View previous topic :: View next topic |
Author |
Message |
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Mon Nov 08, 2004 8:17 pm Post subject: Set Windows Permissions from Command Line |
|
|
Hi Guys. I really need to know how to set a folder to inherit the permissions from its parent folder, i know how to do this in the gui, but can anyone tell me how to do it via the command line?
Many thanks
Cheers
Craig
|
|
Back to top |
|
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Mon Nov 08, 2004 8:26 pm Post subject: |
|
|
xcacls from the resource kit will allow you to do it.
|
|
Back to top |
|
|
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Mon Nov 08, 2004 8:27 pm Post subject: |
|
|
Thanks for the reply mate. I have been looking at that, but cant work the syntax out.
All i want to do it make X folder inherit permissions from its parent.
I dont supppose you know what the syntax is?
Thanks in advance
|
|
Back to top |
|
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Mon Nov 08, 2004 8:36 pm Post subject: |
|
|
Hmmm... Looks like you would have to use the /t switch on the parent dir and allow it to worm it's way down. I don't see any other way offhand.
XcAcls uses the following syntax:
One Step
xcacls FileName [/t] [/e] [/x] [/c] [/g User:Permissions;Spec] [/r User] [/p User:Permissions;Spec] [...]] [/d User [...]] [/y] [/?|/h]
Parameters
FileName
Indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) is typically applied. All standard wildcard characters can be used.
/t
Recursively walks through the current directory and all of its subdirectories, applying the chosen access rights to the matching files or directories.
/e
Edits the ACL instead of replacing it.
/x
Edits the ACL instead of replacing it; affects only the ACEs that the specified users already own.
/c
Causes XcAcls to continue if an "access denied" error occurs. If /c is omitted, XcAcls stops on this error.
/g User:Permissions;Spec
Grants User access to the matching file or directory. Permissions apply the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
Value Description
R Read
C Change (write)
F Full Control
P Change Permissions (special access)
O Take Ownership (special access)
X Execute (special access)
E Read (Special access)
W Write (Special access)
D Delete (Special access)
T Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value)
Notes
* The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Shared resource permissions in Help and Support Services.
* All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
/r User
Revokes all access rights for the specified user.
/p User:Permissions;Spec
Replaces access rights for User. Permissions applies the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
Value Description
R Read
C Change (write)
F Full Control
P Change Permissions (special access)
O Take Ownership (special access)
X Execute (special access)
E Read (special access)
W Write (special access)
D Delete (special access)
T Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value.)
Notes
* The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Shared resource permissions in Help and Support Services.
* All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
/d User
Denies the specified user access to the file or directory.
/y
Disables the confirmation when replacing user access rights. By default, XcAcls asks for confirmation. Because of this feature, when XcAcls is used in a batch routine, the routine stops responding until the right answer is entered. Use the /y parameter when you use XcAcls in batch mode.
|
|
Back to top |
|
|
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Mon Nov 08, 2004 8:44 pm Post subject: |
|
|
Thanks for the reply
i am typing
C:\>xcacls c:\test\1 /t
c:\test\1 LONDON\cjw:(OI)(CI)F
But it does not seem to be applying the permisssions to directory 1 that are set in directory test
Any ideas?
|
|
Back to top |
|
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Mon Nov 08, 2004 8:55 pm Post subject: |
|
|
I don't have a copy of xcacls available so I can't test it, but I would think that you'd need to use the /g switch as well - apply the same permissions to c:\test that already exist, but use the /t switch to copy them down the line?
|
|
Back to top |
|
|
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Mon Nov 08, 2004 9:29 pm Post subject: |
|
|
I think i have got it to work now. How can i set groups in the ACL,
When i type
C:\>xcacls c:\test\1 /g london\test:f administrator:f system:f /c /y
it puts all the users in but not the group test
Any ideas?
Thanks in advance
|
|
Back to top |
|
|
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Mon Nov 08, 2004 9:29 pm Post subject: |
|
|
dont worry, it now works
Thanks
|
|
Back to top |
|
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Mon Nov 08, 2004 9:33 pm Post subject: |
|
|
what was the final solution?
|
|
Back to top |
|
|
Microsoft-Man Just Arrived
Joined: 05 May 2003 Posts: 1
|
Posted: Tue Nov 09, 2004 12:19 am Post subject: |
|
|
If anyone could still let me know how to inherit permissions via this tool that would be great.
Thanks in advance
|
|
Back to top |
|
|
Crazy Just Arrived
Joined: 11 Nov 2003 Posts: 6
|
|
Back to top |
|
|
burnhard Just Arrived
Joined: 17 Nov 2004 Posts: 0
|
Posted: Wed Nov 17, 2004 10:50 am Post subject: |
|
|
hi,
i read the microsoft article but it can`t help me to know how to set the inherit flag. I don`t know if your problem is the same es mine. What i want to do is to set the inherit flag, seen in the advanced security settings in the explorer. As I wrote I can't find a solution in the microsoft article.
If you can tell me how you done it, i would be very thankful.
thanks, Bernhard
|
|
Back to top |
|
|
dereko04011 Just Arrived
Joined: 13 Oct 2004 Posts: 0 Location: Brunswick, ME
|
Posted: Thu Nov 18, 2004 4:48 am Post subject: |
|
|
you could just do the 'cacls' command in command prompt, i think it works i never used it though. Thanks for posting this topic i was wondering on ways how to do permissions
|
|
Back to top |
|
|
burnhard Just Arrived
Joined: 17 Nov 2004 Posts: 0
|
Posted: Thu Nov 18, 2004 9:18 am Post subject: |
|
|
Hi,
my problem is not how to open cacls.exe. My problem is how to change the inherit settings with cacls or xcacls
|
|
Back to top |
|
|
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
|
Posted: Thu Nov 18, 2004 6:00 pm Post subject: |
|
|
are you trying to force them to inherit but retain some of the old ACL as well, rather than (as the GUI does) replacing completely with an inherited set?
I'm especially interested in this thread because we have a similar issue with our users' profiles and homes at the moment. Many are set up wrong and do not have the user with permissions to their own folder. This is OK as long as they are on server1 and inheriting from a parent folder with wide-open permissions ("Authenticated users in this case). We need to add the user permission to every folder (by hand or CACLS), then change the root and let the existing inheritance take this permission down the structure. Real PITA. This "works" as far as users are concerned but opens a back door to information which I find unacceptable. It also means that when we use FRS to replicate from server1 to server2 they take the implied permission set (ACL) with them rather than the "property" of inheritance so things start to go wrong.
As an exercise to see what it is doing, try copying a file or folder which inherits from its parent, to a folder with different permissions - the original set of permissions will be in force, not a set inherited from the new parent.
<NEWS FLASH> Brainwave! when you then change the new parent's permissions they are now inherited to the step-children that previously did not pick up. This doesn't necessarily help fix our problems but it explains the behaviour better - the "property" of inheritance does follow the file, but the ACL only updates if the parent changes, but then all explicit permissions are lost, just like if you force inheritance from above in the GUI. Damn,
So, the big question here is: are you trying to get an "inheritance only" model or do you need a combined "inheritance plus explicit" model??
|
|
Back to top |
|
|
|