Q834721 - Permissions on Folder are incorrectly ordered
Q943043 - Icacls.exe does not support inheritance
Q245031 - Change Registry Permissions (RegIni)
Q220167 - Understanding Container Access Inheritance Flags
ACL utils: SetACL or FileACL (free)
Equivalent bash command (Linux): chmod / chown - Change file permissions/owner and group
Source SteelWerx (sw)
Bobby Flekmann: Otherwise you can use a program I've written which is an adaptation of the XCACLS.vbs. http://www.xs4all.nl/~fstaal01/swxcacls-us.html
I've even made this particular problem easier with implementing a /RESET switch.
There is a lot of malicious software using the same name, swxcacls.exe (dangerous!)
Disable the script host in Windows!
- Windows created a few user groups when it was installed. These groups are an easy way to fine-tune access rights. You can make it so that Administrators have full access and everyone else can only read the file. There are many predefined groups, but for us these are the most interesting: Administrators, Users, Power Users and Everyone. Every user is a member of at least one group, namely Everyone. So, to take our previous example, if you are not a member of the Administrators group, you can only read the file.
- Every file is created at some point on the computer, so every file has a creator. The creator is the one with ultimate access to the file: (s)he decides who has access, and at what level. This person is known as the Owner of the object.
- Permissions are actions you can perform on an object, like reading a file, stopping a service or deleting a Registry key. There are two types: permissions specific to the object, like stopping a service or writing a file, and generic rights. Generic rights are widely used because they use simple names, like Read or Execute, to refer to specific sets of permissions on the object. Whether you delete a file, a Registry key or a service, it is still deleting, right? Another thing to understand is that the same generic right maps to different specific rights on different object types: you cannot stop a Registry key, or enumerate subkeys on a service.
- Almost every file is in a subfolder, so it stands to reason that every file in a folder has the same permissions as the folder, which is in turn in another folder, so it has the same permissions as that folder, which... you get the point. How is this done? Beginning with Windows 2000 a new inheritance scheme was devised that automatically propagates all the rights from parents (the folder you are in) to the children (the files and folders in this folder). Before Windows 2000, every permission had to be copied down to every file and every folder under it. So if you changed one thing you ran the risk it would not reach the bottom of the chain, leaving the permissions inconsistent.
- Even if you are denied certain permissions, some user groups can still do things to an object. Think of Backup Operators: even if nobody but you has access to your files, they can still make a backup of them. These extra rights are called privileges, and are mostly a nice addition to your possible actions. There will be more on privileges later.
- The last thing to get to know is the Security IDentifier, also known as the SID. A SID identifies you uniquely on a system. To Windows you are not a name, you are just a number, and this number is the reason you can have multiple users on a system with the same name. This is not smart, but it is possible! It is also the reason people get locked out of files when they delete an account and create a new one with the same name: the new account gets a different SID. Another thing to remember is that the predefined groups mentioned earlier also have predefined SIDs. This way a user can be a member of the Users group on an English system and of Gebruikers on a Dutch one!
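The points above (owner, SIDs, orphaned SIDs after an account is recreated, and inherited versus explicit entries) can be seen directly on a real file or folder. The PowerShell below is an added example, not code from this page or from SWXCACLS: it reads the DACL with Get-Acl and reports each entry by SID, the account the SID resolves to (or a marker when no account exists for it any more), whether the entry was inherited from the parent, and its inheritance flags. The path in the usage line is a placeholder.

```powershell
# Added example (not part of the SWXCACLS page). Reports owner and ACEs of a file
# system object by SID, resolved name, and inheritance details. File system only:
# Get-Acl on the registry provider returns RegistryAccessRule objects instead.

function Resolve-SidName {
    # Translate a SID to DOMAIN\name. Well-known SIDs resolve to the localized group
    # name (S-1-5-32-545 is BUILTIN\Users in English, Gebruikers on Dutch Windows).
    # A SID whose account was deleted cannot be mapped and is reported as orphaned.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        '<orphaned SID>'
    }
}

function Get-AceReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Reading the DACL needs READ_CONTROL on the object (owners always have it).
    $acl = Get-Acl -LiteralPath $Path

    # Owner first, as a SID rather than a name, then resolved.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    [PSCustomObject]@{
        Kind             = 'Owner'
        Sid              = $ownerSid.Value
        Account          = Resolve-SidName $ownerSid
        Rights           = $null
        Type             = $null
        Inherited        = $null
        InheritanceFlags = $null
        PropagationFlags = $null
    }

    # All ACEs: explicit ($true) and inherited ($true), identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        [PSCustomObject]@{
            Kind             = 'ACE'
            Sid              = $ace.IdentityReference.Value
            Account          = Resolve-SidName $ace.IdentityReference
            Rights           = $ace.FileSystemRights
            Type             = $ace.AccessControlType
            Inherited        = $ace.IsInherited
            InheritanceFlags = $ace.InheritanceFlags
            PropagationFlags = $ace.PropagationFlags
        }
    }
}

# Usage (placeholder path):
#   Get-AceReport -Path 'C:\Temp' | Format-Table -AutoSize
# Well-known SID, independent of the display language:
#   Resolve-SidName (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545')
```

An entry whose Account column shows `<orphaned SID>` is exactly the lock-out case described above: the ACE still names the old account's SID, and the recreated account with the same name has a different one, so it does not match.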
- * - Any string of zero or more characters
- ? - Any single character
- User - If User contains spaces, surround it in quotes. User can be a string representing the actual SID, but MUST be led by SID# (SID string shown has been shortened). If any user has SID#, then globally all matches must match the SID (not the name), so if your intention is to apply changes to all accounts that match User, do not specify SID# as one of the users.
- GUI - Is for standard rights and can be:
- Spec - Is for specific rights and can be:
- Inh - Inheritance override. For possible choices see the /SPEC switch. This is new in comparison to the script: the original script only let you state one inheritance scheme that was applied to everyone. This way you can give someone a different inheritance scheme from the rest.
- A - Administrators
- U - (Limited) Users
- G - Guests
- O - Owner
- P - (Power) Users
- S - Local System
- E - Everyone
- M - Current User
- ENABLE - This will turn on the Inheritance flag if it is not on already. The net result is that inherited ACLs become active on the file/folder.
- COPY - This will turn off the Inheritance flag and copy the inherited ACLs into effective (explicit) ACLs.
- REMOVE - This will turn off the Inheritance flag and will not copy the inherited ACLs; this is the opposite of ENABLE.
- A - This Folder Only
- B - This Folder, Subfolders and Files (Default)
- C - This Folder and Subfolders
- D - This Folder and Files
- E - Subfolders and Files Only
- F - Subfolders Only
- G - Files Only
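The ENABLE/COPY/REMOVE inheritance modes and the A-G "applies to" letters above correspond one-to-one to the .NET access-control API that Get-Acl/Set-Acl expose. The PowerShell below is an added example, not SWXCACLS's own code: it maps the three modes onto `SetAccessRuleProtection` and the seven letters onto `InheritanceFlags`/`PropagationFlags`, then adds one access rule. The path and account in the usage line are placeholders; `Set-FolderAce`, `Get-AppliesToFlags` and `$appliesToMap` are names chosen here.

```powershell
# Added example (not part of the SWXCACLS page). Same inheritance semantics as the
# switches described above, expressed with Get-Acl / Set-Acl.

# A-G letters -> InheritanceFlags / PropagationFlags (the standard "Applies to" choices).
$appliesToMap = @{
    A = @{ Inherit = 'None';                            Propagate = 'None' }        # This folder only
    B = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }        # This folder, subfolders and files
    C = @{ Inherit = 'ContainerInherit';                Propagate = 'None' }        # This folder and subfolders
    D = @{ Inherit = 'ObjectInherit';                   Propagate = 'None' }        # This folder and files
    E = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' } # Subfolders and files only
    F = @{ Inherit = 'ContainerInherit';                Propagate = 'InheritOnly' } # Subfolders only
    G = @{ Inherit = 'ObjectInherit';                   Propagate = 'InheritOnly' } # Files only
}

function Get-AppliesToFlags {
    # Returns the typed flag pair for a letter, so callers can inspect the mapping.
    param([Parameter(Mandatory)][ValidateSet('A','B','C','D','E','F','G')][string]$Letter)
    $m = $appliesToMap[$Letter]
    [PSCustomObject]@{
        InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]$m.Inherit
        PropagationFlags = [System.Security.AccessControl.PropagationFlags]$m.Propagate
    }
}

function Set-FolderAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,   # e.g. 'BUILTIN\Users' or 'DOMAIN\user'
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('Allow','Deny')][string]$Type = 'Allow',
        [ValidateSet('A','B','C','D','E','F','G')][string]$AppliesTo = 'B',   # B is the default above
        [ValidateSet('ENABLE','COPY','REMOVE','KEEP')][string]$Mode = 'KEEP'  # KEEP = leave the flag as is
    )

    $flags = Get-AppliesToFlags -Letter $AppliesTo
    $ruleArgs = @(
        $Account,
        $Rights,
        $flags.InheritanceFlags,
        $flags.PropagationFlags,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

    $acl = Get-Acl -LiteralPath $Path

    # SetAccessRuleProtection(isProtected, preserveInheritance):
    switch ($Mode) {
        'ENABLE' { $acl.SetAccessRuleProtection($false, $false) }  # inherit from the parent again
        'COPY'   { $acl.SetAccessRuleProtection($true,  $true)  }  # block inheritance, keep inherited ACEs as explicit copies
        'REMOVE' { $acl.SetAccessRuleProtection($true,  $false) }  # block inheritance and drop the inherited ACEs
    }

    # AddAccessRule keeps the DACL in canonical order (explicit Deny, explicit Allow,
    # then inherited entries), which avoids the misordered-ACL condition.
    $acl.AddAccessRule($rule)

    # Writing the DACL needs WRITE_DAC on the object (owners always have it).
    if ($PSCmdlet.ShouldProcess($Path, "add $Type $Rights for $Account (applies to $AppliesTo, inheritance $Mode)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage (placeholder path and account); -WhatIf shows the change without applying it:
#   Get-AppliesToFlags -Letter E
#   Set-FolderAce -Path 'C:\Temp\share' -Account 'BUILTIN\Users' -Rights ReadAndExecute -AppliesTo E -Mode COPY -WhatIf
```

Run `Get-AceReport`-style inspection (Get-Acl with `GetAccessRules`) before and after a `COPY` to see the formerly inherited entries reappear with `IsInherited` false: that is the "copy the inherited ACLs into effective ACLs" behaviour the COPY mode describes.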
SWReg - freeware implementation of Microsoft's reg.exe
SWSC - freeware implementation of Microsoft's sc.exe
SWWhoAmI - Windows version of the network command
SWCACLS.exe (download the program). - a binary implementation of XCACLS.vbs