Windows NT allows you to set the access priveleges for directories and files from Windows Explorer. However, setting accesss priveleges using Windows Explorer completely replaces the previous access priveleges. To change the access priveleges more selectively, you can use the CACLS (Change Access Control Lists) command. For example, you can deny access to a user without changing any access priveleges assigned to or set by other users.
When you run CACLS without any parameters, it will display the following help:
Displays or modifies access control lists (ACLs) of files
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm
[...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
.
Perm can be: R Read
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid
with /E).
/P user:perm Replace specified user's access rights.
Perm can be: N None
R Read
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
Typicall access priveleges for individual user files and directories are:
System: Full Control
Administrators: Full Control
Backup Operators: Read Only
User: Full Control
All other users: None
The Security tab of the Properties shows the following access priveleges:
Figure 46. File and Directory Permissions
The corresponding access priveleges as reported by CACLS are:
D:\Users\Andy FALCON\Andy:(OI)(IO)F
FALCON\Andy:(CI)F
BUILTIN\Administrators:(OI)(IO)F
BUILTIN\Administrators:(CI)F
NT AUTHORITY\SYSTEM:(OI)(IO)F
NT AUTHORITY\SYSTEM:(CI)F
BUILTIN\Backup Operators:(OI)(IO)(special
access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Backup Operators:(CI)R
The file CACLS.EXE is placed in the \Winnt\System32 directory and so is accessible from any directory.