Windows 如何使用xcacls.vbs设置权限
我们正在使用xcacls.vbs修改NTFS权限(support.microsoft.com/kb/825751) 语法:Windows 如何使用xcacls.vbs设置权限,windows,vbscript,Windows,Vbscript,我们正在使用xcacls.vbs修改NTFS权限(support.microsoft.com/kb/825751) 语法: xcacls.vbs C:\TestFolder /G DOMAIN\USER: RW /E RW-读写 F-完全访问 如何仅授予读取、写入、修改、读取和执行权限 它就在xcacls.vbs附带的文档中,我会将它粘贴到这里,但您需要以下内容 xcacls.vbs C:\TestFolder /G DOMAIN\USER: RWMX /E 这里是语法 Syn
xcacls.vbs C:\TestFolder /G DOMAIN\USER: RW /E
RW-读写
F-完全访问
如何仅授予读取、写入、修改、读取和执行权限 它就在xcacls.vbs附带的文档中,我会将它粘贴到这里,但您需要以下内容
xcacls.vbs C:\TestFolder /G DOMAIN\USER: RWMX /E
这里是语法
Syntax for the Xcacls.vbs Command
The following output of the xcacls.vbs /? command describes the Xcacls.vbs command syntax:
Usage:
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
[/F] [/S] [/T]
[/P user:perm;spec [...]] [/D user:perm;spec] [...]
[/O user] [/I ENABLE/COPY/REMOVE] [/N
[/L filename] [/Q] [/DEBUG]
filename [Required] If used alone, it displays ACLs.
(Filename can be a filename, directory name or
wildcard characters and can include the whole
path. If path is missing, it is assumed to be
under the current directory.)
Notes:
- Put filename in quotes if it has spaces or
special characters such as &, $, #, etc.
- If filename is a directory, all files and
subdirectories under it will NOT be changed
unless the /A is present.
/F [Used with Directory or Wildcard] This will change all
files under the inputted directory but will NOT
traverse subdirectories unless /T is also present.
If filename is a directory, and /F is not used, no
files will be touched.
/S [Used with Directory or Wildcard] This will change all
subfolders under the inputted directory but will NOT
traverse subdirectories unless /T is also present.
If filename is a directory, and /S is not used, no
subdirectories will be touched.
/T [Used only with a Directory] Traverses each
subdirectory and makes the same changes.
This switch will traverse directories only if the
filename is a directory or is using wildcard characters.
/E Edit ACL instead of replacing it.
/G user:GUI Grant security permissions similar to Windows GUI
standard (non-advanced) choices.
/G user:Perm;Spec Grant specified user access rights.
(/G adds to existing rights for user)
User: If User has spaces in it, enclose it in quotes.
If User contains #machine#, it will replace
#machine# with the actual machine name if it is a
non-domain controller, and replace it with the
actual domain name if it is a domain controller.
New to 3.0: User can be a string representing
the actual SID, but MUST be lead by SID#
Example: SID#S-1-5-21-2127521184-160...
(SID string shown has been shortened)
(If any user has SID# then globally all
matches must match the SID (not name)
so if your intention is to apply changes
to all accounts that match Domain\User
then do not specify SID# as one of the
users.)
GUI: Is for standard rights and can be:
Permissions...
F Full control
M Modify
X read and eXecute
L List folder contents
R Read
W Write
Note: If a ; is present, this will be considered
a Perm;Spec parameter pair.
Perm: Is for "Files Only" and can be:
Permissions...
F Full control
M Modify
X read and eXecute
R Read
W Write
Advanced...
D Take Ownership
C Change Permissions
B Read Permissions
A Delete
9 Write Attributes
8 Read Attributes
7 Delete Subfolders and Files
6 Traverse Folder / Execute File
5 Write Extended Attributes
4 Read Extended Attributes
3 Create Folders / Append Data
2 Create Files / Write Data
1 List Folder / Read Data
Spec is for "Folder and Subfolders only" and has the
same choices as Perm.
/R user Revoke specified user's access rights.
(Will remove any Allowed or Denied ACL's for user.)
/P user:GUI Replace security permissions similar to standard choices.
/P user:perm;spec Replace specified user's access rights.
For access right specification see /G option.
(/P behaves like /G if there are no rights set for user.)
/D user:GUI Deny security permissions similar to standard choices.
/D user:perm;spec Deny specified user access rights.
For access right specification see /G option.
(/D adds to existing rights for user.)
/O user Change the Ownership to this user or group.
