读书人

Question about setting folder permissions with XCacls

Posted: 2012-03-15 11:50:38 Author: rapoo

Setting folder permissions with XCacls
There is more and more junk software these days, for example the ads from Wanxiang and Yiyou (I won't list more). On the server I solved the ad-folder problem with a drive letter, but I don't dare use that method on the clients, because when a USB flash drive or a phone is plugged in, its drive letter gets assigned to that folder and then no drive letter appears in My Computer.
For example, how would I write the Xcacls command to set the permissions on the folder "C:\Program Files\Baidu" so that no user can write to it, or access it at all? My English is too poor to understand the help file, so I'm pasting the help file below. Could someone give me an example? Thanks.

Used:        Filename is required and was not passed as an argument.
---------------------------- Usage -------------------------------
Displays or modifies access control lists (ACLs) of files & directories
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
                [/F] [/S] [/T]
                [/P user:perm;spec [...]] [/D user:perm;spec] [...]
                [/O user] [/I ENABLE/COPY/REMOVE] [/N
                [/L filename] [/Q] [/DEBUG]
   filename            [Required] If used alone, it Displays ACLs.
                       (Filename can be a filename, directory name or
                       wildcard characters and can include the entire
                       path. If path is missing, its assumed to be
                       under the current directory.
                       Notes:
                       - Put filename in quotes if it has spaces or
                       special characters such as &, $, #, etc.
                       - If Filename is a directory, all files and
                       sub directories under it will NOT be changed
                       unless the /F or /S is present.
   /F                  [Used with Directory or Wildcard] This will change all
                       files under the inputed directory but will NOT
                       traverse sub directories unless /T is also present.
                       If filename is a directory, and /F is not used, no
                       files will be touched.
   /S                  [Used with Directory or Wildcard] This will change all
                       sub folders under the inputed directory but will NOT
                       traverse sub directories unless /T is also present.
                       If filename is a directory, and /S is not used, no
                       sub directories will be touched.
   /T                  [Used only with a Directory] Traverses each
                       subdirectory and makes the same changes.
                       This switch will traverse directories only if the
                       filename is a directory or is using wildcards.
   /E                  Edit ACL instead of replacing it.
   /G user:GUI         Grant security permissions similar to Windows GUI
                       standard (non-advanced) choices.
   /G user:Perm;Spec   Grant specified user access rights.
                       (/G adds to existing rights for user)
                       User: If User has spaces in it, surround it in Quotes
                             If User contains #machine#, it will replace
                             #machine# with the actual machine name if its a
                             non-domain controller, and replace it with the
                             actual domain name if it is a domain controller.
                             New to 3.0: User can be a string representing
                             the actual SID, but MUST be lead by SID#
                             Example: SID#S-1-5-21-2127521184-160...
                                      (SID string shown has been shortened)
                                      (If any user has SID# then globaly all
                                       matches must match the SID (not name)
                                       so if your intention is to apply changes
                                       to all accounts that match Domain\User
                                       then do not specify SID# as one of the
                                       users)
                       GUI: Is for standard rights and can be:
                             Permissions...
                                    F  Full control
                                    M  Modify
                                    X  read & eXecute
                                    L  List folder contents
                                    R  Read
                                    W  Write
                             Note: If a ; is present, this will be considered
                             a Perm;Spec parameter pair
                       Perm: Is for "Files Only" and can be:
                             Permissions...
                                    F  Full control
                                    M  Modify
                                    X  read & eXecute
                                    R  Read
                                    W  Write
                             Advanced...
                                    E Synchronize
                                    D Take Ownership
                                    C Change Permissions
                                    B Read Permissions
                                    A Delete
                                    9 Write Attributes
                                    8 Read Attributes
                                    7 Delete Subfolders and Files
                                    6 Traverse Folder / Execute File
                                    5 Write Extended Attributes
                                    4 Read Extended Attributes
                                    3 Create Folders / Append Data
                                    2 Create Files / Write Data
                                    1 List Folder / Read Data
                       Spec is for "Folder and Subfolders only" and has the
                       same choices as Perm.
   /R user             Revoke specified user's access rights.
                       (Will remove any Allowed or Denied ACL's for user)
   /P user:GUI         Replace security permissions similiar to standard choices
   /P user:perm;spec   Replace specified user's access rights.
                       For access right specification see /G option
                       (/P acts like /G if there are no rights set for user)
   /D user:GUI         Deny security permissions similiar to standard choices.
   /D user:perm;spec   Deny specified user access rights.
                       For access right specification see /G option
                       (/D adds to existing rights for user)
   /O user             Change the Ownership to this user or group.
   /I switch           Inheritance flag, if omitted default is to not touch
                       Inherited ACL's. Switch can be:
                          ENABLE - This will turn on the Inheritance Flag if
                                   its not on already.
                          COPY   - This will turn off the Inheritance flag and
                                   copy the Inherited ACL's
                                   into Effecive ACL's
                          REMOVE - This will turn off the Inheritance flag and
                                   will not copy the Inherited
                                   ACL's, this is the opposite of ENABLE
                          If switch is not present, /I will be ignored and
                          Inherited ACL's will remain untouched.
   /SPEC switch        Special Permission for Folder and Subfolders only
                       If this switch is used, and the object is a folder, then
                       one of the switches below would be used instead of the
                       default.
                          A - This Folder Only
                          B - This Folder, Subfolders and Files (Default)
                          C - This Folder and Subfolders
                          D - This Folder and Files
                          E - Subfolders and Files Only
                          F - Subfolders Only
                          G - Files Only
   /L filename         Filename for Logging.
                       This can include a path name
                       if the file isn't under the current directory.
                       File will be appended to, or created if it doesn't
                       exit. Must be Text file if it exists or error will occur.
                       If filename is obmitted the default name of XCACLS will
                       be used.
   /Q                  Turn on Quiet mode, its off by default.
                       If its turned on, there will be no display to the screen.
   /DEBUG              Turn on Debug mode, its off by default.
                       If its turned on, there will be more information
                       displayed and/or logged. Information will show
                       Sub/Function Enterand Exit as well as other important
                       information.
   /TIMEWMI            Turn on to Time WMI use, only shows up in Debug Mode.
   /SERVER servername  Enter a remote server to run script against.
   /USER username      Enter Username to impersonate for Remote Connections
                            (Requires PASS switch)
                            - Will be ignored if its for a Local Connection.
   /PASS password      Enter Password to go with USER switch
                            (Requires USER switch)
Wildcards can be used to specify more than one file in a command.
Such as:
                                *       Any string of zero or more characters
                                ?       Any single character
You can specify more than one user in a command.
You can combine access rights.
Operation Complete



[Solution]

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
将所有匹配名称的 ACL 存储到 aclfile 中以便将来用于 /restore。

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
[/C] [/L] [/Q]
将存储的 ACL 应用于目录中的文件。

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
更改所有匹配名称的所有者。

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
查找包含显式提及 SID 的 ACL 的所有匹配名称。

ICACLS name /verify [/T] [/C] [/L] [/Q]
查找其 ACL 不规范或长度与 ACE 计数不一致的所有文件。

ICACLS name /reset [/T] [/C] [/L] [/Q]
为所有匹配文件使用默认继承的 ACL 替换 ACL

ICACLS name [/grant[:r] Sid:perm[...]]
[/deny Sid:perm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L]
[/setintegritylevel Level:policy[...]]

/grant[:r] Sid:perm 授予指定的用户访问权限。如果使用 :r,
这些权限将替换以前授予的所有显式权限。
如果不使用 :r,这些权限将添加到以前授予的所有显式权限。

/deny Sid:perm 显式拒绝指定的用户访问权限。
将为列出的权限添加显式拒绝 ACE,
并删除所有显式授予的权限中的相同权限。

/remove[:[g|d]] Sid 删除 ACL 中所有出现的 SID。使用
:g,将删除授予该 SID 的所有权限。使用
:d,将删除拒绝该 SID 的所有权限。

/setintegritylevel [(CI)(OI)] 级别将完整性 ACE 显式添加到所有
匹配文件。要指定的级别为以下级别之一:
L[ow]
M[edium]
H[igh]
完整性 ACE 的继承选项可以优先于级别,但只应用于
目录。

/inheritance:e|d|r
e - 启用继承
d - 禁用继承并复制 ACE
r - 删除所有继承的 ACE


注意:
Sid 可以采用数字格式或友好的名称格式。如果给定数字格式,
那么请在 SID 的开头添加一个 *。

/T 指示在以该名称指定的目录下的所有匹配文件/目录上
执行此操作。

/C 指示此操作将在所有文件错误上继续进行。仍将显示错误消息。

/L 指示此操作在符号链接本身而不是其目标上执行。

/Q 指示 icacls 应该禁止显示成功消息。

ICACLS 保留 ACE 项的规范顺序:
显式拒绝
显式授予
继承的拒绝
继承的授予

perm 是权限掩码,可以两种格式之一指定:
简单权限序列:
F - 完全访问权限
M - 修改权限
RX - 读取和执行权限
R - 只读权限
W - 只写权限
在括号中以逗号分隔的特定权限列表:
D - 删除
RC - 读取控制
WDAC - 写入 DAC
WO - 写入所有者
S - 同步
AS - 访问系统安全性
MA - 允许的最大值
GR - 一般性读取
GW - 一般性写入
GE - 一般性执行
GA - 全为一般性
RD - 读取数据/列出目录
WD - 写入数据/添加文件
AD - 附加数据/添加子目录
REA - 读取扩展属性
WEA - 写入扩展属性
X - 执行/遍历
DC - 删除子项
RA - 读取属性
WA - 写入属性
继承权限可以优先于每种格式,但只应用于
目录:
(OI) - 对象继承
(CI) - 容器继承
(IO) - 仅继承
(NP) - 不传播继承

示例:

icacls c:\windows\* /save AclFile /T
- 将 c:\windows 及其子目录下所有文件的
ACL 保存到 AclFile。

icacls c:\windows\ /restore AclFile
- 将还原 c:\windows 及其子目录下存在的 AclFile 内
所有文件的 ACL

icacls file /grant Administrator:(D,WDAC)
- 将授予用户对文件删除和写入 DAC 的管
理员权限

icacls file /grant *S-1-1-0:(D,WDAC)
- 将授予由 sid S-1-1-0 定义的用户对文件删
除和写入 DAC 的权限
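A worked answer to the question above, added here as an example and not part of the original post or either reply: a PowerShell wrapper around the icacls commands described in this reply that denies write access to the folder from the question for every user, after saving the current ACLs so the change can be rolled back. The backup file name and the use of the parent directory as the /restore base are assumptions.

```powershell
# Added example, not from the original post or the replies. Assumes an elevated
# PowerShell on Windows Vista or later (icacls ships with the OS) and the folder
# path given in the question.
$Target  = 'C:\Program Files\Baidu'              # path from the question (has a space, so always quoted)
$AclFile = Join-Path $env:TEMP 'baidu-acl.bak'   # assumed backup location

function Save-FolderAcl {
    # /save records the ACL of the folder and, with /T, of everything below it,
    # so a mistake can be undone with /restore instead of hand-editing ACEs.
    & icacls $Target /save $AclFile /T /C /Q
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed ($LASTEXITCODE)" }
}

function Deny-EveryoneWrite {
    # *S-1-1-0 is the Everyone SID written the way the icacls help shows it,
    # which also sidesteps the localized group name on a Chinese Windows.
    # The rights are listed explicitly rather than as the simple "W" sequence:
    # "W" expands to the generic write mask, which also carries the standard
    # rights READ_CONTROL and SYNCHRONIZE, and denying those to Everyone breaks
    # reading as well. WD/AD/WEA/WA are the data and attribute writes; DC
    # blocks deleting children of the folder.
    # (OI)(CI) makes the ACE inherit to new files and subfolders; /T stamps it
    # on the ones that already exist.
    # Because icacls keeps deny ACEs ahead of grants, this overrides every grant,
    # including those of Administrators, until the ACE is removed again.
    & icacls $Target /deny '*S-1-1-0:(OI)(CI)(WD,AD,WEA,WA,DC)' /T /C /Q
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed ($LASTEXITCODE)" }
}

function Remove-EveryoneDeny {
    # Lift only the deny entries for Everyone (:d) and leave any grants alone.
    & icacls $Target /remove:d '*S-1-1-0' /T /C /Q
}

function Restore-FolderAcl {
    # Full rollback. /restore takes the directory the saved names are relative
    # to; for a saved path of C:\Program Files\Baidu that is its parent
    # (assumption about how icacls stores the names).
    & icacls (Split-Path -Parent $Target) /restore $AclFile /C /Q
}

Save-FolderAcl
Deny-EveryoneWrite
& icacls $Target          # the new ACE should be listed first, flagged (DENY)
# Remove-EveryoneDeny     # or Restore-FolderAcl, to undo
```

The xcacls.vbs help pasted in the question expresses the same kind of operation through /E /D user:perm;spec, but icacls ships with the OS, which is why the replies point to it.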

[Solution]

Note: some people advise against using Cacls; use Icacls instead.

CACLS 显示或者修改文件的访问控制列表(ACL)

CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
[/R user [...]] [/P user:perm [...]] [/D user [...]]
filename 显示 ACL。
/T 更改当前目录及其所有子目录中
指定文件的 ACL。
/L 对照目标处理符号链接本身
/M 更改装载到目录的卷的 ACL
/S 显示 DACL 的 SDDL 字符串。


/S:SDDL 使用在 SDDL 字符串中指定的 ACL 替换 ACL。
(/E、/G、/R、/P 或 /D 无效)。
/E 编辑 ACL 而不替换。
/C 在出现拒绝访问错误时继续。
/G user:perm 赋予指定用户访问权限。
Perm 可以是: R 读取
W 写入
C 更改(写入)
F 完全控制
/R user 撤销指定用户的访问权限(仅在与 /E 一起使用时合法)。
/P user:perm 替换指定用户的访问权限。
Perm 可以是: N 无
R 读取
W 写入
C 更改(写入)
F 完全控制
/D user 拒绝指定用户的访问。
在命令中可以使用通配符指定多个文件。
也可以在命令中指定多个用户。

缩写:
CI - 容器继承。
ACE 会由目录继承。
OI - 对象继承。
ACE 会由文件继承。
IO - 只继承。
ACE 不适用于当前文件/目录。
ID - 已继承。
ACE 从父目录的 ACL 继承。
