Xcacls.exe can set all file-system security options accessible in Windows Explorer from the command line.
" XcAcls does this by displaying and modifying the access control lists (ACLs) of files.
XcAcls is especially useful in unattended installations of Microsoft Windows 2000 Professional or Server. By using this tool, you can set the initial access rights for folders in which the operating system resides. When you distribute software to servers or workstations, XcAcls also offers one-step protection against deletion of directories or files by users.
xcacls filename \[/T\] \[/E\] \[/C\] \[/G user:perm;spec\] \[/R user\] \[/P user:perm;spec \[...\]\] \[/D user \[...\]\] \[/Y\] filename - Indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) is typically applied. All standard wildcard characters can be used. /T - Recursively walks through the current directory and all its subdirectories, applying the chosen access rights to the matching files or directories. /E - Edits the ACL instead of replacing it. Only the Administrator has access to TEST.DAT if you specify the following command line: XCACLS test.dat /G Administrator:F All ACEs applied earlier are lost. /C - Causes XcAcls to continue if an "access denied" error occurs. If /C is not specified, XcAcls stops on this error. /G user:perm;spec - Grants access to user to the matching file or directory. The perm variable applies the specified access right to files and represents the special file-access-right mask for directories. The Perm variable accepts the following values: R Read C Change (write) F Full Control P Change Permissions (special access) O Take Ownership (special access) X Execute (special access) E Read (Special access) W Write (Special access) D Delete (Special access) T ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between a semicolon (;) and T are ignored. (Special value) The spec variable applies only to directories and accepts the same values as perm. Notes The access options for files (for directories, special file and directory access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation. All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ. /R user - Revokes all access rights for the specified user. /P user:perm;spec - Replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. /D user - denies user access to the file or directory. /Y - Disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that XcAcls can be used in batch mode."