The Xcacls.vbs tool modifies and displays NTFS file system permissions on folders and files.
Xcacls.vbs can now set all the file system security options that are available in Windows Explorer.
NOTE: Xcacls.vbs works with Windows 2000, Windows XP, and Windows Server 2003.
Download XcaclsInstaller.exe file.
Double-click the XcaclsInstaller.exe and extract Xcacls.vbs to a folder in your path.
The Xcacls.vbs script should be run with Cscript.exe. To change the default script engine, type
cscript.exe /h:cscript at a CMD.EXE prompt and press Enter.
When I typed xcacls.vbs /?, I received:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Starting XCACLS.VBS (Version: 5.2) Script at 07/05/2004 12:18:55
Startup directory:
"C:\"
Arguments Used:
Filename is required and was not passed as an argument.
------------------------------------------------------------------
---------------------------- Usage -------------------------------
------------------------------------------------------------------
Displays or modifies access control lists (ACLs) of files & directories
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
[/F] [/S] [/T]
[/P user:perm;spec [...]] [/D user:perm;spec] [...]
[/O user] [/I ENABLE/COPY/REMOVE] [/N
[/L filename] [/Q] [/DEBUG]
filename [Required] If used alone, it Displays ACLs.
(Filename can be a filename, directory name or
wildcard characters and can include the entire
path. If path is missing, its assumed to be
under the current directory.
Notes:
- Put filename in quotes if it has spaces or
special characters such as &, $, #, etc.
- If Filename is a directory, all files and
sub directories under it will NOT be changed
unless the /F or /S is present.
/F [Used with Directory or Wildcard] This will change all
files under the inputed directory but will NOT
traverse sub directories unless /T is also present.
If filename is a directory, and /F is not used, no
files will be touched.
/S [Used with Directory or Wildcard] This will change all
sub folders under the inputed directory but will NOT
traverse sub directories unless /T is also present.
If filename is a directory, and /S is not used, no
sub directories will be touched.
/T [Used only with a Directory] Traverses each
subdirectory and makes the same changes.
This switch will traverse directories only if the
filename is a directory or is using wildcards.
/E Edit ACL instead of replacing it.
/G user:GUI Grant security permissions similar to Windows GUI
standard (non-advanced) choices.
/G user:Perm;Spec Grant specified user access rights.
(/G adds to existing rights for user)
User: If User has spaces in it, surround it in Quotes
If User contains #machine#, it will replace
#machine# with the actual machine name if its a
non-domain controller, and replace it with the
actual domain name if it is a domain controller.
New to 3.0: User can be a string representing
the actual SID, but MUST be lead by SID#
Example: SID#S-1-5-21-2127521184-160...
(SID string shown has been shortened)
(If any user has SID# then globaly all
matches must match the SID (not name)
so if your intention is to apply changes
to all accounts that match Domain\User
then do not specify SID# as one of the
users)
GUI: Is for standard rights and can be:
Permissions...
F Full control
M Modify
X read & eXecute
L List folder contents
R Read
W Write
Note: If a ; is present, this will be considered
a Perm;Spec parameter pair
Perm: Is for "Files Only" and can be:
Permissions...
F Full control
M Modify
X read & eXecute
R Read
W Write
Advanced...
E Synchronize
D Take Ownership
C Change Permissions
B Read Permissions
A Delete
9 Write Attributes
8 Read Attributes
7 Delete Subfolders and Files
6 Traverse Folder / Execute File
5 Write Extended Attributes
4 Read Extended Attributes
3 Create Folders / Append Data
2 Create Files / Write Data
1 List Folder / Read Data
Spec is for "Folder and Subfolders only" and has the
same choices as Perm.
/R user Revoke specified user's access rights.
(Will remove any Allowed or Denied ACL's for user)
/P user:GUI Replace security permissions similiar to standard choices
/P user:perm;spec Replace specified user's access rights.
For access right specification see /G option
(/P acts like /G if there are no rights set for user)
/D user:GUI Deny security permissions similiar to standard choices.
/D user:perm;spec Deny specified user access rights.
