Shulou(Shulou.com)06/03 Report--

This article mainly shows you "how to use vbs to set advanced NTFS permissions", the content is easy to understand, clear, hope to help you solve your doubts, the following let the editor lead you to study and learn "how to use vbs to set advanced NTFS permissions" this article.

Microsoft provides an updated version of the Extended Change Access Control List (extended change access Control list) tool (Xcacls.exe) as a Microsoft Visual Basic script (Xcacls.vbs). This article describes step by step how to use Xcacls.vbs scripts to modify and view the NTFS file system permissions of a file or folder. You can use Xcacls.vbs from the command line to set all file system security options that are accessible in Microsoft Windows Explorer. Xcacls.vbs displays and modifies access control lists (ACL) for files.

Note: Xcacls.vbs is only compatible with Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft does not support Xcacls.vbs.

Go back to the top

Set up and use Xcacls.vbs

To set up and use Xcacls.vbs, follow these steps:

Obtain the latest version of Xcacls.vbs from the following Microsoft website:

Http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/XCacls_Installer.exe (http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/xcacls_installer.exe)

Double click "Xcacls_Installer.exe". When prompted for a location to place the extracted files, specify a folder located in your computer's search path settings (such as C:\ Windows).

Change the default script engine from Wscript to Cscript. (Xcacls.vbs scripts are best suited for running under Cscript. ) to do this, type the following at the command prompt, and then press Enter:

Cscript.exe / h:cscript

Note: changing the default script engine to Cscript only affects how the script is written to the screen. Wscript writes each line separately according to the OK dialog box. Cscript writes each line to the command window. If you do not want to change the default script engine, you must run the script using the following command

Cscript.exe xcacls.vbs

However, if you change the default script to Cscript, you can run the script using the following command:

Xcacls.vbs

.

To view the command syntax for Xcacls.vbs, type the following command at the command prompt:

Xcacls.vbs /?

Syntax of the Xcacls.vbs command

The following xcacls.vbs /? The output of the command describes the syntax of the Xcacls.vbs command:

The code is as follows:

Usage:

XCACLS filename [/ E] [/ G user:perm;spec] [...] [/ R user [...]]

[/ F] [/ S] [/ T]

[/ P user:perm;spec [...]] [/ D user:perm;spec] [...]

[/ O user] [/ I ENABLE/COPY/REMOVE] [/ N

[/ L filename] [/ Q] [/ DEBUG]

Filename [Required] If used alone, it displays ACLs.

(Filename can be a filename, directory name or

Wildcard characters and can include the whole

Path. If path is missing, it is assumed to be

Under the current directory.)

Notes:

-Put filename in quotes if it has spaces or

Special characters such as &, $#, etc.

-If filename is a directory, all files and

Subdirectories under it will NOT be changed

Unless the / F or S is present.

/ F [Used with Directory or Wildcard] This will change all

Files under the inputted directory but will NOT

Traverse subdirectories unless / T is also present.

If filename is a directory, and / F is not used, no

Files will be touched.

/ S [Used with Directory or Wildcard] This will change all

Subfolders under the inputted directory but will NOT

Traverse subdirectories unless / T is also present.

If filename is a directory, and / S is not used, no

Subdirectories will be touched.

/ T [Used only with a Directory] Traverses each

Subdirectory and makes the same changes.

This switch will traverse directories only if the

Filename is a directory or is using wildcard characters.

/ E Edit ACL instead of replacing it.

/ G user:GUI Grant security permissions similar to Windows GUI

Standard (non-advanced) choices.

/ G user:Perm;Spec Grant specified user access rights.

(/ G adds to existing rights for user)

User: If User has spaces in it, enclose it in quotes.

If User contains # machine#, it will replace

# machine# with the actual machine name if it is a

Non-domain controller, and replace it with the

Actual domain name if it is a domain controller.

New to 3.0: User can be a string representing

The actual SID, but MUST be lead by SID#

Example: SID#S-1-5-21-2127521184-160.

(SID string shown has been shortened)

(If any user has SID# then globally all

Matches must match the SID (not name)

So if your intention is to apply changes

To all accounts that match Domain\ User

Then do not specify SID# as one of the

Users.)

GUI: Is for standard rights and can be:

Permissions...

F Full control

M Modify

X read and eXecute

L List folder contents

R Read

W Write

Note: If a; is present, this will be considered

A Perm;Spec parameter pair.

Perm: Is for "Files Only" and can be:

Permissions...

F Full control

M Modify

X read and eXecute

R Read

W Write

Advanced...

D Take Ownership

C Change Permissions

B Read Permissions

A Delete

9 Write Attributes

8 Read Attributes

7 Delete Subfolders and Files

6 Traverse Folder / Execute File

5 Write Extended Attributes

4 Read Extended Attributes

3 Create Folders / Append Data

2 Create Files / Write Data

1 List Folder / Read Data

Spec is for "Folder and Subfolders only" and has the

Same choices as Perm.

/ R user Revoke specified user's access rights.

(Will remove any Allowed or Denied ACL's for user.)

/ P user:GUI Replace security permissions similar to standard choices.

/ P user:perm;spec Replace specified user's access rights.

For access right specification see / G option.

/ P behaves like / G if there are no rights set for user.

/ D user:GUI Deny security permissions similar to standard choices.

