XCACLS, SUBINACL, And Other Permissions Security Recovery Tools

Posted by Nick Niesen on October 26th, 2010

You Have 50GB Of Data To Move Along With Permissions Security

Here is a fictional scenario we can use to illustrate the use of the XCACLS tool. We need to move or copy 50GB worth of data that comprises several thousand directories containing hundreds of thousands of small files from one storage system to another. These systems happen to be part of a Windows 2000 Domain, and permissions are quite granular in definition. We start the replication of that data using a favorite replication or synchronization tool and walk away for the evening. When we return the next day, everything has copied and all looks well. That is, until you try to access the data.

The Data Is Copied, But I Cannot Access It: Permissions Security Problem

XCACLS Quickly Resets Permissions On Directories And Files

XCACLS is a very fast tool that can set, remove, add, and change permissions on files and directories. For instance, the following command replaces all existing access rights and accounts with that of "dmiller" on the file "file.txt" with read-only access:

    xcacls file.txt /Y /T /G domain\dmiller:r

Although that is pretty easy and helpful, what about changing all my directories and files, which I have thousands of, to allow the domain\dmiller account to have full access? To do this in a very fast fashion you could execute the following from the root directory of the drive:

    for /d %g IN (*.*) DO xcacls "%g" /Y /T /G domain\dmiller:f

This will go through every directory, subdirectory, and file and replace the current permissions with dmiller having full access to the object. You'll notice I put "" around the %g in the example. This is not required, but if you have directories that have names with spaces in them you will need to have the "".
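The loop above written as a batch file, as an added example that is not part of the original article: it previews the xcacls commands by default, adds the account with /E instead of replacing the whole access list, and logs every change. The account, permission and log path are placeholder assumptions; /E (edit the existing list) and /C (continue on access-denied errors) are standard xcacls switches.

```batch
@echo off
rem Added example, not from the original article.
rem ACCOUNT, PERM and LOG are assumed placeholder values; edit before use.
rem Usage: run with no argument to preview, or with "apply" to change ACLs.
setlocal
set "ACCOUNT=domain\dmiller"
set "PERM=r"
set "LOG=%TEMP%\xcacls-change.log"
set "MODE=%~1"

if /i not "%MODE%"=="apply" echo Preview only. Pass "apply" to change permissions.
>> "%LOG%" echo %DATE% %TIME% start account=%ACCOUNT% perm=%PERM% mode=%MODE%

rem In a batch file the loop variable is %%g; %g only works at the prompt.
rem FOR /D matches directories only; /T makes xcacls descend into each one.
for /d %%g in (*.*) do call :grant "%%g" /T

rem Files sitting directly in the starting directory need their own pass.
for %%f in (*.*) do call :grant "%%f"

>> "%LOG%" echo %DATE% %TIME% done
echo Log written to %LOG%
endlocal
goto :eof

:grant
rem /E edits the existing ACL, so entries for other accounts are kept.
rem /C continues past access-denied errors, which are captured in the log.
if /i "%MODE%"=="apply" (
    xcacls %1 %2 /E /C /Y /G %ACCOUNT%:%PERM% >> "%LOG%" 2>&1
) else (
    echo would run: xcacls %1 %2 /E /C /Y /G %ACCOUNT%:%PERM%
)
goto :eof
```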
What Other Ways Can I Use XCACLS To Change Security Permissions

The following command replaces all existing access rights and accounts with that of dmiller with read-only access rights:

The following command does not replace existing account permissions; instead, it adds the account, in the example the local admin account, with read-only permissions:

The following command removes the account "administrator" permissions from all directories, files, and subdirectories:

    for /d %g IN (*.*) DO xcacls "%g" /Y /E /T /R administrator

This command should update all the directories and their contents to allow Domain Admins full access:

I did a test on my XP Pro workstation and was able to change the permissions on approximately 10000 directories and files in less than 1 minute. On one of my servers I was able to achieve a 500% increase in speed. It is blazingly fast.

SUBINACL Is More Complex But Man Can It Really Save The Day

Also check out "CACLS". This command is inherent to Windows XP Professional.

Conclusion

You may reprint or publish this article free of charge as long as the bylines are included.