Modify NTFS permissions without replacing ACLs with Xcacls.exe

Xcacls is used to modify NTFS permissions without replacing existing ACLs. This allows you to hit individual files, folders, or entire directories. The tool is easy to use and can do all of this with a single command line.

While I was at a client's I came across some user folders that never had the proper NTFS rights assigned at setup. Subsequently they all had the default local Users group assigned to them with Read and Execute. This effectively gave all users access to all folders. To make this even harder to resolve, someone had also removed the inheritance check mark and copied all the permissions. This means that the only way to remove the ACL entry from the GUI is by removing it individually on each folder and file. Not a good solution considering there are over 4000 users. So, time to use a script.

First you will need to download Xcacls.

Search Google for Xcacls, or for KB825751, or click on the link below

http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&displaylang=en

Install Xcacls on the server first.

  1. Double-click XCacls_Installer.exe.
  2. You will be asked for a path to extract to. I chose C:\
  3. This will extract a single file, c:\xcacls.vbs

Get ready to run the script

  1. Open a Command window and navigate to the root of C:
  2. Xcacls is used with cscript.
  3. Let's do an easy test. At the command prompt, type
    1. cscript xcacls.vbs
  4. If you see the list of switches, then you have done this step correctly.

Run Xcacls to modify your permissions. Make sure you have a full backup first, and make sure your backups include ACLs.

Example command lines (quote any path that contains spaces, otherwise it is read as two arguments):

C:\>cscript xcacls.vbs "G:\user folder" /t /e /f /s /r users /l c:\aclchange_log.txt

or

cscript xcacls.vbs "G:\all users\user folder" /t /e /f /s /r users /l c:\aclchange_log.txt

Remove the /t and /f switches to only change the root folder and one sub folder level down.

/F            [Used with Directory or Wildcard] This will change all
              files under the inputed directory but will NOT
              traverse sub directories unless /T is also present.
              If filename is a directory, and /F is not used, no
              files will be touched.

/S            [Used with Directory or Wildcard] This will change all
              sub folders under the inputed directory but will NOT
              traverse sub directories unless /T is also present.
              If filename is a directory, and /S is not used, no
              sub directories will be touched.

/T            [Used only with a Directory] Traverses each
              subdirectory and makes the same changes.
              This switch will traverse directories only if the
              filename is a directory or is using wildcards.

/E            Edit ACL instead of replacing it.

/R user       Revoke specified user’s access rights.
              (Will remove any Allowed or Denied ACL’s for user)

/L filename   Filename for Logging. This can include a path name
              if the file isn’t under the current directory.
              File will be appended to, or created if it doesn’t
              exit. Must be Text file if it exists or error will occur.
              If filename is obmitted the default name of XCACLS will
              be used.
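To see which folders and files still carry a copied (non-inherited) Users entry before the revoke, and to confirm afterwards that none remain, a report like the following can be run. This is an added example, not part of the original post or of xcacls.vbs. It assumes PowerShell 3.0 or later, and the root path, group name and report path are assumed values.

```powershell
# Added example: list explicit (non-inherited) ACEs held by one group under a root folder.
# $Root, $Group and $Report are assumed values; change them to match your server.
param(
    [string]$Root   = 'G:\all users',
    [string]$Group  = 'BUILTIN\Users',
    [string]$Report = 'C:\acl_audit.csv'
)

function Get-ExplicitGroupAce {
    param([string]$Path, [string]$Identity)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Unreadable ACLs are reported rather than silently skipped
        Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"
        return
    }
    foreach ($ace in $acl.Access) {
        # IsInherited is False for entries copied when inheritance was removed
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -eq $Identity) {
            [pscustomobject]@{
                Path                = $Path
                Identity            = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Type                = $ace.AccessControlType
                InheritanceDisabled = $acl.AreAccessRulesProtected
                Sddl                = $acl.Sddl   # full ACL as a pre-change record
            }
        }
    }
}

# Check the root itself plus everything beneath it (files and folders)
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = @(foreach ($item in $items) {
    Get-ExplicitGroupAce -Path $item.FullName -Identity $Group
})

if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $Report -NoTypeInformation
}
"{0} explicit ACE(s) for {1} found under {2}" -f $findings.Count, $Group, $Root
```

A count of 0 after the Xcacls run means the group no longer holds an explicit entry anywhere under the root. The Sddl column from the first run records what each ACL looked like before the change.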

I hope this helps. Post with questions if you would like more info.

Comments

One Response to “Modify NTFS permissions without replacing ACLs with Xcacls.exe”

  1. Max Inglis on September 25th, 2008 5:24 pm

    Nice Scripts Brad !
