MSFN Forum: [Question] - File/Folder Permissions - MSFN Forum


[Question] - File/Folder Permissions

#1 Maelstorm

  • AT Field Pattern Blue
  • Group: Members
  • Posts: 265
  • Joined: 22-July 04

  Posted 05 January 2006 - 01:15 AM

How do I set file/folder permissions from the command line in Windows XP Pro?


Title Edited - Please follow new posting rules from now on.
--Zxian



#2 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 05 January 2006 - 01:41 AM

CACLS.EXE

This is a tool that comes with both Windows 2000 and Windows XP (as well as Server 2003). There is an extended version called XCACLS that you can grab from the MS site.


C:\>CACLS /?
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.


#3 Maelstorm

  • AT Field Pattern Blue
  • Group: Members
  • Posts: 265
  • Joined: 22-July 04

Posted 07 January 2006 - 11:45 AM

That was exactly what I was looking for. :w00t: Thanks.

#4 Synapse

  • *Previously Bi0haZarD*
  • Group: Members
  • Posts: 980
  • Joined: 29-July 04

Posted 07 January 2006 - 11:53 AM

If you have XP Pro I'd suggest using the GUI; it's way too easy to mistype something or forget to add yourself with permissions... then end up locking yourself out.

Just my suggestion.

#5 Sonic

  • Sonic
  • Group: Patrons
  • Posts: 1,600
  • Joined: 04-December 03

Posted 07 January 2006 - 06:12 PM

You can use takeown too (if I remember, from the Windows 2k kit); it will allow you to "retake" the owner attribute to admin ... and you can re-configure rights without problems ... I use xcacls & takeown and never have a problem, and it's great for sharing data!
Goodbye.

#6 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 07 January 2006 - 08:52 PM

I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).

#7 Maelstorm

  • AT Field Pattern Blue
  • Group: Members
  • Posts: 265
  • Joined: 22-July 04

Posted 09 January 2006 - 07:54 PM

nmX.Memnoch, on Jan 7 2006, 06:52 PM, said:

I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).


Because Webshots is more than a screen saver. It's an image manager that works with their website and can set the background image on the desktop. I use it on my home machines. It's pretty nice for free software.

This post has been edited by Maelstorm: 09 January 2006 - 07:55 PM


#8 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 09 January 2006 - 08:04 PM

It's still not authorized software on our workstations.

#9 Maelstorm

  • AT Field Pattern Blue
  • Group: Members
  • Posts: 265
  • Joined: 22-July 04

Posted 09 January 2006 - 08:37 PM

I have another issue dealing with filesystem permissions and ACLs. The problem is that I have a directory to which every user has write access. The file hierarchy is as follows:

\Program Files
	User Installed Software
		Software Archive
			Adabas
			StarOffice
			Winamp
		User ID #1
			Adabas
			StarOffice
			Winamp
			Some other user installed program
		User ID #2
			Adabas
			StarOffice
			Winamp
			Some other user installed program
		User ID #3
			Adabas
			StarOffice
			Winamp
			Some other user installed program


This is for programs that must be installed on a per-user basis. That's why this directory exists. Now the problem is all users must have write access to the User Installed Software directory in order for the initial logon script to create their directory and take ownership of it. They also have read only access to the Software Archive directory. I'm sure that you can see the security implications of this arrangement.

I've been thinking of a solution to this problem, but I'm not coming up with anything. The main problem seems to be that the User Account management interface in the Control Panel does not offer any "hooks" so that after it creates an account, it then calls a specified script to perform user-specific functions before their initial logon. That would be ideal, because then the initial logon script could then just ask the user if they want to install the software.

I have thought about using a command-line script to create the user id, create their software directory, set them as the owner, and give them full control of it. But the problem here is that I cannot set the owner to anyone except myself as the administrator. This means that the initial login script will have to take ownership of the directory when it runs.

My questions are as follows:

1) After I create the user program directory, how do I set the ownership to that user?

2) Is there a way to tell the user accounts applet in the control panel to execute a script when a user is created? This should preferably work with the old Win2K user management interface.

3) Is there a better way of doing this? Am I barking up the wrong tree here?

#10 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 10 January 2006 - 12:20 AM

If you need finer control of permissions and ownership check out SubInACL. It's another utility from MS that gives you more options. It has a steep learning curve compared to CACLS/XCACLS though.

As for the other issue with write access in a subfolder where they only have read to the parent...this is very much possible. Just make sure that either "Everyone" or "Authenticated Users" (preferably) is in the "Bypass traverse checking" security option of gpedit.msc.

#11 Maelstorm

  • AT Field Pattern Blue
  • Group: Members
  • Posts: 265
  • Joined: 22-July 04

Posted 12 January 2006 - 12:22 PM

I'll check that tool out. Turns out that I have the SOURCE CODE for the takeown tool. It was in the Platform SDK that I have loaded on my machine for my software development stuff. I went through the source code, and it doesn't really do what I want it to do. All it does is set the owner to the Administrator and allow everyone full control over the filesystem object.

#12 Sonic

  • Sonic
  • Group: Patrons
  • Posts: 1,600
  • Joined: 04-December 03

Posted 12 January 2006 - 01:26 PM

Use a combination of xcacls and takeown ...
Personally, I use takeown first to take all hard drives present ... and after that I use xcacls ...

#13 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 12 January 2006 - 04:03 PM

TAKEOWN only gives ownership to the Administrators group or the current user. You can specify a user, but you have to know that user's password. This is perfect for your own account, but I believe he wants to give ownership of certain directories to the user the directory belongs to and I doubt he knows all of his users' passwords. :)

SubInACL allows you to specify who you are giving ownership to, which I believe is what he wants to do.

As an aside...if you're using Quota Management, directory/file ownership management is a must. The quotas are determined by which directories/files the user is an owner of.

#14 Angelico_Payne

  • Member
  • Group: Members
  • Posts: 212
  • Joined: 15-January 06

  Posted 21 January 2006 - 10:59 AM

Thanks, that's what I was looking for too. :hello:

Why did Microsoft discontinue the GUI-like interface found in Windows 2000??!!!

#15 FrankE9999

  • Member
  • Group: Members
  • Posts: 115
  • Joined: 16-March 04

Posted 21 January 2006 - 11:38 AM

Xcacls.vbs is an updated version of xcacls.exe which is written in vb script. It adds new features and improved support for inheritable permissions.

#16 prp8683

  • Newbie
  • Group: Members
  • Posts: 10
  • Joined: 06-February 06

Posted 07 February 2006 - 11:56 PM

nmX.Memnoch, on Jan 9 2006, 10:20 PM, said:

As for the other issue with write access in a subfolder where they only have read to the parent...this is very much possible. Just make sure that either "Everyone" or "Authenticated Users" (preferably) is in the "Bypass traverse checking" security option of gpedit.msc.

No need for this; traverse checking merely verifies that the user has Traverse Folder (execute) permissions for the parents; it doesn't check read/write or other permissions. Also, it's on by default for Everyone, and removing that entry breaks things. (the default permissions aren't set up to be compatible with this, and from what I've read, the traverse checking algorithms are broken in recent releases. At the very least, SYSTEM requires this right or bad things happen.)

All that is required is to configure READ access on the parent, then add write access to the child. (Note that if an explicit DENY ACL for write access is attached to the parent folder, ACL inheritance must be disabled for the child, or the DENY will be inherited and override the ALLOW.)
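
Added example, not part of any post in this thread: a batch script an administrator could run to do the provisioning asked about in post #9, using the CACLS switches quoted in post #2 and SubInACL's owner assignment mentioned in post #13, so that users only need read access to the parent folder as post #16 describes. The script name mkuserdir.cmd is hypothetical, and the script assumes a local account name without spaces and subinacl.exe on the PATH.

```bat
@echo off
rem Added example, not from the thread: an administrator provisions one
rem user's software folder so users never need write access to the parent.
rem Usage: mkuserdir.cmd username   (mkuserdir.cmd is a hypothetical name)
rem Assumes a local account name without spaces and subinacl.exe on the PATH.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 username
    exit /b 1
)
set "USERID=%~1"
rem Folder layout from post #9.
set "ROOT=%ProgramFiles%\User Installed Software"
set "TARGET=%ROOT%\%USERID%"

rem Never re-permission a folder that already exists: a mistyped name
rem must not hand someone else's directory to the wrong account.
if exist "%TARGET%" (
    echo "%TARGET%" already exists, nothing changed.
    exit /b 2
)
mkdir "%TARGET%"
if not exist "%TARGET%" exit /b 3

rem /E edits the ACL instead of replacing it, so the entries already on
rem the folder stay in place and the administrator keeps access.
cacls "%TARGET%" /E /G %USERID%:F

rem CACLS has no switch for ownership; SubInACL assigns it to a named account.
subinacl /file "%TARGET%" /setowner=%USERID%

rem Confirm the grant really landed before reporting success.
cacls "%TARGET%" | find /i "\%USERID%:" >nul
if errorlevel 1 (
    echo Grant for %USERID% not found on "%TARGET%", check the ACL by hand.
    exit /b 4
)
rem List the folder's ACL and the owner column for a final review.
cacls "%TARGET%"
dir /q /ad "%ROOT%"
endlocal
```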
