[333] in winnt
Windows NT Tip - Add CACLS to your Windows NT Toolbox
daemon@ATHENA.MIT.EDU (Stephen D. Dowdy)
Tue Mar 23 15:28:00 1999
Date: Tue, 23 Mar 1999 15:27:32 -0500
To: ntpartners@mit.edu
From: "Stephen D. Dowdy" <sdowdy@MIT.EDU>
I found this to be a bit interesting...
>Date: Mon, 22 Mar 1999 14:50:40 -0800
>To: "ESI Tech Support Mail List" <esi-tech-support@relaypoint.net>
>From: "ESI Tech Support" <tips@executive.com>
>Subject: Windows NT Tip - Add CACLS to your Windows NT Toolbox
>Sender: tech_support@executive.com
>Reply-To: tech_support@executive.com
>
> Windows NT* Technical Article
> 22 March 1999
> Add CACLS to your Windows NT Toolbox
>
>Have you ever needed to alter file permissions - after the fact? For
>example, your partition has already been in use for some time, with all of
>your users creating files and sub-directories with security restrictions,
>and now you need to make a change globally to file permissions. How can you
>do it quickly and easily?
>
>The best way is to go to the Command Prompt and run CACLS (Change ACLs).
>
>Here's a question I've had to deal with, which makes a good example of how
>to use CACLS: Do you have an NTFS partition without SYSTEM group access?
>While security may be tight on your network, you should always allow the
>group SYSTEM to have FULL CONTROL over all files and directories on all NTFS
>partitions. This group represents the Windows NT operating system and
>having it included allows such actions as creating a pagefile on a partition
>and defragmenting all files. If you have no real restrictions on security,
>(if you leave EVERYONE with FULL CONTROL for instance), then this is not an
>issue.
>
>You could use Explorer to modify security settings globally on the
>partition/directories/files, but there is a problem with this. This is in
>fact a destructive method of applying security settings, because it replaces
>the existing settings; Explorer is fine for changing permissions in one
>directory or one file, but it should only be used globally if you want to
>set all permissions on all files and/or sub-directories to the same values.
>If you want to add or remove permissions without destroying the existing
>ones, you need to use the CACLS command line interface executed from the
>root of the partition:
>
>D:\>cacls/?
>Displays or modifies access control lists (ACLs) of files
>
>CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
> [/P user:perm [...]] [/D user [...]]
> filename Displays ACLs.
> /T Changes ACLs of specified files in
> the current directory and all
>subdirectories.
> /E Edit ACL instead of replacing it.
> /C Continue on access denied errors.
> /G user:perm Grant specified user access rights.
> Perm can be: R Read
> C Change (write)
> F Full control
> /R user Revoke specified user's access rights (only valid
>with /E).
> /P user:perm Replace specified user's access rights.
> Perm can be: N None
> R Read
> C Change (write)
> F Full control
> /D user Deny specified user access.
>
>Wildcards can be used to specify more that one file in a command.
>You can specify more than one user in a command.
>
>SPECIAL NOTE: You must be at the root directory level of the partition in
>question. Use this command:
>
>CD drive_letter:
>
>Now the command line:
>
>CACLS * /e /t /g SYSTEM:F
>
>SPECIAL NOTE: If you see this message: "Unable to perform a security
>operation on an object which has no associated security" you are executing
>this from a FAT partition. ACLs are only used on NTFS partitions.
>
>The /e switch tells the CACLS command to EDIT the ACLs rather than REPLACE
>the existing permissions, and the /t switch tells it to apply the edit to
>subdirectories. Any number of ACCOUNT:PERM sets may follow the GRANT (/g)
>switch. As you can see from the above listing, there is additional
>flexibility built into the CACLS command - its only limitation is the extent
>of selections for PERM values.
>
>You may also need to add SYSTEM to the drive itself. Do that through
>Explorer with these steps:
>
> 1) Start EXPLORER
> 2) Right click the partition in question
> 3) Click PROPERTIES
> 4) Click the SECURITY tab
> 5) Click the PERMISSIONS button
> 6) If SYSTEM is not listed, click ADD and select SYSTEM
> 7) Highlight SYSTEM
> 8) Set TYPE OF ACCESS to FULL CONTROL
> 9) Clear the REPLACE PERMISSIONS ON EXISTING FILES check box (it is checked
>by default)
>10) Click OK
>
>CACLS is an excellent addition to your Windows NT toolbox. It can
>definitely pull you out a jam when NTFS permissions are not set properly.
>
>
>Pat Bloodwell
>Executive Software Technical Support
>
>
>Editor's note: Back issues of the Windows NT Technical Articles are
>available on our Web site at:
>
>http://www.diskeeper.com/tech-support/articles/windows.htm
><http://www.diskeeper.com/tech-support/articles/windows.htm>
>
>
>If you do not wish to receive these articles, or you would like to be added
>to the list, please let us know by sending your request to
>TIPS@EXECUTIVE.COM <TIPS@EXECUTIVE.COM> .
>
>If you have any problems or questions regarding this article, please send
>them to me at tips@executive.com <tips@executive.com> .
>
>For reprint permission for any of these technical articles, please
>contact Jobee Knight, Director of Public Relations, at e-mail
>dirpr@executive.com <dirpr@executive.com> .
>
>If you have any comments, suggestions or successes from using Executive
>Software products, please send them to Quality Assurance at
>QA@executive.com <QA@executive.com> .
>
>* 1999 Executive Software International, Inc. All Rights Reserved.
>
>Diskeeper, Undelete and Executive Software are trademarks owned by
> Executive Software International, Inc.
>
>Microsoft, Windows NT and Backoffice are either registered
> trademarks or trademarks of Microsoft Corporation in the
> United States and/or other countries.
>
>All other trademarks are the property of their respective owners.
>
>
