How to grant permission to users for a directory u

2019-01-03 11:44发布

站内问答 / 前端开发
1671 15 6

How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?

15条回答
淡お忘
2楼-- · 2019-01-03 12:00

As of Vista, cacls is deprecated. Here's the first couple of help lines:

C:\>cacls
NOTE: Cacls is now deprecated, please use Icacls.

Displays or modifies access control lists (ACLs) of files

You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:

C:\>icacls "D:\test" /grant John:(OI)(CI)F /T

According do MS documentation:

  • F = Full Control
  • CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
  • OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
  • /T = Apply recursively to existing files and sub-folders. (OI and CI only apply to new files and sub-folders). Credit: comment by @AlexSpence.

For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here

查看更多
0人赞 添加讨论(0) 举报
聊天终结者
3楼-- · 2019-01-03 12:01

Bulk folder creation and grant permission works me by using the below powershell script.

Import-Csv "D:\Scripts\foldernames.csv" | foreach-object { $username = $_.foldername 

# foldername is the header of csv file

$domain = “example.com”

$folder= "D:\Users"

$domainusername = $domain+“\”+$username

New-Item $folder\$username –Type Directory

Get-Acl $folder\$username  

$acl = Get-Acl $folder\$username

$acl.SetAccessRuleProtection($True, $False)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

Set-Acl $folder\$username $acl

}

Note: You have to create same domain username in csv file otherwise you will get permission issues

查看更多
0人赞 添加讨论(0) 举报
我想做一个坏孩纸
4楼-- · 2019-01-03 12:05

This is what worked for me:

  1. Manually open the folder for which the access is denied.

  2. Select the Executable/application file in that folder.

  3. Right-click on it and go to Properties -> Compatibility

  4. Now see the Privilege Level and check it for Run As Administrator

  5. Click on Change Settings for all users.

The problem is solved now.

查看更多
0人赞 添加讨论(0) 举报
beautiful°
5楼-- · 2019-01-03 12:06

Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following is a perfect solution:

icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T

Notes:

  1. The command is applied to the specified directory.

  2. Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.

  3. The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting.

  4. The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.

  5. The "F" parameter (i.e. the permission created) makes this a grant of FULL control.

  6. The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.

  7. The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created in future.

查看更多
0人赞 添加讨论(0) 举报
Evening l夕情丶
6楼-- · 2019-01-03 12:10

Open a Command Prompt, then execute this command:

icacls "c:\somelocation\of\path" /q /c /t /grant Users:F

F gives Full Access.

/q /c /t applies the permissions to subfolders.

Note: Sometimes "Run as Administrator" will help.

查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
7楼-- · 2019-01-03 12:11

excellent point Călin Darie

I had a lot of scripts to use cacls I move them to icacls how ever I could not find a script to change the root mount volumes example: d:\datafolder. I finally crated the script below, which mounts the volume as a temporary drive then applies sec. then unmounts it. It is the only way I found that you can update the root mount security.

1 gets the folder mount GUID to a temp file then reads the GUID to mount the volume as a temp drive X: applies sec and logs the changes then unmounts the Volume only from the X: drive so the mounted folder is not altered or interrupted other then the applied sec.

here is sample of my script:

**mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I 
D:\tools\security\icacls.exe  %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d**
查看更多
0人赞 添加讨论(0) 举报
上一页 1 2 3 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)