XCACLS, SUNINACL, and other Permissions Security Recovery about several Tools

The Data Is Copied, But I Cannot Access It Permissions Security Problem

What you did not know, until just now, is that the root directory of the drive that you copied the data to had the wrong permissions assigned to it. In addition, inheritance was configured such that any data that is placed on the drive is over written with the permissions of the root directory. In this case, it was an old account that no longer existed. Believe it or not, that can happen, and system administrators will know what I am talking about. Now you are left with trying to figure out what to do. Do I format the new drive, change the permissions and inheritance on the root directory so they are correct and start all over again Do I make the changes on the root drive so they have the correct permissions and wait hours upon hours for the permissions to propagate No, there is another, very fast way of resolving this issue with XCACLS or another tool called SUBINACL.

XCALCS Quickly Resets Permissions On Directories And Files

Becasue I have limited space in this article, I am going to use XCACLS as the tool to correct this problem. However, in complex permissions structures, you will most likely want to use SUBINACL to fix the issue. I will talk about SUBINACL briefly at the end of the article.

XCACLS as a very fast tool that can set, remove, add, and change permissions on files and directories. For intance, the following command replaces all existing access rights and accounts with that of dmiller on the file file txt with read only access xcalcs file txt Y T G domain dmil error. Although that is pretty easy and helpful, what about changing all my directories and files, which I have thousands of, to allow the domain dmiller account to have full access To do this in a very fast fashion you could execute the following from the root directory of the drive for d g IN DO xcacls Y T G domain dmill error if. This will go through every directory, subdirectory, and file and replace the current permissions with dmiller having full access to the object. You will notice I put around the g in the example. This is not required, but if you have directories that have names with spaces in them you will need to have the .

What Other Ways Can I Use XCACLS To Change Security Permissions

To give you a few additional handy examples of how you can use this tool take a look at the follow command prompt methods for replacing, updating and removing accounts and permissions from large numbers of directories and files.

The following command replaces all existing access rights an accounts with that of dmiller with read only access rights
for d g IN DO xcacls g Y T G domain dmill error.

The following command does not replace existing account permissions, instead, it adds the account, in the example the local admin account, with read only permissions
for d g IN DO xcacls g Y E T G administrator

The following command removes the account administrator permissions from all directories, files, and subdirectories for d g IN DO xcacls g Y E T R administrator

This command should update all the directories and their contents to allow Domain Admins full access
for d g IN DO xcacls g Y T G Domain Admins

I did a test on my XP Pro workstation and was able to change the permissions on approximately 10000 directories and files in less 1 minute. On one of my servers I was able to achieve a 500 increase in speed. It is blazingly fast.

SUBINACL Is More Complex But Man Can It Really Save The Day

I cannot go into specifics about this tool in this article but I will tell you what it can do. And again, it does it very very fast. Using the same scenario as above, let is say that you had to fix the permissions on thousands of home directories. With SUBINACL, you can actually go to the original directories and files, use the tool to create what is called a play file, a text file that contains the right account and permissions from the source files, then use that same file to tell SUBINACL to fix the permissions on the target storage system, the one with the screwed up permissions. It is quite the life saver if you ever find yourself in the type of predicament.

Also check out CACLS. This command is inherent to Windows XP Professional.