dslreports logo

    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


how-to block ads

File permissions are the system's way of telling you what you can and cannot do with a file or folder. They are governed by Access Control Lists (click for definition).

There are two ways of setting file permissions. You can do it the graphical way or the command-line way.

To do it graphically, you must have Simple File Sharing disabled from the View tab of Folder Options (Professional only) or be in Safe Mode (either). Right-click on the object of your choice and click Properties. Then go to the Security tab.
Here you are presented with a list of users and groups and a small list of permissions. More permissions are available when you click Advanced.

Some rules of thumb:
    •Stick to the main security screen unless you're absolutely sure of what you're doing•Deny takes precedence over allow, so do not deny groups anything unless you are absolutely sure of what you are doing. If you deny something to the Users group, you deny that permission to everyone who is authenticated. Use even more diligence with denying everyone anything. •If no ruling is made on a permission to allow or deny, the system defaults to denying access.•Check yourself by using the Effective Permissions tab in the Advanced dialog.

Note: additional information can be found in this MSKB article -
How to take ownership of a file or folder in Windows XP

The command-line way:
Download Xcacls.exe from the Windows 2000 Resource Kit. It works on XP; trust me.
Here are the usage instructions, straight from the output of xcacls /?:

XCACLS filename [/T] [/E|/X] [/C] [/G user:perm;spec] [/R user [...]]
[/P user:perm;spec [...]] [/D user [...]] [/Y]

Displays or modifies access control lists (ACLs) of files.

Parameter List:
filename Displays ACLs.

/T Changes ACLs of specified files in
the current directory and all subdirectories.

/E Edits ACL instead of replacing it.

/X Same as /E except it only affects the ACEs that
the specified users already own.

/C Continues on access denied errors.

/G user:perm;spec Grants specified user access rights.

Perm can be:
R Read
C Change (write)
F Full control
P Change Permissions (Special access)
O Take Ownership (Special access)
X EXecute (Special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)

Spec can be the same as perm and will only be
applied to a directory. In this case, Perm
will be used for file inheritance in this
directory. By default, Spec=Perm.
Special values for Spec only:
T Valid for only for directories.
At least one access right has to
follow. Entries between ';' and T
will be ignored.

/R user Revokes specified user's access rights.

/P user:perm;spec Replaces specified user's access rights.
Access right specification as same as
/G option.

/D user Denies specified user access.

/Y Replaces user's rights without verify.

Wildcards can be used to specify more than one file.
More than one user can be specified.
Access rights can be combined.


Basically, if you want to give user "Bob" full access to dummy.exe without being asked if you are sure, here is the command:
xcacls dummy.exe /G Bob:F /Y /C

If you want to deny Bob execute rights to dummy.exe, run
xcacls dummy.exe /D Bob:X /Y /C

Warning: XCACLS is a powerful and extremely dangerous tool. Use it at your own risk. This tool is not in any way supported by Microsoft.

For an example on how Xcacls is used, see this thread from the Microsoft Help forum.

Expand got feedback?

by raw See Profile edited by MSeng See Profile
last modified: 2006-08-11 17:00:10