<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Philip Taylor wrote:<br>
<br>
</div>
<blockquote type="cite"
cite="mid:eb5444c0-7f49-afb2-bad9-2fb29c6e9171@Hellenic-Institute.Uk">
NOTE: Cacls is now deprecated, please use Icacls.<br>
</blockquote>
<br>
Sorry, failed to notice that. Herewith same for ICACLS:<br>
<br>
<blockquote type="cite"><br>
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]<br>
stores the DACLs for the files and folders that match the name<br>
into aclfile for later use with /restore. Note that SACLs,<br>
owner, or integrity labels are not saved.<br>
<br>
ICACLS directory [/substitute SidOld SidNew [...]] /restore
aclfile<br>
[/C] [/L] [/Q]<br>
applies the stored DACLs to files in directory.<br>
<br>
ICACLS name /setowner user [/T] [/C] [/L] [/Q]<br>
changes the owner of all matching names. This option does not<br>
force a change of ownership; use the takeown.exe utility for<br>
that purpose.<br>
<br>
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]<br>
finds all matching names that contain an ACL<br>
explicitly mentioning Sid.<br>
<br>
ICACLS name /verify [/T] [/C] [/L] [/Q]<br>
finds all files whose ACL is not in canonical form or whose<br>
lengths are inconsistent with ACE counts.<br>
<br>
ICACLS name /reset [/T] [/C] [/L] [/Q]<br>
replaces ACLs with default inherited ACLs for all matching
files.<br>
<br>
ICACLS name [/grant[:r] Sid:perm[...]]<br>
[/deny Sid:perm [...]]<br>
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]<br>
[/setintegritylevel Level:policy[...]]<br>
<br>
/grant[:r] Sid:perm grants the specified user access rights.
With :r,<br>
the permissions replace any previouly granted explicit
permissions.<br>
Without :r, the permissions are added to any previously
granted<br>
explicit permissions.<br>
<br>
/deny Sid:perm explicitly denies the specified user access
rights.<br>
An explicit deny ACE is added for the stated permissions
and<br>
the same permissions in any explicit grant are removed.<br>
<br>
/remove[:[g|d]] Sid removes all occurrences of Sid in the ACL.
With<br>
:g, it removes all occurrences of granted rights to that
Sid. With<br>
:d, it removes all occurrences of denied rights to that
Sid.<br>
<br>
/setintegritylevel [(CI)(OI)]Level explicitly adds an
integrity<br>
ACE to all matching files. The level is to be specified
as one<br>
of:<br>
L[ow]<br>
M[edium]<br>
H[igh]<br>
Inheritance options for the integrity ACE may precede the
level<br>
and are applied only to directories.<br>
<br>
/inheritance:e|d|r<br>
e - enables inheritance<br>
d - disables inheritance and copy the ACEs<br>
r - remove all inherited ACEs<br>
<br>
<br>
Note:<br>
Sids may be in either numerical or friendly name form. If a
numerical<br>
form is given, affix a * to the start of the SID.<br>
<br>
/T indicates that this operation is performed on all matching<br>
files/directories below the directories specified in the
name.<br>
<br>
/C indicates that this operation will continue on all file
errors.<br>
Error messages will still be displayed.<br>
<br>
/L indicates that this operation is performed on a symbolic
link<br>
itself versus its target.<br>
<br>
/Q indicates that icacls should supress success messages.<br>
<br>
ICACLS preserves the canonical ordering of ACE entries:<br>
Explicit denials<br>
Explicit grants<br>
Inherited denials<br>
Inherited grants<br>
<br>
perm is a permission mask and can be specified in one of two
forms:<br>
a sequence of simple rights:<br>
N - no access<br>
F - full access<br>
M - modify access<br>
RX - read and execute access<br>
R - read-only access<br>
W - write-only access<br>
D - delete access<br>
a comma-separated list in parentheses of specific rights:<br>
DE - delete<br>
RC - read control<br>
WDAC - write DAC<br>
WO - write owner<br>
S - synchronize<br>
AS - access system security<br>
MA - maximum allowed<br>
GR - generic read<br>
GW - generic write<br>
GE - generic execute<br>
GA - generic all<br>
RD - read data/list directory<br>
WD - write data/add file<br>
AD - append data/add subdirectory<br>
REA - read extended attributes<br>
WEA - write extended attributes<br>
X - execute/traverse<br>
DC - delete child<br>
RA - read attributes<br>
WA - write attributes<br>
inheritance rights may precede either form and are applied<br>
only to directories:<br>
(OI) - object inherit<br>
(CI) - container inherit<br>
(IO) - inherit only<br>
(NP) - don't propagate inherit<br>
(I) - permission inherited from parent container<br>
<br>
Examples:<br>
<br>
icacls c:\windows\* /save AclFile /T<br>
- Will save the ACLs for all files under c:\windows<br>
and its subdirectories to AclFile.<br>
<br>
icacls c:\windows\ /restore AclFile<br>
- Will restore the Acls for every file within<br>
AclFile that exists in c:\windows and its
subdirectories.<br>
<br>
icacls file /grant Administrator:(D,WDAC)<br>
- Will grant the user Administrator Delete and Write DAC<br>
permissions to file.<br>
<br>
icacls file /grant *S-1-1-0:(D,WDAC)<br>
- Will grant the user defined by sid S-1-1-0 Delete and<br>
Write DAC permissions to file.<br>
</blockquote>
<br>
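Added example, not part of the original message or of icacls itself: a small parser for the Sid:perm argument described in the help text above, used to review a /grant argument before it is run. The function names and the CONTROL, WRITE and BROAD sets are assumptions of this example; BROAD matches numeric SIDs only.<br>

```python
import re

# Rights and inheritance flags exactly as listed in the icacls help text above.
SIMPLE = {"N", "F", "M", "RX", "R", "W", "D"}
SPECIFIC = {"DE", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
            "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}
# Assumptions of this example (not icacls behaviour): the three sets below.
CONTROL = {"F", "GA", "WDAC", "WO"}
WRITE = CONTROL | {"M", "W", "D", "DE", "GW", "WD", "AD", "DC", "WEA", "WA"}
BROAD = {"*S-1-1-0", "*S-1-5-11", "*S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users
GROUP = re.compile(r"\(([^()]+)\)")

def simple_sequence(text):  # unparenthesised form: 'RXW' gives ['RX', 'W']
    out = []
    while text:
        tok = text[:2] if text[:2] in SIMPLE else text[:1]
        if tok not in SIMPLE:
            raise ValueError("unknown simple right at %r" % text)
        out.append(tok)
        text = text[len(tok):]
    return out

def parse_grant(spec):
    """Split one 'Sid:perm' argument into (sid, inheritance flags, rights)."""
    sid, sep, perm = spec.rpartition(":")
    if not (sid and sep and perm):
        raise ValueError("expected Sid:perm, got %r" % spec)
    flags, rights, pos = [], [], 0
    while pos != len(perm):
        m = GROUP.match(perm, pos)
        tokens = m.group(1).upper().split(",") if m else simple_sequence(perm[pos:].upper())
        pos = m.end() if m else len(perm)
        for tok in tokens:
            if tok in INHERIT and not rights:
                flags.append(tok)      # inheritance flags must precede the rights
            elif tok in SIMPLE or tok in SPECIFIC:
                rights.append(tok)
            else:
                raise ValueError("unknown right %r in %r" % (tok, spec))
    return sid, flags, rights

def review(spec):
    """Return reviewer findings for one /grant argument before it is run."""
    sid, _flags, rights = parse_grant(spec)
    findings = ["control"] if CONTROL.intersection(rights) else []
    if sid.upper() in BROAD and WRITE.intersection(rights):
        findings.append("broad-write")  # write access for a catch-all principal
    return findings
```

For the two /grant examples in the help text, review() reports "control" for Administrator:(D,WDAC) and both "control" and "broad-write" for *S-1-1-0:(D,WDAC), since S-1-1-0 is the Everyone SID.<br>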
</body>
</html>