Modify file access control permission

xiaoxiao, 2021-03-06


With the popularity of Windows XP / Server 2003, more and more users are choosing the NTFS file system. NTFS greatly enhances system security: under the "Security" tab we can set access control permissions for different levels of users, including full control, modify, read and execute, list folder contents, read, write, and special permissions. You only need to tick "Allow" or "Deny"; clicking the "Advanced" button lets you set more special permissions, which will not be covered here.

In fact, besides setting access control permissions on files or folders in the graphical user interface, we can also do this from the command line, which is particularly practical when for some reason you cannot enter the graphical user interface. It is somewhat more troublesome to use, but it works in an emergency.

First, use the cacls.exe command

This command is available in the Windows 2000 / XP / Server 2003 operating systems. Its syntax is as follows:

cacls filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

filename: Displays the access control list (hereinafter referred to as ACL) of the specified file

/T: Changes the ACLs of the specified files in the current directory and all subdirectories

/E: Edits the ACL instead of replacing it

/C: Continues when an access-denied error occurs

/G user:perm: Grants the specified user access rights. perm represents access rights of different levels; its value can be R (read), W (write), C (change, write), F (full control), etc.

/R user: Revokes the specified user's access rights. Note that this parameter is only valid when used together with "/E".

/P user:perm: Replaces the specified user's access rights. perm has the same meaning as above, but adds the "N (none)" option.

/D user: Denies the specified user access.

Example 1: View access control permissions for folders

For example, to view the access control permissions of the H:\Temp folder, type the following command in the "Start → Run" dialog or at the command prompt:

cacls H:\Temp

We will then see the access control entries of all user groups and users for the H:\Temp folder. CI indicates that the ACE is inherited by directories, OI indicates that the ACE is inherited by files, and IO indicates that the ACE does not apply to the current file or directory. The letter at the end of each row represents the permission: F represents full control, C represents change, and W represents write.

If you want to see the access control permissions of all files in this folder (including files in the subfolders) (see Figure 1), you can type the "cacls H:\Temp." command.
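When many folders have to be reviewed, the flags and permission letters described above can be decoded by a script instead of by eye. The following Python sketch is an added example, not part of the original article: it parses a saved cacls listing and reports entries that give a broad group change or full control. The sample listing is constructed, and the row layout (path on the first row, one "principal:(flags)perm" entry per row), the BROAD list, the host name PC01 and the function names are assumptions.

```python
import re

# Flag and permission meanings as given in the article.
FLAGS = {"OI": "inherited by files",
         "CI": "inherited by directories",
         "IO": "not applied to the current file or directory"}
PERMS = {"F": "full control", "C": "change", "W": "write", "R": "read", "N": "none"}
# Assumption: principals this audit treats as "broad"; adjust to your environment.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<perm>[FCWRN])$")

# Constructed sample of `cacls H:\Temp` output (not captured from a real host).
SAMPLE = r"""H:\Temp BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        PC01\WZJ9999:(OI)(CI)F
        BUILTIN\Users:(OI)(CI)R
        Everyone:(OI)(CI)(IO)C
"""

def parse_cacls(path, text):
    """Return (aces, unparsed) for the listing cacls printed for `path`."""
    aces, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first row carries the path
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"who": m["who"], "perm": m["perm"],
                         "flags": re.findall(r"\((\w+)\)", m["flags"])})
        else:
            unparsed.append(line)  # keep for manual review, never drop silently
    return aces, unparsed

def describe(ace):
    """Render one ACE in words, using the article's flag meanings."""
    scope = "; ".join(FLAGS[f] for f in ace["flags"]) or "this object only"
    return f'{ace["who"]}: {PERMS[ace["perm"]]} ({scope})'

def risky_aces(aces):
    """ACEs that give a broad principal change or full control."""
    return [a for a in aces if a["who"].lower() in BROAD and a["perm"] in "FC"]

if __name__ == "__main__":
    aces, unparsed = parse_cacls(r"H:\Temp", SAMPLE)
    for ace in risky_aces(aces):
        print("REVIEW:", describe(ace))
```

Rows the pattern does not recognise are returned in the second list so that they can be checked by hand.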

Example 2: Modifying access control permissions for folders

If you want to grant the local user WZJ9999 full control of the H:\Temp folder and all files in its subfolders, just type the following command:

cacls H:\Temp /T /E /C /G WZJ9999:F

Here "/T" means that the ACLs of the folder and of all files in its subfolders are modified, "/E" means that the ACL is edited rather than replaced, "/C" means that processing continues when an access-denied error occurs, and "/G WZJ9999:F" means that the local user WZJ9999 is granted full control. "F" here stands for full control; if you only want to grant read access, use "R" instead.

Example 3: Revoke a user's access control permissions

If you want to revoke the WZJ9999 user's access control permissions on the H:\Temp folder and its subfolders, you can type the following command:

cacls H:\Temp /T /E /C /R WZJ9999

If you only want to deny the user access, you can type the following command:

cacls H:\Temp /T /E /C /D WZJ9999

Second, use the enhanced tool xcacls.exe

In the Windows 2000 Resource Kit, Microsoft also provides a file permission modification tool called xcacls.exe, which is more powerful than cacls.exe: from the command line it can set the file system security options that are accessible in Windows Explorer. We can download it from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp and then use it.

The syntax and parameters of the xcacls.exe command are basically the same as those of cacls.exe, and it likewise works by displaying and modifying access control lists (ACLs). The differences are that, besides keeping the original perm values after the "/G" parameter, it adds a spec (special access) option, and it adds a "/Y" parameter, which suppresses the confirmation prompt when replacing user access rights. By default, cacls.exe asks for confirmation, so when cacls.exe is called from a batch file the program stops responding and waits for the correct answer. The "/Y" parameter cancels this confirmation, so the xcacls.exe command can be used in batch files.

Example 1: Viewing permissions for files or folders

Before running the command, add "C:\Program Files\Resource Kit" to the path under "System Properties → Advanced → Environment Variables", or use the cd command to make it the current directory; otherwise you will be told that the file cannot be found. Then, in the "Start → Run" dialog or at the command prompt, type the following command:

xcacls H:\Temp

We will then see the window shown in Figure 2, which lists the access control permissions of all user groups and users for the H:\Temp folder. IO indicates that the ACE does not apply to the current object, CI indicates that subordinate containers will inherit the ACE, OI indicates that subordinate files will inherit the ACE, and NP indicates that subordinate objects do not continue to propagate the inherited ACE. The letter at the end of each row represents the permission level: F represents full control, C represents change, and W represents write.

Example 2: Replace the ACL in a folder without confirmation

xcacls H:\Temp /G Administrator:RW /Y

The above command replaces the ACLs of all files and folders in the H:\Temp folder without scanning the subfolders, and the user is not asked to confirm.

Example 3: Grant a user control permissions on a folder

xcacls H:\Temp /G WZJ9999:RWED;RW /E

The above command grants the user WZJ9999 read, write, execute, and delete permissions in the H:\Temp folder. Note, however, that it grants the user only read and write permissions on the folder itself, and that it does not cover files in subfolders.

For ordinary users, the usefulness of cacls.exe and xcacls.exe may not be so obvious, but they are especially useful in unattended installations of Windows 2000 / XP / Server 2003, where the administrator can set the initial access rights for the folder in which the operating system is located. When distributing software to servers or workstations, xcacls.exe can also provide single-step protection to prevent users from deleting folders or files by mistake.
