how-to block ads
Access Control Lists (click for definition).
There are two ways of setting file permissions. You can do it the graphical way or the command-line way.
To do it graphically, you must have Simple File Sharing disabled from the View tab of Folder Options (Professional only) or be in Safe Mode (either). Right-click on the object of your choice and click Properties. Then go to the Security tab.
Here you are presented with a list of users and groups and a small list of permissions. More permissions are available when you click Advanced.
Some rules of thumb:
Note: additional information can be found in this MSKB article -
•How to take ownership of a file or folder in Windows XP
The command-line way:
Download Xcacls.exe from the Windows 2000 Resource Kit. It works on XP; trust me.
Here are the usage instructions, straight from the output of xcacls /?:
XCACLS filename [/T] [/E|/X] [/C] [/G user:perm;spec] [/R user [...]]
[/P user:perm;spec [...]] [/D user [...]] [/Y]
Displays or modifies access control lists (ACLs) of files.
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edits ACL instead of replacing it.
/X Same as /E except it only affects the ACEs that
the specified users already own.
/C Continues on access denied errors.
/G user:perm;spec Grants specified user access rights.
Perm can be:
C Change (write)
F Full control
P Change Permissions (Special access)
O Take Ownership (Special access)
X EXecute (Special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)
Spec can be the same as perm and will only be
applied to a directory. In this case, Perm
will be used for file inheritance in this
directory. By default, Spec=Perm.
Special values for Spec only:
T Valid for only for directories.
At least one access right has to
follow. Entries between ';' and T
will be ignored.
/R user Revokes specified user's access rights.
/P user:perm;spec Replaces specified user's access rights.
Access right specification as same as
/D user Denies specified user access.
/Y Replaces user's rights without verify.
Wildcards can be used to specify more than one file.
More than one user can be specified.
Access rights can be combined.
XCACLS TEMP.DOC /G ADMINISTRATOR:RC
XCACLS *.TXT /G ADMINISTRATOR:RC /Y
XCACLS *.* /R ADMINISTRATOR /Y
XCACLS TEST.DLL /D ADMINISTRATOR /Y
XCACLS TEST.DLL /P ADMINISTRATOR:F /Y
XCACLS *.* /G ADMINISTRATOR:F;TRW /Y
XCACLS *.* /G ADMINISTRATOR:F;TXE /C /Y
Basically, if you want to give user "Bob" full access to dummy.exe without being asked if you are sure, here is the command:
xcacls dummy.exe /G Bob:F /Y /C
If you want to deny Bob execute rights to dummy.exe, run
xcacls dummy.exe /D Bob:X /Y /C
Warning: XCACLS is a powerful and extremely dangerous tool. Use it at your own risk. This tool is not in any way supported by Microsoft.
For an example on how Xcacls is used, see this thread from the Microsoft Help forum.