/ D user:perm;spec Deny specified user access rights.

For access right specification see / G option.

/ D adds to existing rights for user.

/ O user Change the Ownership to this user or group.

/ I switch Inheritance flag. If omitted, the default is to not touch

Inherited ACL's. Switch can be:

ENABLE-This will turn on the Inheritance flag if

It is not on already.

COPY-This will turn off the Inheritance flag and

Copy the Inherited ACL's

Into Effective ACL's.

REMOVE-This will turn off the Inheritance flag and

Will not copy the Inherited

ACL's. This is the opposite of ENABLE.

If switch is not present, / I will be ignored and

Inherited ACL's will remain untouched.

/ L filename Filename for Logging. This can include a path name

If the file is not under the current directory.

File will be appended to, or created if it does not

Exit. Must be Text file if it exists or error will occur.

If filename is omitted, the default name of XCACLS will

Be used.

/ Q Turn on Quiet mode. By default, it is off.

If it is turned on, there will be no display to the screen.

/ DEBUG Turn on Debug mode. By default, it is off.

If it is turned on, there will be more information

Displayed and/or logged. Information will show

Sub/Function Enter and Exit as well as other important

Information.

/ SERVER servername Enter a remote server to run script against.

/ USER username Enter Username to impersonate for Remote Connections

(requires PASS switch). Will be ignored if it is for a Local Connection.

/ PASS password Enter Password to go with USER switch

(requires USER switch).

Wildcard characters can be used to specify more than one file in a command, such as:

* Any string of zero or more characters

? Any single character

You can specify more than one user in a command.

You can combine access rights.

Use Xcacls.vbs to view permissions

Xcacls.vbs can also be used to view permissions for files or folders. For example, if you have a folder named C:\ Test, type the following command at the command prompt to view folder permissions, and then press Enter:

Xcacls.vbs c:\ test

The following example is a typical result:

The code is as follows:

C:\ > XCACLS.VBS c:\ test

Microsoft (R) Windows Script Host 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 3. 4) Script at 6 Charger 10:55:21 AM

Startup directory:

"C:\ test"

Arguments Used:

Filename = "c:\ test"

*

Directory:C:\ test

Permissions:

Type Username Permissions Inheritance

Allowed BUILTIN\ Administrators Full Control This Folder, Subfolde

Allowed NT AUTHORITY\ SYSTEM Full Control This Folder, Subfolde

Allowed Domain1\ User1 Full Control This Folder Only

Allowed\ CREATOR OWNER Special (Unknown) Subfolders and Files

Allowed BUILTIN\ Users Read and Execute This Folder, Subfolde

Allowed BUILTIN\ Users Create Folders / Appe This Folder and Subfo

Allowed BUILTIN\ Users Create Files / Write This Folder and Subfo

No Auditing set

Owner:Domain1\ User1

Note: in this example, the output of the xcacls.vbs c:\ test command is consistent with the text displayed in the graphical user interface (GUI). Some of the text in the command window is incomplete.

The output also shows the version of the script, the startup directory, and the parameters used.

You can also use wildcards to display matching files in the directory. For example, if you type the following command, all files with the ".log" extension in the C:\ Test folder are displayed:

Xcacls.vbs c:\ test\ * .log

Example

The following Xcacls.vbs command provides some examples of Xcacls.vbs usage:

Xcacls.vbs c:\ test\ / g domain\ testuser1:f / f / t / e

This command edits existing permissions. It grants Domain\ TestUser1 full control of all files under C:\ Test, traverses subfolders under C:\ Test, and then changes all files found. This command does not touch the directory.

Xcacls.vbs c:\ test\ / g domain\ testuser1:f / s / l "c:\ xcacls.log"

This command replaces existing permissions. It grants Domain\ TestUser1 full control of all subfolders under C:\ Test and logs to C:\ Xcacls.log. This command does not touch the file and does not traverse the directory.

Xcacls.vbs c:\ test\ readme.txt / o "machinea\ group1"

This command changes the owner of the README file to the group MachineA\ Group1.

Xcacls.vbs c:\ test\ badcode.exe / r "machinea\ group1" / r "domain\ testuser1"

This command revokes C:\ Test\ Badcode.exe permissions for MachineA\ Group1 and Domain\ TestUser1.

Xcacls.vbs c:\ test\ subdir1 / I enable / Q

This command opens inheritance on the folder C:\ Test\ Subdir1. This command cancels any screen output.

Xcacls.vbs\\ servera\ sharez\ testpage.htm / p "domain\ group2": 14

This command connects remotely to\\ ServerA\ ShareZ by using Windows Management Instrumentation (WMI). Then get the local path used for the share, under which it changes permissions on the Testpage.htm. It leaves the existing permissions of Domain\ Group2 intact, but adds permissions 1 (read data) and 4 (read extended properties). This command relinquishes other permissions on this file because the / e switch is not used.

Xcacls.vbs d:\ default.htm / g "domain\ group2": F / server servera / user servera\ admin / pass password / e

This command uses WMI as ServerA\ Admin to remotely connect to ServerA, and then grants full permissions on Default.htm to Domain\ Group2. The existing permissions for Domain\ Group2 are lost, but other permissions on the file are retained.

The above is all the contents of the article "how to use vbs to set Advanced NTFS permissions". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.