Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


March 1998

XCACLS



A tool for adjusting file and directory permissions

You've installed a domain controller with 200 user accounts. Now you have to create home directories for the users. Because you're a well-read Windows NT administrator, you know that User Manager for Domains can do much of that work for you. Your only problem is that User Manager for Domains sets a directory's permissions to full control for its user, which means you won't have access to those directories.

How can you add your user account to each directory's access control list (ACL) without replacing the directory's current owner? You have two options. You can make the change in each directory, one at a time, or you can use Extended Change Access Control List (XCACLS).

XCACLS is an improved version of the NT command-line tool CACLS, which surprisingly few people know about. XCACLS lets you change the ACLs of files and directories on NTFS volumes (although it can't modify permissions on file shares). Here's the syntax for XCACLS:

xcacls <file/directoryname> /g <username>:<desired_file_ACLs>;[<desired_directory_ACLs>] [/e] [/t] [/y]

The first parameter in XCACLS specifies the names of the files and directories whose ACLs you want to change. When you give XCACLS a file or directory name, the tool reports current permissions. For example, if I want to see the permissions on directory F1, I type

xcacls f1

This query produces the following output:

E:\reskit\f1 MYNTWS\fred:(OI)(IO)F
MYNTWS\fred:(CI)F
ORION\MarkA:(OI)(IO)F
ORION\MarkA:(CI)F

Two users have permissions on directory F1: Fred, whose account resides on MYNTWS, and MarkA, who has an account on the domain ORION. Each user produces two lines of XCACLS output: one for file permissions and one for directory permissions. The F at the end of each line stands for full control. Both Fred and MarkA have full control in file and directory permissions. According to Microsoft, (OI), (IO), and (CI) refer to inheritance information. I can't say I understand what they do, but in my experience, file permissions lines always begin with (OI) (IO), and directory permissions lines always begin with (CI).

The /G option in XCACLS lets you specify which permissions you want to grant a user. The /G option has three parts. The first part contains the user's name, such as ORION\MarkA, followed by a colon. The second part specifies the file permissions you want to give the user, followed by a semicolon. The third part specifies the directory permissions you want to give the user. You must always set file permissions, but you can choose not to set directory permissions. The permissions values you can choose from are R (read and execute), C (write and delete), F (full control), P (change permissions), O (take ownership), X (execute), E (read only), W (write), and D (delete). To grant MarkA on domain ORION full control of directory F1, I enter

xcacls f1 /g orion\marka:f;f

However, this command wipes out all previous permissions on F1.

If you want to add to file or directory permissions information without eliminating existing permissions, you can use the /E (Edit) switch. If I add /E to the end of the previous command line, XCACLS will give MarkA full control on F1 but will not delete any existing permissions on F1's ACL. If I add the /T option to the end of the command line, XCACLS will ripple the permissions change all the way down the subdirectory tree.

Suppose MarkA is an administrator who wants to add full control for himself to all the home directories located in a directory called E:\Users, without disturbing user access to those directories. He can type

xcacls e:\users\*.* /g orion\marka:f;f /e

Now, suppose MarkA wants to kick all the users off their directories, because he is decommissioning a server. He could just leave the /E off his command, but then XCACLS would bug him with an Are you sure? prompt for every directory. Instead, he can use the /Y switch, which automatically answers all the prompts with Yes. His command line would look like

xcacls e:\users\*.* /g orion\marka:f;f /y
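The difference between the /E run and the replacing run can be checked afterward by parsing the report that XCACLS prints for each directory. The Python below is an added example, not part of the original article: it assumes the report format shown in the sample output above, trustee names without spaces, and constructed directory and user names (alice, bob).

```python
import re

# CACLS/XCACLS inheritance flags: OI = object inherit (files in the directory),
# CI = container inherit (subdirectories), IO = inherit only (not the directory itself).
ACE = re.compile(r"(\S+):((?:\((?:OI|CI|IO)\))*)([A-Z]+)\s*$")

def parse_xcacls(text):
    """Return {path: [(trustee, [flags], rights), ...]} from XCACLS report output."""
    acls, path = {}, None
    for line in text.splitlines():
        m = ACE.search(line)
        if not m:
            continue
        prefix = line[:m.start()].strip()
        if prefix:                       # first line of a report carries the path
            path = prefix
        if path is None:                 # entry with no path seen yet: skip it
            continue
        flags = re.findall(r"\((\w\w)\)", m.group(2))
        acls.setdefault(path, []).append((m.group(1), flags, m.group(3)))
    return acls

def audit(acls, admin):
    """Per directory: does admin hold F on both lines, and who else is still listed?"""
    report = {}
    for path, aces in acls.items():
        mine = [a for a in aces if a[0].lower() == admin.lower()]
        file_f = any("OI" in f and r == "F" for _, f, r in mine)   # file permissions line
        dir_f = any("CI" in f and r == "F" for _, f, r in mine)    # directory permissions line
        others = sorted({t for t, _, _ in aces if t.lower() != admin.lower()})
        report[path] = {"admin_full": file_f and dir_f, "others": others}
    return report

# Constructed sample: alice's directory after a run with /E, bob's after a run without it.
SAMPLE = r"""
E:\Users\alice ORION\alice:(OI)(IO)F
ORION\alice:(CI)F
ORION\MarkA:(OI)(IO)F
ORION\MarkA:(CI)F
E:\Users\bob ORION\MarkA:(OI)(IO)F
ORION\MarkA:(CI)F
"""

if __name__ == "__main__":
    for path, r in audit(parse_xcacls(SAMPLE), r"ORION\MarkA").items():
        state = "other entries kept" if r["others"] else "ACL replaced: only admin left"
        print(path, "| admin F:", r["admin_full"], "|", state)
```
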

Get to know XCACLS, and it'll come in handy any time you need to create automated backup scripts or perform home directory maintenance. XCACLS is an ACL power tool.




Reader Comments
What is the max directory path length that can be used with the Xcacls command? Is it 256?

Kim February 20, 2002


How would you delete a user from a directory as opposed to disabling their access with the /D option?

Lee Thomas November 21, 2003


It looks good but I have a question.
I am currently working with xcacls.
With xcacls I am trying to make a folder and give rights to users
and to turn off the file inheritance "stuff".
This is however no problem, but the problem is when I try to get more than one user.

I use the code xcacls nieuwproject /G SG_Hoofden:F

but I can't use two or more; if I do so then it only uses the last one.

So please help me, I am working with that problem now for over a month.

(PS: sorry for my English, it sucks, right?)



Krizzle February 26, 2004


Time to update these articles.
XCACLS is good for a lot of things but it has some downfalls. Sometime around Windows 2000 SP2, MS changed the way permissions are ordered. XCACLS does not write the permissions in the correct inherit order and thus breaks the application of permissions, but only when the /e option is used (add to, don't replace, permissions). As a result the best feature (the ability to add a single account to all ACLs on all subfolders and files) has been destroyed. Fear not!! There is a fix though. Use XCACLS.VBS, also available from MS Support, but it requires that you enable MS scripting support on your admin PC or server, and the download page is now missing. Fear not again. The file is still available but you have to call a Microsoft Support tech and provide a credit card number and they will waive the charges if they feel like it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;318754
http://support.microsoft.com/default.aspx?scid=kb;en-us;822790
http://support.microsoft.com/default.aspx?scid=kb;en-us;825751

Lane June 09, 2004


Instructions and download link for xcacls.vbs

http://support.microsoft.com/?id=825751

yerfdoga March 21, 2006

