TOPIC: CACLS
Command line setting of Windows file attributes
11th February 2012
Aside from permissions that can be set using the cacls command, Windows files have properties like read only, archive and hidden. Of course, these are not the same as, or as robust as, access permissions, but they may have a use in stopping accidental updates to files when you don't have access to the cacls command. While you could set these attributes using the properties page of any file, executing the attrib command on the Windows command line is more convenient. Here are some possible usage options:
Set the read-only flag on a file:
attrib +r test.txt
Remove the read-only flag from a file (found a use for this one recently):
attrib -r test.txt
Set the archive flag on a file:
attrib +a test.txt
Remove the archive flag from a file:
attrib -a test.txt
Set the hidden flag on a file:
attrib +h test.txt
Remove the hidden flag from a file:
attrib -h test.txt
Using the /s option and wildcards processes a number of files at a time and /d applies the command to directories. They could come in handy when removing read only attributes (also called bits in places) from files copied from read only optical media, such as CDs and DVDs.
Using the Windows Command Line for Security Administration
24th July 2009
While there are point and click tools for the job, being able to set up new user groups, attach them to folders and assign users to them using the command line has major advantages when there are a number to be set up and logs of execution can be retained too. In light of this, it seems a shame that terse documentation along with the challenge of tracking down answers to any questions using Google, or whatever happens to be your search engine of choice, makes it less easy to discern what commands need to be run. This is where a book would help, but the whole experience is in direct contrast to the community of information providers that is the Linux user community, with Ubuntu being a particular shining example. Saying that, the Windows help system is not so bad once you can track down what you need. For instance, knowing that you need commands like CACLS and NET LOCALGROUP, the ones that have been doing the back work for me, it offers useful information quickly enough. To illustrate the usefulness of the aforementioned commands, here are a few scenarios.
Creating a new group:
net localgroup [name of new group] /comment:"[more verbose description of new group]" /add
Add a group to a folder:
cacls [folder address] /t /e /p [name of group]
The /t switch gets cacls to apply changes to the ACL for the specified folder and all its subfolders, a recursive action in other words, while /e specifies ACL editing rather than its replacement and /p induces replacement of permissions for a given user or group. Using :n, :f, :c or :r directly after the name of a specified user or group assigns no, full, change (write) or read access, respectively. Replacing /p with /r revokes access, and leaving off the :n/:f/:c/:r will remove the group or user from the folder.
Add a user to a group:
net localgroup [name of group] [user name (with domain name if on a network)] /add
In addition to NET LOCALGROUP, there is also NET GROUP for wider network operations, something that I don't have cause to do. Casting the thinking net even wider, I suspect that VB scripting and its ability to tweak the Windows Management Interface might offer more functionality than what is above (PowerShell also comes to mind while we are on the subject) but I am sharing what has been helping me, and it can be difficult to find if you don't know where to look.
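The three steps above (create the group, add it to the folder, add users to it) combined into one batch file that keeps a log of each run, as an added example that is not from the original post. The group name, folder path, user names and log file name are hypothetical placeholders, and read access (:r) is an assumed choice.

```batch
@echo off
rem Added example: group creation, folder ACL edit and membership in one logged run.
rem GROUP, FOLDER, USERS and LOG are hypothetical placeholder values.
setlocal
set "GROUP=ProjectReaders"
set "FOLDER=D:\Projects\Reports"
set "USERS=EXAMPLE\alice EXAMPLE\bob"
set "LOG=%~dp0acl-setup.log"

>>"%LOG%" echo ==== %DATE% %TIME% run by %USERNAME% ====

rem Stop if the target folder is missing, so a typo in FOLDER is caught
rem before any group is created or any ACL is touched.
if not exist "%FOLDER%\" (
    >>"%LOG%" echo ERROR: folder not found: %FOLDER%
    goto :fail
)

rem 1. Create the group only if it does not already exist.
rem    "net localgroup <name>" alone lists the group and fails if it is absent.
net localgroup "%GROUP%" >nul 2>&1
if errorlevel 1 (
    net localgroup "%GROUP%" /comment:"Read access to %FOLDER%" /add >>"%LOG%" 2>&1
    if errorlevel 1 goto :fail
)

rem 2. Edit (/e) rather than replace the ACL, recursively (/t), and set the
rem    group's permission (/p) to read (:r) instead of change or full.
cacls "%FOLDER%" /t /e /p "%GROUP%:r" >>"%LOG%" 2>&1

rem 3. Add each user. A user who is already a member makes net report an
rem    error; it is written to the log and the loop carries on.
for %%U in (%USERS%) do (
    net localgroup "%GROUP%" "%%U" /add >>"%LOG%" 2>&1
)

rem 4. Record the resulting membership and folder ACL so the run can be reviewed.
net localgroup "%GROUP%" >>"%LOG%" 2>&1
cacls "%FOLDER%" >>"%LOG%" 2>&1
echo Done. See %LOG%
exit /b 0

:fail
echo FAILED. See %LOG%
exit /b 1
```

Run it from an elevated command prompt, since creating local groups needs administrator rights. On current Windows versions cacls reports itself as deprecated in favour of icacls; it is used here because it is the command the post describes.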