本文目录
继续阅读PowerShell提速和多线程
发表评论
月度归档:2020年02月
iCACLS使用说明
iCACLS.exe (2003 sp2, Vista+)
Change file and folder permissions – display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS
Syntax
Add or remove permissions:
ICACLS Name
[/grant[:r] User:Permission[...]]
[/deny User:Permission[...]]
[/remove[:g|:d]] User[...]]
[/inheritance:e|d|r ]
[/setintegritylevel Level[...]]
[/T] [/C] [/L] [/Q]
Store ACLs for one or more directories matching name into aclfile for later use with /restore:
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
Restore ACLs to all files in directory:
ICACLS directory [/substitute SidOld SidNew [...]]
/restore aclfile [/C] [/L] [/Q]
Change Owner:
ICACLS name /setowner user [/T] [/C] [/L] [/Q]
Find items with an ACL that mentions a specific SID:
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
ICACLS name /verify [/T] [/C] [/L] [/Q]
Replace ACL with default inherited acls for all matching files:
ICACLS name /reset [/T] [/C] [/L] [/Q]
This is equivalent to “Replace all child permission entries with inheritable permission from this object” in the GUI.
Key
name The File(s) or folder(s) the permissions will apply to.
/T Traverse all subfolders to match files/directories. This will apply permission changes to
all subfolders whether or not they are set to inherit permissions from the parent. On very large
directory structures this may take some time as the command has to traverse the entire tree.
/C Continue on file errors (access denied) Error messages are still displayed.
/L Perform the operation on a symbolic link itself, not its target.
/Q Quiet - supress success messages.
/grant :r user:permission
Grant access rights, with :r, the permissions
will replace any previouly granted explicit permissions (for the given user).
Otherwise the permissions are added.
/deny user:permission
Explicitly deny the specified user access rights.
This will also remove any explicit grant of the
same permissions to the same user.
/remove[:[g|d]] User
Remove all occurrences of User from the acl.
:g remove all granted rights to that User/Sid.
:d remove all denied rights to that User/Sid.
/inheritance:e|d|r
e - Enable inheritance
d - Disable inheritance and copy the ACEs
r - Remove all inherited ACEs
/setintegritylevel [(CI)(OI)]Level
Add an integrity ACE to all matching files.
level is one of L,M,H (Low Medium or High)
Mandatory Label\Low Mandatory Level = Low.
Mandatory Label\Medium Mandatory Level = Medium/Standard.
Mandatory Label\High Mandatory Level = Elevated.
If No mandatory label is displayed in the output, it is Medium by default.
A Directory Inheritance option for the integrity ACE can precede the level
and is applied only to directories:
user A user account, Group or a SID
/restore Apply the acls stored in ACLfile to the files in directory
permission is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
D - Delete access
F - Full access (Edit_Permissions+Create+Delete+Read+Write)
N - No access
M - Modify access (Create+Delete+Read+Write)
RX - Read and eXecute access
R - Read-only access
W - Write-only access
a comma-separated list in parentheses of specific rights:
DE - Delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes
inheritance rights can precede either form and are applied
only to directories:
(OI) - object inherit
(CI) - container inherit
(IO) - inherit only
(NP) - don’t propagate inherit
(I) - Permission inherited from parent container
继续阅读