For access right specification see /G option
(/D adds to existing rights for user)
/O user Change the Ownership to this user or group.
/I switch Inheritance flag, if omitted default is to not touch
Inherited ACL's. Switch can be:
ENABLE - This will turn on the Inheritance Flag if
its not on already.
COPY - This will turn off the Inheritance flag and
copy the Inherited ACL's
into Effecive ACL's
REMOVE - This will turn off the Inheritance flag and
will not copy the Inherited
ACL's, this is the opposite of ENABLE
If switch is not present, /I will be ignored and
Inherited ACL's will remain untouched.
/SPEC switch Special Permission for Folder and Subfolders only
If this switch is used, and the object is a folder, then
one of the switches below would be used instead of the
default.
A - This Folder Only
B - This Folder, Subfolders and Files (Default)
C - This Folder and Subfolders
D - This Folder and Files
E - Subfolders and Files Only
F - Subfolders Only
G - Files Only
/L filename Filename for Logging. This can include a path name
if the file isn't under the current directory.
File will be appended to, or created if it doesn't
exit. Must be Text file if it exists or error will occur.
If filename is obmitted the default name of XCACLS will
be used.
/Q Turn on Quiet mode, its off by default.
If its turned on, there will be no display to the screen.
/DEBUG Turn on Debug mode, its off by default.
If its turned on, there will be more information
displayed and/or logged. Information will show
Sub/Function Enterand Exit as well as other important
information.
/TIMEWMI Turn on to Time WMI use, only shows up in Debug Mode.
/SERVER servername Enter a remote server to run script against.
/USER username Enter Username to impersonate for Remote Connections
(Requires PASS switch)
- Will be ignored if its for a Local Connection.
/PASS password Enter Password to go with USER switch
(Requires USER switch)
Wildcards can be used to specify more than one file in a command.
Such as:
* Any string of zero or more characters
? Any single character
You can specify more than one user in a command.
You can combine access rights.
Operation Complete
Elapsed Time: 0.234375 seconds.
Ending Script at 07/05/2004 12:18:56When I typed
xcacls.vbs c:\temp to view permissions,
I received:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Starting XCACLS.VBS (Version: 5.2) Script at 07/05/2004 12:27:18
Startup directory:
"C:\"
Arguments Used:
Filename = "c:\temp"
**************************************************************************
Directory: C:\TEMP
Permissions:
Type Username Permissions Inheritance
Allowed BUILTIN\Administrators Full Control This Folder, Subfolde
Allowed NT AUTHORITY\SYSTEM Full Control This Folder, Subfolde
Allowed BUILTIN\Administrators Full Control This Folder Only
Allowed \CREATOR OWNER Special (Unknown) Subfolders and Files
Allowed BUILTIN\Users Read and Execute This Folder, Subfolde
Allowed BUILTIN\Users Advanced (Create Fold This Folder and Subfo
Allowed BUILTIN\Users Advanced (Create File This Folder and Subfo
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
Operation Complete
Elapsed Time: 0.625 seconds.
Ending Script at 07/05/2004 12:27:19
NOTE: When I view the same permissions in Windows Explorer, the output is the same, including the incomplete words.
NOTE: Xcacls.vbs supports wildcards.
Sample Usage:
xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
Edits existing permissions, granting Domain\TestUser1 full control on all files in
C:\test and it's sub-folders. It doesn't
alter sub-folder permissions.
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
Replace permissions, granting Domain\TestUser1 full control on all subfolders in C:\Test. The command logs to C:\Xcacls.log.
It doesn't traverse sub-folders, and doesn't alter file permissions.
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
Changes ownership of c:\test\readme.txt to "machinea\group1.
xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
Revokes "machinea\group1" and "domain\testuser1" permissions to c:\test\badcode.exe.
xcacls.vbs c:\test\subdir1 /i enable /q
Turns on inheritance on C:\Test\Subdir1, and produces no output.
xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
Uses WMI to add 1 (Read Data) and 4 (Read Extended Attributes) permissions for Domain\Group2 to the existing
set of Domain\Group2 permissions to testpage.htm on remote computer servera, dropping other user and group permissions (no /e).