This is a patched version of the Microsoft XCACLS.VBS script, which can be used to set/adjust ownership and access rights (ACLs) for multiple files and/or directories at once. The patches are the result of some work with XCACLS on some extremely stubborn drives, which were loaded from a destroyed Windows system, and include forcing ownership using the Microsoft TAKEOWN.EXE tool.
XCACLS.VBS comes with a batch file (XXCACLS.BAT) which can be used to run the tool.
The package includes the original XCACLS.VBS installer and script for reference and also includes the TAKEOWN.EXE tool. Install by copying the extracted files to a directory, preferably one listed in your PATH environment variable, so you can run this command
or any other XXCACLS command from anywhere.
The ones marked in a RED color are additions; the ones marked in ORANGE have seen changes.
XXCACLS.BAT / XCACLS.VBS Usage ------------------------------ Displays or modifies access control lists (ACLs) of files & directories XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]] [/F] [/S] [/T] [/P user:perm;spec [...]] [/D user:perm;spec] [...] [/O user] [/FO] [/I ENABLE/COPY/REMOVE] [/N [/L filename] [/Q] [/QQ] [/C] [/DEBUG] filename [Required] If used alone, it Displays ACLs. (Filename can be a filename, directory name or wildcard characters and can include the entire path. If path is missing, its assumed to be under the current directory. Notes: - Put filename in quotes if it has spaces or special characters such as &, $, #, etc. - If Filename is a directory, all files and sub directories under it will NOT be changed unless the /F or /S is present. /F [Used with Directory or Wildcard] This will change all files under the inputed directory but will NOT traverse sub directories unless /T is also present. If filename is a directory, and /F is not used, no files will be touched. /S [Used with Directory or Wildcard] This will change all sub folders under the inputed directory but will NOT traverse sub directories unless /T is also present. If filename is a directory, and /S is not used, no sub directories will be touched. /T [Used only with a Directory] Traverses each subdirectory and makes the same changes. This switch will traverse directories only if the filename is a directory or is using wildcards. /E Edit ACL instead of replacing it. /G user:GUI Grant security permissions similar to Windows GUI standard (non-advanced) choices. /G user:Perm;Spec Grant specified user access rights. (/G adds to existing rights for user) User: If User has spaces in it, surround it in Quotes If User contains #machine#, it will replace #machine# with the actual machine name if its a non-domain controller, and replace it with the actual domain name if it is a domain controller. New to 3.0: User can be a string representing the actual SID, but MUST be lead by SID# Example: SID#S-1-5-21-2127521184-160... (SID string shown has been shortened) (If any user has SID# then globally all matches must match the SID (not name) so if your intention is to apply changes to all accounts that match Domain\User then do not specify SID# as one of the users) GUI: Is for standard rights and can be: Permissions... F Full control M Modify X read & eXecute L List folder contents R Read W Write Note: If a ; is present, this will be considered a Perm;Spec parameter pair Perm: Is for "Files Only" and can be: Permissions... F Full control M Modify X read & eXecute R Read W Write Advanced... (Assumes "/SPEC G") E Synchronize D Take Ownership C Change Permissions B Read Permissions A Delete 9 Write Attributes 8 Read Attributes 7 Delete Subfolders and Files 6 Traverse Folder / Execute File 5 Write Extended Attributes 4 Read Extended Attributes 3 Create Folders / Append Data 2 Create Files / Write Data 1 List Folder / Read Data Spec is for "Folder and Subfolders only" and has the same choices as Perm. /R user Revoke specified user's access rights. (Will remove any Allowed or Denied ACL's for user) /P user:GUI Replace security permissions similar to standard choices /P user:perm;spec Replace specified user's access rights. For access right specification see /G option (/P acts like /G if there are no rights set for user) /D user:GUI Deny security permissions similar to standard choices. /D user:perm;spec Deny specified user access rights. For access right specification see /G option (/D adds to existing rights for user) /O user Change the Ownership to this user or group. /FO Always force an Ownership change using the takeown tool. /I switch Inheritance flag, if omitted default is to not touch Inherited ACL's. Switch can be: ENABLE - This will turn on the Inheritance Flag if its not on already. COPY - This will turn off the Inheritance flag and copy the Inherited ACL's into Effective ACL's REMOVE - This will turn off the Inheritance flag and will not copy the Inherited ACL's, this is the opposite of ENABLE If switch is not present, /I will be ignored and inherited ACL's will remain untouched. /SPEC switch Special Permission for Folder and Subfolders only If this switch is used, and the object is a folder, then one of the switches below would be used instead of the default. A - This Folder Only B - This Folder, Subfolders and Files (Default) C - This Folder and Subfolders D - This Folder and Files E - Subfolders and Files Only F - Subfolders Only G - Files Only /L filename Filename for Logging. This can include a path name if the file isn't under the current directory. File will be appended to, or created if it doesn't exit. Must be Text file if it exists or error will occur. If filename is omitted the default name of XCACLS.log will be used. /Q Turn on Quiet mode, its off by default. If its turned on, there will be no display to the screen. /QQ Turn on Semi-Quiet mode: show a '.' dot for every processed item. /C Ignore errors, its off by default. /DEBUG Turn on Debug mode, its off by default. If its turned on, there will be more information displayed and/or logged. Information will show Sub/Function Enter and Exit as well as other important information. /TIMEWMI Turn on to Time WMI use, only shows up in Debug Mode. /SERVER servername Enter a remote server to run script against. /USER username Enter Username to impersonate for Remote Connections (Requires PASS switch) - Will be ignored if its for a Local Connection. /PASS password Enter Password to go with USER switch (Requires USER switch) Wildcards can be used to specify more than one file in a command. Such as: * Any string of zero or more characters ? Any single character You can specify more than one user in a command. You can combine access rights.
