
Improper use of this program can be disastrous. SteelWerx is not liable for any damage done due to the (mis)use of its programs. By using these applications, you are accepting all responsibilities associated, and will use them at your own risk.


For every program you need an introduction as to why, so here goes:

This program is all about managing users' rights to files and folders on a computer, so before we come to an explanation of the program itself, first a historical overview of user rights management.

Every Operating System has to have a way to keep unauthorized computer users out of files. The reason for this is simple: employees have no business with the company's books, a letter of your mom's is still her letter, not yours, etc.

The question is: how does Windows do this? That depends on the version of Windows you are talking about. In Windows 95, 98 and Millennium Edition, user rights are a joke. They are non-existent. Programs themselves had to keep confidential information out of sight. They did this by changing attributes to make files hidden, by encrypting the contents, etc.

After these W9x Operating Systems came the network version of Windows, Windows NT. This had user management! To be able to use Windows NT you had to login, and a new filesystem (the internal layout of the hard disc) had been devised that supported permissions management. This filesystem, called NTFS (New Technology File System), was understood and supported by all Operating Systems based on Windows NT.

In Windows 2000 and Windows XP you have to login to use the computer. This can still be as simple as clicking on a name in the Windows XP Welcome screen, but still...

To the system, you are a user. And this user has permissions to access files and folders. Based on who you are, certain parts of the Registry are read-only, or not visible at all.

The same goes for many other parts of Windows: who you are determines whether you can stop and start a service, for example.

How does Windows keep track of the permissions? Now we come to a more difficult and abstract part. Even though all of the following applies equally to every kind of object Windows protects (Registry keys, files, folders, services, processes, etc.), I will only give examples with files and folders.

To understand how Windows keeps track of permissions, we have to clarify a few keywords in Rights management.

Now that we know the basics of permissions, we get down to the how... As I said I will be focusing on files and folders, so let's roll.

In Windows NT you can right-click on a file and choose "Properties"; this opens a new window with a few tabs, one of them being "Security".

Huh??? You did just that and you don't see the tab!!! No sweat, let me guess: you are running Windows XP and have Simple File Sharing on. You can check that in "Folder Options" on the "View" tab. There is a checked checkbox next to "Use simple file sharing (recommended)". If you uncheck that and click "Apply" you will see the "Security" tab. XP Pro gives you the choice of disabling this, but in Windows XP Home it is locked. By the way, you will also see this tab page when you are in Safe Mode on Windows XP.

Now that you have the tab open, you can see a list of users and groups and the permissions belonging to them. These are the generic permissions I talked about earlier. If you click on "Advanced" you can see the specific rights on the "Permissions" tab page, the current owner on the "Owner" page and, on the "Auditing" page, the actions that will be logged.

You can change all you want on these pages, even if you kick yourself out. As long as you are the Owner or have access to an account in the Administrators group you can reclaim Ownership and give yourself full control again.

Now that we know all this, we come to those computers that are still on Simple File Sharing. You are confronted with a stubborn file that you cannot do anything with, and want to change the permissions on it. You have several possibilities to do that. Windows NT comes with a program called CACLS that you can use to change Access Control Lists. But this program comes with a few nasty surprises: you cannot use it to change Ownership or to give specific permissions. What is even worse is that, since it is a legacy program from Windows NT, it doesn't support the "new" inheritance possibilities introduced with Windows 2000. See the part about inheritance earlier in this tutorial.

There is also a program called XCACLS, a Microsoft program you can download which lets you change Ownership and specific permissions, but it still suffers from the inheritance problem. This program is also available as a Visual Basic script, but that is no better.

There is also a program called SUBINACL that can do the job, but it doesn't even speak of inheritance, so I wouldn't trust it not to mess up the inheritance of files and folders.


Now we get to the main program, SWXCACLS. This is a recoding of the SWXCACLS VBScript I mentioned earlier, though I have added a few more options and changed some others. I will show the differences in bold.

First an explanation of the commandline:

SWXCACLS filename [/P | /E] [[/G user:GUI;Spec/Inh] [/GX:GUI;Spec/Inh] [...]]
   [[/D user:GUI;Spec/Inh] [/DX:GUI;Spec/Inh] [...]]
   [[/R user] [/RX] [...]] [/I ENABLE|COPY|REMOVE]
   [/SPEC A|B|C|D|E|F|G] [/S] [/L filename] [/Q]
   [[/O user]| /OA | /OM ] [/RESET ENABLE|COPY|REMOVE] [/VERBOSE]
filename [Required]

If used alone, it displays the ACLs. Otherwise the given actions will be executed on the file. If you don't give a complete path, I expect the file to be in the current directory. Put the filename in double quotes if it contains spaces or special characters such as &, $, #, etc.

If filename is a directory, the given actions will be executed only on the directory, not on the files and subdirectories in the directory. Use /I or /SPEC to tell the program what to do with these.

Wildcards can be used to specify more than one file in a command. The possible wildcards are:

  • * - Any string of zero or more characters
  • ? - Any single character

Note: To apply commands to all files (*.*), set the permissions on the folder instead of on all the files.

/P

Replaces permissions. New permissions will be as specified in the /G and /D statements.

/E

Edits the Access Control List instead of replacing it.
/G

/G User:GUI;Spec/Inh and /GX:GUI;Spec/Inh

These grant the specified User or Group the given access rights. Unless /P is in the command line, this will never touch the rights for other users.

User

If User has spaces in it, surround it in quotes.

User can be a string representing the actual SID, but it MUST be preceded by SID#

Example: SID#S-1-5-21-2127521184-160...

(SID string shown has been shortened)

(If any user has SID#, then globally all matches must match the SID (not the name), so if your intention is to apply changes to all accounts that match User, do not specify SID# for any of the users.)

GUI

Is for standard rights and can be:
  • F - Full control
  • M - Modify
  • X - Read & eXecute
  • L - List folder contents
  • R - Read
  • W - Write
Spec

Is for specific rights and can be:
  • E - Synchronize
  • D - Take Ownership
  • C - Change Permissions
  • B - Read Permissions
  • A - Delete
  • 9 - Write Attributes
  • 8 - Read Attributes
  • 7 - Delete Subfolders and Files
  • 6 - Traverse Folder / Execute File
  • 5 - Write Extended Attributes
  • 4 - Read Extended Attributes
  • 3 - Create Folders / Append Data
  • 2 - Create Files / Write Data
  • 1 - List Folder / Read Data
Inh

Inheritance override. For possible choices see /SPEC switch.

This is new in comparison to the script. The original script only gave you the opportunity to state one inheritance scheme that would be applied to everyone. This way you can give someone a different inheritance scheme from the rest.

/GX

/GX:GUI;Spec/Inh

You can define permissions for predefined groups by using the X variants of the switches. The following switches have been defined:

  • A - Administrators
  • U - (Limited) Users
  • G - Guests
  • O - Owner
  • P - (Power) Users
  • S - Local System
  • E - Everyone
  • M - Current User

The possible parameters for GUI, Spec and Inh are explained by /G.

/D

/D User:GUI;Spec/Inh and /DX:GUI;Spec/Inh

Deny the given user access.

/R

/R User and /RX

Revoke specified user's access rights. This will remove any Allowed or Denied ACLs for user.

/I

/I Switch

Inheritance flag, if omitted default is to not touch Inherited ACLs. Switch can be:

  • ENABLE - This will turn on the Inheritance flag if it's not on already. The net result is that Inherited ACLs become active on the file/folder
  • COPY - This will turn off the Inheritance flag and copy the Inherited ACLs into Effective ACLs
  • REMOVE - This will turn off the Inheritance flag and will not copy the Inherited ACLs, this is the opposite of ENABLE

If switch is not present, /I will be ignored and Inherited ACLs will remain untouched.

/RESET

/RESET [Switch]

Resets all permissions to the given ones. Use this sparingly, because this switch will keep everyone out if the /G and /D switches are specified that way! Owner will be reset to the Administrators group, so it is possible for members of that group to re-evaluate permissions.

Owner will also receive Full Access permissions, other permissions should be specified in GRANT/DENY statements.

Switch can be the same as with /I. This switch is only used on the root folder. Default of switch is ENABLE

This command can only be used on folders. To change permissions on files, use GRANT/DENY statements.
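The three choices for /I (and for the switch on /RESET) are easiest to understand as operations on the folder's own DACL: ENABLE clears the "protected" bit and lets the parent's inheritable ACEs flow in again, COPY sets the bit and turns the inherited ACEs into explicit ones, REMOVE sets the bit and drops them, which is why a REMOVE with no /G statements keeps everyone out. The following model, added here as an example and not code from SWXCACLS, shows those three outcomes. The ACE flags and the SE_DACL_PROTECTED control bit are the Windows SDK values; the parent folder, its ACEs and the "Payroll" subfolder are constructed sample data.

```python
"""Model of what /I ENABLE, COPY and REMOVE (and the same switch on /RESET)
do to a folder's DACL.

Added example, not code from SWXCACLS. ACE flags and the SE_DACL_PROTECTED
control bit are the Windows SDK values; the parent folder, its ACEs and the
"Payroll" subfolder are constructed sample data.
"""
from dataclasses import dataclass, field, replace

OBJECT_INHERIT_ACE = 0x01     # ACE flows to files in the folder
CONTAINER_INHERIT_ACE = 0x02  # ACE flows to subfolders
INHERIT_ONLY_ACE = 0x08       # ACE does not apply to the object carrying it
INHERITED_ACE = 0x10          # ACE came from the parent (an "Inherited ACL")
SE_DACL_PROTECTED = 0x1000    # descriptor control bit: the Inheritance flag is OFF


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    flags: int = 0
    deny: bool = False


@dataclass
class Dacl:
    control: int = 0
    aces: list = field(default_factory=list)

    def inherited(self):
        return [a for a in self.aces if a.flags & INHERITED_ACE]

    def explicit(self):
        return [a for a in self.aces if not a.flags & INHERITED_ACE]


def propagate(parent_ace, child_is_folder):
    """Return the copy of a parent's ACE that a child would inherit, or None."""
    if child_is_folder:
        if not parent_ace.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE):
            return None
        flags = (parent_ace.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)) | INHERITED_ACE
        if not parent_ace.flags & CONTAINER_INHERIT_ACE:
            # a files-only ACE is carried through the subfolder without applying to it
            flags |= INHERIT_ONLY_ACE
    else:
        if not parent_ace.flags & OBJECT_INHERIT_ACE:
            return None
        flags = INHERITED_ACE  # a file is a leaf; nothing inherits from it
    return replace(parent_ace, flags=flags)


def apply_inheritance(dacl, parent_aces, switch, child_is_folder=True):
    """Apply the /I switch. Explicit ACEs stay in front of inherited ones,
    which is the canonical order Windows expects."""
    switch = switch.upper()
    explicit = dacl.explicit()
    if switch == "ENABLE":
        flowed = []
        for ace in parent_aces:
            inherited = propagate(ace, child_is_folder)
            if inherited is not None:
                flowed.append(inherited)
        return Dacl(dacl.control & ~SE_DACL_PROTECTED, explicit + flowed)
    if switch == "COPY":
        copied = [replace(a, flags=a.flags & ~INHERITED_ACE) for a in dacl.inherited()]
        return Dacl(dacl.control | SE_DACL_PROTECTED, explicit + copied)
    if switch == "REMOVE":
        return Dacl(dacl.control | SE_DACL_PROTECTED, explicit)
    raise ValueError(f"unknown switch {switch!r}; expected ENABLE, COPY or REMOVE")


# Constructed sample: the parent's inheritable ACEs and one explicit Deny on the child.
PARENT_ACES = [
    Ace("BUILTIN\\Administrators", 0x1F01FF, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE),
    Ace("BUILTIN\\Users", 0x1200A9, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE),
]
GUEST_DENY = Ace("BUILTIN\\Guests", 0x1F01FF, deny=True)


def demo():
    """Walk the Payroll subfolder through ENABLE, COPY and REMOVE."""
    payroll = apply_inheritance(Dacl(aces=[GUEST_DENY]), PARENT_ACES, "ENABLE")
    copied = apply_inheritance(payroll, PARENT_ACES, "COPY")
    removed = apply_inheritance(payroll, PARENT_ACES, "REMOVE")
    return payroll, copied, removed


if __name__ == "__main__":
    for name, d in zip(("ENABLE", "COPY", "REMOVE"), demo()):
        print(f"{name}: protected={bool(d.control & SE_DACL_PROTECTED)}, "
              f"explicit={len(d.explicit())}, inherited={len(d.inherited())}")
```

After REMOVE the only ACE left on Payroll is the Deny for Guests, so nobody but the owner can get back in without a /G statement; that is the situation the /RESET warning above describes. COPY leaves the same three ACEs in place but with INHERITED_ACE cleared, which is why a later change on the parent no longer reaches the subfolder.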

/SPEC

/SPEC Switch

Special permission for folders and subfolders only. If this switch is used and the object is a folder, one of the choices below is used instead of the default.

  • A - This Folder Only
  • B - This Folder, Subfolders and Files (Default)
  • C - This Folder and Subfolders
  • D - This Folder and Files
  • E - Subfolders and Files Only
  • F - Subfolders Only
  • G - Files Only
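The GUI, Spec and Inh letters of the /G and /D switches and the /SPEC letters above map directly onto what Windows stores in an ACE: an access mask and a set of inheritance flags. The following decoder, added here as an example and not code from SWXCACLS, turns a "GUI;Spec/Inh" specification into those two values and reads a mask back as Spec letters. The single-bit values are the Windows SDK file-access constants; the composite values for the generic rights are assumed to be the Security-tab presets, and the default of "B" when no Inh is given is likewise an assumption taken from the /SPEC list.

```python
"""Decode a SWXCACLS-style "GUI;Spec/Inh" rights specification into the
Windows access mask and ACE inheritance flags it stands for.

Added example, not code from SWXCACLS. The single-bit values are the
Windows SDK file-access constants (winnt.h); the composite values for the
generic rights are assumed to be the Security-tab presets (the values the
SDK FILE_GENERIC_* constants and icacls use).
"""

# Specific rights. The tutorial's Spec letters 1-9 and A-E list these in
# ascending bit order, which is why the mapping is this regular.
SPEC_BITS = {
    "1": 0x00000001,  # FILE_READ_DATA / FILE_LIST_DIRECTORY
    "2": 0x00000002,  # FILE_WRITE_DATA / FILE_ADD_FILE
    "3": 0x00000004,  # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    "4": 0x00000008,  # FILE_READ_EA
    "5": 0x00000010,  # FILE_WRITE_EA
    "6": 0x00000020,  # FILE_EXECUTE / FILE_TRAVERSE
    "7": 0x00000040,  # FILE_DELETE_CHILD
    "8": 0x00000080,  # FILE_READ_ATTRIBUTES
    "9": 0x00000100,  # FILE_WRITE_ATTRIBUTES
    "A": 0x00010000,  # DELETE
    "B": 0x00020000,  # READ_CONTROL   (Read Permissions)
    "C": 0x00040000,  # WRITE_DAC      (Change Permissions)
    "D": 0x00080000,  # WRITE_OWNER    (Take Ownership)
    "E": 0x00100000,  # SYNCHRONIZE
}

# Generic rights (assumed preset values, see the module docstring).
GENERIC_MASKS = {
    "F": 0x001F01FF,  # Full control: every bit in SPEC_BITS
    "M": 0x001301BF,  # Modify: Full control minus 7, C and D
    "X": 0x001200A9,  # Read & execute
    "L": 0x001200A9,  # List folder contents: same bits as X, meant for folders only
    "R": 0x00120089,  # Read
    "W": 0x00120116,  # Write (FILE_GENERIC_WRITE)
}

# ACE inheritance flags (winnt.h) keyed by the tutorial's /SPEC and Inh letters.
OBJECT_INHERIT_ACE = 0x1
CONTAINER_INHERIT_ACE = 0x2
INHERIT_ONLY_ACE = 0x8
INH_FLAGS = {
    "A": 0,                                                             # This folder only
    "B": OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,                    # This folder, subfolders and files
    "C": CONTAINER_INHERIT_ACE,                                         # This folder and subfolders
    "D": OBJECT_INHERIT_ACE,                                            # This folder and files
    "E": OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, # Subfolders and files only
    "F": CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,                      # Subfolders only
    "G": OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE,                         # Files only
}


def parse_rights(spec, default_inh="B"):
    """Parse "GUI;Spec/Inh" and return (access_mask, ace_flags).

    Any part may be empty and letters within a part may be combined
    ("RW", "M;CD"). An unknown letter raises ValueError instead of
    silently granting nothing.
    """
    rights, _, inh = spec.partition("/")
    generic, _, specific = rights.partition(";")
    mask = 0
    for ch in generic.upper():
        if ch not in GENERIC_MASKS:
            raise ValueError(f"unknown generic right {ch!r}")
        mask |= GENERIC_MASKS[ch]
    for ch in specific.upper():
        if ch not in SPEC_BITS:
            raise ValueError(f"unknown specific right {ch!r}")
        mask |= SPEC_BITS[ch]
    inh = (inh or default_inh).upper()
    if inh not in INH_FLAGS:
        raise ValueError(f"unknown inheritance choice {inh!r}")
    return mask, INH_FLAGS[inh]


def decode_mask(mask):
    """Name the specific rights in an access mask as the tutorial's Spec
    letters, so a decoded ACE can be read back; the generic bits in the top
    nibble (0xF0000000) are not file rights and are ignored."""
    return [letter for letter, bit in SPEC_BITS.items() if mask & bit]


if __name__ == "__main__":
    for spec in ("M;CD/C", "RW", "R"):
        mask, flags = parse_rights(spec)
        print(f"{spec:8} -> mask {mask:#010x} flags {flags:#x} = {''.join(decode_mask(mask))}")
```

Reading "R" back with decode_mask gives 1, 4, 8, B and E: the Read preset is List Folder/Read Data, Read Extended Attributes, Read Attributes, Read Permissions and Synchronize, which is what the "Advanced" page shows when you expand it. Combining "M;CD" yields everything but Delete Subfolders and Files (7), so a grant written that way is one specific right short of Full control.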

/S

Execute on subfolders and files as well. This switch only works with wildcards.

/L

/L [Filename]

Filename for logging. This can include a path if the file isn't under the current directory. The file will be appended to, or created if it doesn't exist. It must be a text file if it exists, or an error will occur.

If filename is omitted the default name of SWXCACLS.log will be used.

/Q

Turns on Quiet mode; it's off by default. If it's turned on, nothing will be displayed on the screen.

/O

/O User

Change the Ownership to this user or group.

/OA

Change the Ownership to the Administrators group.

/OM

Change the Ownership to the Current User.

/VERBOSE

Display everything there is to know inside the Security Descriptor. Information will be presented using symbols from the Windows Software Development Kit.

You can specify more than one user in a command.

You can combine access rights.

Updates

- (1 June 2012, v. 1.0.2.1): got rid of a permissions parsing bug.

- (14 April 2007, v. 1.0.2.0): changed the /RESET command a bit, as it was possible to use it with a filename.

- (26 November 2006): got rid of an Access Violation that occurred when, for some reason, the system could not open the file/folder you asked about.

Now that you've read about the pitfalls and possibilities of this program, click the download link to download it.

<NOTE !!!!>
The following assumptions have been made for the use of this program!