You've installed a domain controller with 200 user accounts. Now you have to create home directories for the users. Because you're a well-read Windows NT administrator, you know that User Manager for Domains can do much of that work for you. Your only problem is that User Manager for Domains sets a directory's permissions to full control for its user, which means you won't have access to those directories.
How can you add your user account to each directory's access control list (ACL) without replacing the directory's current owner? You have two options. You can make the change in each directory, one at a time, or you can use Extended Change Access Control List (XCACLS).
XCACLS is an improved version of the NT command-line tool CACLS, which surprisingly few people know about. XCACLS lets you change the ACLs of files and directories on NTFS volumes (although it can't modify permissions on file shares). Here's the syntax for XCACLS:
<file/directoryname> /g <username>:<desired_file_ACLs>;[<desired_directory_ACLs>] [/e] [/t] [/y]
The first parameter in XCACLS specifies the names of the files and directories whose ACLs you want to change. When you give XCACLS a file or directory name, the tool reports current permissions. For example, if I want to see the permissions on directory F1, I type
This query produces the following output:
Two users have permissions on directory F1: Fred, whose account resides on MYNTWS, and MarkA, who has an account on the domain ORION. Each user produces two lines of XCACLS output: one for file permissions and one for directory permissions. The F at the end of each line stands for full control. Both Fred and MarkA have full control in file and directory permissions. According to Microsoft, (OI), (IO), and (CI) refer to inheritance information. I can't say I understand what they do, but in my experience, file permissions lines always begin with (OI) (IO), and directory permissions lines always begin with (CI).
The /G option in XCACLS lets you specify which permissions you want to grant a user. The /G option has three parts. The first part contains the user's name, such as ORION\MarkA, followed by a colon. The second part specifies the file permissions you want to give the user, followed by a semicolon. The third part specifies the directory permissions you want to give the user. You must always set file permissions, but you can choose not to set directory permissions. The permissions values you can choose from are R (read and execute), C (write and delete), F (full control), P (change permissions), O (take ownership), X (execute), E (read only), W (write), and D (delete). To grant MarkA on domain ORION full control of directory F1, I enter
xcacls f1 /g orion\marka:f;f
However, this command wipes out all previous permissions on F1.
If you want to add to file or directory permissions information without eliminating existing permissions, you can use the /E (Edit) switch. If I add /E to the end of the previous command line, XCACLS will give MarkA full control on F1 but will not delete any existing permissions on F1's ACL. If I add the /T option to the end of the command line, XCACLS will ripple the permissions change all the way down the subdirectory tree.
Suppose MarkA is an administrator who wants to add full control for himself to all the home directories located in a directory called E:\Users, without disturbing user access to those directories. He can type
xcacls e:\users\*.* /g orion\marka:f;f /e
Now, suppose MarkA wants to kick all the users off their directories, because he is decommissioning a server. He could just leave the /E off his command, but then XCACLS would bug him with an Are you sure? prompt for every directory. Instead, he can use the /Y switch, which automatically answers all the prompts with Yes. His command line would look like
xcacls e:\users\*.* /g orion\marka:f;f /y
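A small checker for the /G syntax described above, added here as an illustration; it is not part of the original article or of XCACLS itself. It parses an xcacls command line before it goes into a maintenance script and flags the cases the article warns about: without /E the existing ACL is replaced, and /Y removes the confirmation prompt. The function names and finding labels are hypothetical, and it assumes several permission letters can be combined in one field.

```python
import shlex
from collections import namedtuple

PERMS = set("RCFPOXEWD")          # permission letters listed in the article
SWITCHES = {"/e", "/t", "/y"}     # switches shown in the article's syntax line
Grant = namedtuple("Grant", "target user file_perms dir_perms edit recurse yes")

def parse(line):
    """Parse: xcacls <target> /g <user>:<file_perms>[;<dir_perms>] [/e] [/t] [/y]"""
    tok = shlex.split(line, posix=False)   # posix=False keeps backslashes intact
    if len(tok) < 4 or tok[0].lower() != "xcacls" or tok[2].lower() != "/g":
        raise ValueError("not an xcacls /g command: " + line)
    user, colon, perms = tok[3].rpartition(":")
    if not colon or not user:
        raise ValueError("expected <username>:<permissions> after /g")
    file_perms, _, dir_perms = perms.upper().partition(";")
    if not file_perms:
        raise ValueError("file permissions are mandatory")
    # Assumption: several letters may be combined in one permission field.
    bad = set(file_perms + dir_perms) - PERMS
    if bad:
        raise ValueError("unknown permission letter(s): " + "".join(sorted(bad)))
    sw = {t.lower() for t in tok[4:]}
    if sw - SWITCHES:
        raise ValueError("unsupported switch: " + " ".join(sorted(sw - SWITCHES)))
    return Grant(tok[1].strip('"'), user, file_perms, dir_perms,
                 "/e" in sw, "/t" in sw, "/y" in sw)

def findings(g):
    """Flag the behaviours the article warns about."""
    out = []
    if not g.edit:
        out.append("REPLACES-ACL")    # without /E, previous permissions are wiped
        if g.yes:
            out.append("NO-PROMPT")   # /Y answers the confirmation automatically
    if g.recurse:
        out.append("RECURSIVE")       # /T carries the change down the tree
    return out

if __name__ == "__main__":
    # The three command lines from the article, used as sample input.
    for cmd in (r"xcacls f1 /g orion\marka:f;f",
                r"xcacls e:\users\*.* /g orion\marka:f;f /e",
                r"xcacls e:\users\*.* /g orion\marka:f;f /y"):
        print(findings(parse(cmd)) or ["OK"], cmd)
```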
Get to know XCACLS, and it'll come in handy any time you need to create automated backup scripts or perform home directory maintenance. XCACLS is an ACL power tool.