/I switch Inheritance flag. If omitted, the default is to not touch
Inherited ACL's. Switch can be:
ENABLE - This will turn on the Inheritance flag if
it is not on already.
COPY - This will turn off the Inheritance flag and
copy the Inherited ACL's
into Effective ACL's.
REMOVE - This will turn off the Inheritance flag and
will not copy the Inherited
ACL's. This is the opposite of ENABLE.
If switch is not present, /I will be ignored and
Inherited ACL's will remain untouched.
/L filename Filename for Logging. This can include a path name
if the file is not under the current directory.
File will be appended to, or created if it does not
exit. Must be Text file if it exists or error will occur.
If filename is omitted, the default name of XCACLS will
be used.
/Q Turn on Quiet mode. By default, it is off.
If it is turned on, there will be no display to the screen.
/DEBUG Turn on Debug mode. By default, it is off.
If it is turned on, there will be more information
displayed and/or logged. Information will show
Sub/Function Enter and Exit as well as other important
information.
/SERVER servername Enter a remote server to run script against.
/USER username Enter Username to impersonate for Remote Connections
(requires PASS switch). Will be ignored if it is for a Local Connection.
/PASS password Enter Password to go with USER switch
(requires USER switch).
Wildcard characters can be used to specify more than one file in a command, such as:
* Any string of zero or more characters
? Any single character
You can specify more than one user in a command.
You can combine access rights.
back to the top
Use Xcacls.vbs to View Permissions
You can also use Xcacls.vbs to view permissions for files or folders. For example, if you have a folder that is named C:\Test, type the following at a command prompt to view the folder permissions, and then press ENTER:
xcacls.vbs c:\testThe following example is a typical result:
C:\>XCACLS.VBS c:\test
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Starting XCACLS.VBS (Version: 3.4) Script at 6/11/2003 10:55:21 AM
Startup directory:
"C:\test"
Arguments Used:
Filename = "c:\test"
**************************************************************************
Directory: C:\test
Permissions:
Type Username Permissions Inheritance
Allowed BUILTIN\Administrators Full Control This Folder, Subfolde
Allowed NT AUTHORITY\SYSTEM Full Control This Folder, Subfolde
Allowed Domain1\User1 Full Control This Folder Only
Allowed \CREATOR OWNER Special (Unknown) Subfolders and Files
Allowed BUILTIN\Users Read and Execute This Folder, Subfolde
Allowed BUILTIN\Users Create Folders / Appe This Folder and Subfo
Allowed BUILTIN\Users Create Files / Write This Folder and Subfo
No Auditing set
Owner: Domain1\User1
Note The output of the xcacls.vbs c:\test command in this example matches the text that is shown in the graphical user interface (GUI). Some words are incomplete in the command window.
The output also gives the version of the script, the startup directory, and the arguments that were used.
You can also use wildcard characters to display matching files under the directory. For example, if you type the following, all files with an extension of ".log" that are in the C:\Test folder are displayed:
xcacls.vbs c:\test\*.logback to the top
示例
下面的Xcacls.vbs命令提供了一些使用Xcacls.vbs的示例
xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
此命令编辑现有权限。它授予Domain\TestUser1完全控制权
在C:\Test下的所有文件上,它遍历C:\Test下的子文件夹,然后
更改找到的任何文件。此命令不涉及目录
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
此命令将替换现有权限。它授予Domain\TestUser1完整权限
控制C:\Test下的所有子文件夹,并将其记录到C:\Xcacls.log。这
命令不接触文件,也不遍历目录
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
此命令将Readme.txt的所有者更改为组MachineA\Group1
xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
此命令撤销对MachineA\Group1的C:\Test\Badcode.exe的权限
而对于域\TestUser1
xcacls.vbs c:\test\subdir1 /i enable /q
此命令打开文件夹C:\Test\Subdir1上的继承。它抑制
任何屏幕输出
xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
此命令使用Windows管理远程连接到\ServerA\ShareZ
检测(WMI)。然后获取该共享的本地路径,并在
该路径将更改Testpage.htm上的权限。它保留了现有的
域\组2的权限保持不变,但它添加了权限1(读取数据)和
4(读取扩展属性)。该命令会删除该文件的其他权限
因为没有使用/e开关
xcacls.vbs d:\default.htm /g "domain\group2":f /server servera /user servera\admin /pass password /e
此命令使用WMI以ServerA\Admin的身份远程连接到ServerA,然后
将Default.htm的完全权限授予Domain\Group2。现有权限
对于域\Group2,将丢失该文件的其他权限。返回到
顶端