/FO - wouldn't work unless the TAKEOWN.EXE tool was copied into a system folder. Fixed: the TAKEOWN.EXE is expected to reside in the same directory as the XXCACLS script (which is the default when you extract the contents of the downloaded XXCACLS 7zip archive!)
When /O or /FO or both are specified and objects are found
which have no or severely damaged ACLs, the /FO option is implied and
executed in an attempt to restore the ACLs for the file/directory at hand
to a workable state, after which the /F, /G and other options' settings
are performed. This behaviour has been added to help recover relatively
quickly any discs which are retrieved from failed systems and/or where
ACLs are completely b0rked. (For example when the NTFS disc had been
mounted under a Linux system before with write access and things went
belly up in a bad way.)
If you absolutely do NOT want the 'implicit TAKEOWN.EXE run' (/FO), which has a more significant effect than simply changing ownership of the given file or folder, you should refrain from using the /O and /FO options on file/folder collections which produce error reports when applying, for instance, /G or /I ENABLE actions.
The error 'Not Found' (Error Code: -2147217406 / 80041002(HEX)) error message has been adjusted to print 'Object Not Found' instead of simply 'Not Found' as it did before. This was done to prevent confusion about what is not found: the ACL object or the error description itself.
/FO - use the TAKEOWN.EXE tool to force the ownership to the Administrators. When both '/FO' and '/O user' have been specified, XCACLS.VBS will first force the ownership according to /FO to Administrators to ensure several failure causes with processing foreign discs (NTFS discs from crashes systems for instance) are forestalled, next the '/O' ownership will be applied in the same run. This provides a more stable and successful method to set explicit ownership on file systems which originate from other systems.
/C - ignore errors; very handy when processing multiple files or directories and some of those are not willing to cooperate.
/QQ - semi-quiet mode: show a '.' dot for every file and a 'D' for each directory processed. Error reports still come through including the offending file / directory, so failure diagnosis is not negatively impacted by this mode, yet the console output is dramatically decreased, compared to the default behaviour.
The GUI perm mode is now assumed any time you did not specify a ';' semicolon-separated, double list of access rights. This is done to make sure setting 'F'ull access rights is consistent in both modes: 'F'ull is equivalent to the /G permission flag set ''DCBA987654321" anyhow.
When only the '/O user' option has been specified and fetching ownership fails (i.e. you are not even permitted to read the ownership for this file/directory), XCACLS will automatically retry as if '/FO /O user' had been specified on the command line instead: see also the description of the '/FO' item in 'Added options' above.
Fixed a bug in the the script which would corrupt your specified ACLs when you specified any /G flags twice or more on the command line, e.g. when you specified '/G Administrator:ABCDA' (note the duplication of 'A').
|Files / Archives||Version||Date/Time||Quality||Notes|
|5.2.2 [i_a]||2010-05-08||Production||This is patched version of a Microsoft script; copyright remains with them.|
|5.2 [i_a]||2008-05-17||Production||This is patched version of a Microsoft script; copyright remains with them.|
(c)Copyright 2001-2009, Gerrit E.G. Hobbelt (Ger Hobbelt a.k.a. [i_a] ) - Hebbut.Net