
XCACLS commands for specific NTFS permissions...

Dimarc67 asked:
I need to explicitly assign a very specific set of NTFS permissions using the XCACLS.exe command line utility.  Can someone provide the correct syntax for the XCACLS.exe commands required to assign the following NTFS permissions to "FolderA":

FolderA - Full control for Domain Admins - This folder, subfolders and files
FolderA - Read-only for SecurityGroupA - This folder only
FolderA - Modify for SecurityGroupA - Subfolders and files only

Thanks much.

Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
You'll need xcacls.vbs, not xcacls.exe; xcacls.exe is deprecated and does not handle /e correctly.
How to use Xcacls.vbs to modify NTFS permissions
http://support.microsoft.com/kb/825751 

The System account should always have Full access in a folder structure, and you should assign permissions to the local Administrators group, not Domain Admins.
Try the batch script below:


@echo off
setlocal
set Folder=FolderA
set Group=SecurityGroupA

REM *** "This folder, subfolders and files"
REM *** No "/e" (edit), EXISTING ACEs WILL BE REPLACED!
cscript.exe /nologo xcacls.vbs "%Folder%" /g "Administrators":F /g "System":F

REM *** edit ACL: add "This folder only"
cscript.exe /nologo xcacls.vbs "%Folder%" /e /g "%Group%":R /spec A

REM *** edit ACL: add "Subfolders and files only"
cscript.exe /nologo xcacls.vbs "%Folder%" /e /g "%Group%":M /spec E


Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

XCACLS was never particularly good at dealing with inheritance options / flags. Would you consider using something a bit more complex? If I'm in charge it'll be PowerShell ;)

Chris
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Oops sorry, I was a bit slow thinking about that, looks like oBdA has the best option :)

Chris

Author

Commented:
oBdA--
I think you've provided exactly what I need, but let me adjust it and you tell me if I'm breaking it.

Instead of assigning the group and folder names to environment variables, can we use command line variables such as %1, %2, etc.?  This would refine the batch file command to allow the group and folder names to be specified on the command line, yes?

Dimarc67
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
That would work as well:
SomeScript.cmd "T:\he\Folder\Name" "The Group Name"
("%~1" removes, if present, any quotes around the argument, so that there's a defined state whether or not there were quotes around the argument in the command line)

@echo off
setlocal
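REM *** Stop if either argument is missing; the first xcacls call replaces the existing ACEs.
if "%~2"=="" (echo Usage: %~nx0 "Folder" "Group" & exit /b 1)
REM *** Quoting the whole assignment keeps characters such as "&" in a name from breaking the line.
set "Folder=%~1"
set "Group=%~2"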

REM *** "This folder, subfolders and files"
REM *** No "/e" (edit), EXISTING ACEs WILL BE REPLACED!
cscript.exe /nologo xcacls.vbs "%Folder%" /g "Administrators":F /g "System":F

REM *** edit ACL: add "This folder only"
cscript.exe /nologo xcacls.vbs "%Folder%" /e /g "%Group%":R /spec A

REM *** edit ACL: add "Subfolders and files only"
cscript.exe /nologo xcacls.vbs "%Folder%" /e /g "%Group%":M /spec E

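The PowerShell route mentioned earlier in the thread, as an added example that is not from any of the posters: it sets the same four ACEs with Get-Acl/Set-Acl and shows how the three "applies to" scopes map to inheritance and propagation flags. The parameter names are hypothetical, and it assumes existing explicit ACEs should be dropped while ACEs inherited from the parent are left in place.

```powershell
# Added example, not from the thread. Try it on a scratch folder first, elevated.
param(
    [Parameter(Mandatory)][string]$Folder,   # hypothetical parameter names
    [Parameter(Mandatory)][string]$Group
)
$ErrorActionPreference = 'Stop'

# "Applies to" scope in the ACL editor -> InheritanceFlags, PropagationFlags
$all = 'ContainerInherit, ObjectInherit'
$scopes = @{
    'This folder, subfolders and files' = @($all,   'None')
    'This folder only'                  = @('None', 'None')
    'Subfolders and files only'         = @($all,   'InheritOnly')
}

# The four ACEs the batch script sets: identity, rights, scope.
$wanted = @(
    @('BUILTIN\Administrators', 'FullControl', 'This folder, subfolders and files'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'This folder, subfolders and files'),
    @($Group,                   'Read',        'This folder only'),
    @($Group,                   'Modify',      'Subfolders and files only')
)

$acl = Get-Acl -LiteralPath $Folder

# Assumption: remove every explicit ACE, leave inherited ACEs untouched.
$explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
foreach ($ace in @($explicit)) { $acl.RemoveAccessRuleSpecific($ace) }

foreach ($w in $wanted) {
    $inherit, $propagate = $scopes[$w[2]]
    $ctorArgs = $w[0], $w[1], $inherit, $propagate, 'Allow'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Folder -AclObject $acl

# Read the ACL back and list the explicit ACEs so the result can be checked by eye.
(Get-Acl -LiteralPath $Folder).Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

The final table should show two rows for the group: Read with no inheritance flags, and Modify with both inheritance flags plus InheritOnly.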