grant specified user access rights.                       (/G adds to existing rights for user)                       User: If User has spaces in it, enclose it in quotes.                             If User contains #machine#, it will replace                             #machine# with the actual machine name if it is a                             non-domain controller, and replace it with the                             actual domain name if it is a domain controller.                             New to 3.0: User can be a string representing                             the actual SID, but MUST be lead by SID#                             Example: SID#S-1-5-21-2127521184-160...                                      (SID string shown has been shortened)                                      (If any user has SID# then globally all                                       matches must match the SID (not name)                                       so if your intention is to apply changes                                       to all accounts that match Domain\User                                       then do not specify SID# as one of the                                       users.)                       GUI: Is for standard rights and can be:                             Permissions...                                    F  Full control                                    M  Modify                                    X  read and eXecute                                    L  List folder contents                                    R  Read                                    W  Write                             Note: If a ; is present, this will be considered                             a Perm;Spec parameter pair.                       Perm: Is for "Files Only" and can be:                             Permissions...                                    F  Full control                                    M  Modify                                    X  read and eXecute                                    R  Read                                    W  Write                             Advanced...                                    D  Take Ownership                                    C  Change Permissions                                    B  Read Permissions                                    A  Delete                                    9  Write Attributes                                    8  Read Attributes                                    7  Delete Subfolders and Files                                    6  Traverse Folder / Execute File                                    5  Write Extended Attributes                                    4  Read Extended Attributes                                    3  Create Folders / Append Data                                    2  Create Files / Write Data                                    1  List Folder / Read Data                       Spec is for "Folder and Subfolders only" and has the                       same choices as Perm.   /R user             Revoke specified user's access rights.                       (Will remove any Allowed or Denied ACL's for user.)   /P user:GUI         Replace security permissions similar to standard choices.   /P user:perm;spec   Replace specified user's access rights.                       For access right specification see /G option.                       (/P behaves like /G if there are no rights set for user.)   /D user:GUI         Deny security permissions similar to standard choices.   /D user:perm;spec   Deny specified user access rights.                       For access right specification see /G option.                       (/D adds to existing rights for user.)   /O user             Change the Ownership to this user or group.   /I switch           Inheritance flag.  If omitted, the default is to not touch                       Inherited ACL's. Switch can be:                          ENABLE - This will turn on the Inheritance flag if                                   it is not on already.                          COPY   - This will turn off the Inheritance flag and                                   copy the Inherited ACL's                                   into Effective ACL's.                          REMOVE - This will turn off the Inheritance flag and                                   will not copy the Inherited                                   ACL's.  This is the opposite of ENABLE.                          If switch is not present, /I will be ignored and                          Inherited ACL's will remain untouched.   /L filename         Filename for Logging. This can include a path name                       if the file is not under the current directory.                       File will be appended to, or created if it does not                       exit. Must be Text file if it exists or error will occur.                       If filename is omitted, the default name of XCACLS will                       be used.   /Q                  Turn on Quiet mode.  By default, it is off.                       If it is turned on, there will be no display to the screen.   /DEBUG              Turn on Debug mode. By default, it is off.                       If it is turned on, there will be more information                       displayed and/or logged. Information will show                       Sub/Function Enter and Exit as well as other important                       information.   /SERVER servername  Enter a remote server to run script against.   /USER username      Enter Username to impersonate for Remote Connections                            (requires PASS switch).  Will be ignored if it is for a Local Connection.   /PASS password      Enter Password to go with USER switch                            (requires USER switch).Wildcard characters can be used to specify more than one file in a command, such as:                                *       Any string of zero or more characters                                ?       Any single characterYou can specify more than one user in a command.You can combine access rights.


返回页首


Xcacls.vbs 还可用于查看文件或文件夹的权限。例如,如果您有一个名为 C:\Test 的文件夹,在命令提示符处键入以下命令以查看文件夹权限,然后按 Enter:
xcacls.vbs c:\test
下面的示例是一个典型结果:
C:\>XCACLS.VBS c:\testMicrosoft (R) Windows Script Host 5.6版权所有 (C) Microsoft Corporation 1996-2001。保留所有权利。Starting XCACLS.VBS (Version: 3.4) Script at 6/11/2003 10:55:21 AMStartup directory:"C:\test"Arguments Used:Filename = "c:\test"**************************************************************************Directory:C:\testPermissions:Type     Username                Permissions           InheritanceAllowed  BUILTIN\Administrators  Full Control          This Folder, SubfoldeAllowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, SubfoldeAllowed  Domain1\User1           Full Control          This Folder OnlyAllowed  \CREATOR OWNER          Special (Unknown)     Subfolders and FilesAllowed  BUILTIN\Users           Read and Execute      This Folder, SubfoldeAllowed  BUILTIN\Users           Create Folders / Appe This Folder and SubfoAllowed  BUILTIN\Users           Create Files / Write  This Folder and SubfoNo Auditing setOwner:Domain1\User1


注意:在该示例中,xcacls.vbs c:\test 命令的输出与显示在图形用户界面 (GUI) 的文本一致。命令窗口的一些文字不完整。

输出还给出了脚本的版本、启动目录和使用的参数。

您还可以使用通配符来显示目录下匹配的文件。例如,如果键入以下命令,将会显示 C:\Test 文件夹中所有具有“.log”扩展名的文件:
xcacls.vbs c:\test\*.log
返回页首


下列 Xcacls.vbs 命令提供 Xcacls.vbs 用法的一些示例:

xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
该命令可编辑现有权限。它授予 Domain\TestUser1 完全控制 C:\Test 下所有文件的权限,遍历 C:\Test 下的子文件夹,然后更改找到的所有文件。该命令不触及目录。
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
该命令可替换现有权限。它授予 Domain\TestUser1 完全控制 C:\Test 下所有子文件夹的权限,而且记录到 C:\Xcacls.log。该命令不触及文件,并且不遍历目录。
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
该命令将自述文件的所有者更改为组 MachineA\Group1。
xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
该命令撤消 MachineA\Group1 和 Domain\TestUser1 的 C:\Test\Badcode.exe 权限。
xcacls.vbs c:\test\subdir1 /i enable /q
该命令将打开文件夹 C:\Test\Subdir1 上的继承。该命令将取消任何屏幕输出。
xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
此命令通过使用 Windows Management Instrumentation (WMI) 远程连接到 \\ServerA\ShareZ。然后获取用于该共享的本地路径,在该路径下,它更改 Testpage.htm 上的权限。它原封保留 Domain\Group2 的现有权限,但是添加权限 1(读取数据)和权限 4(读取扩展属性)。该命令放弃此文件上的其他权限,原因是未使用 /e 开关。
xcacls.vbs d:\default.htm /g "domain\group2":f /server servera /user servera\admin /pass password /e
该命令使用 WMI 作为 ServerA\Admin 远程连接到 ServerA,然后将 Default.htm 上的完全权限授予 Domain\Group2。Domain\Group2 的现有权限丢失,但保留文件上的其他权限。
返回页首
参考
有关如何使用 Xcacls.exe 其他信息,请单击下面的文章编号,以查看 Microsoft 知识库中相应的文章:
318754如何使用 Xcacls.exe 修改 NTFS 权限
属性

文章 ID:825751 - 上次审阅时间:11/07/2005 07:04:00 - 修订版本: 2.3

  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP Professional Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • kbhowtomaster KB825751
反馈