How to grant directory permissions to a user using the command line in Windows?

Posted on 2024-09-03 11:32:28

How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?


箹锭⒈辈孓 2024-09-10 11:32:28

As of Vista, cacls is deprecated. Here's the first couple of help lines:

C:\>cacls
NOTE: Cacls is now deprecated, please use Icacls.

Displays or modifies access control lists (ACLs) of files

You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:

C:\>icacls "D:\test" /grant John:(OI)(CI)F /T

According to MS documentation:

  • F = Full Control
  • CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
  • OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
  • /T = Apply recursively to existing files and sub-folders. (OI and CI only apply to new files and sub-folders). Credit: comment by @AlexSpence.

For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here

心房的律动 2024-09-10 11:32:28

You can also use ICACLS.

To grant the Users group Full Control to a folder:

>icacls "C:\MyFolder" /grant Users:F

To grant Modify permission to IIS users for C:\MyFolder (if you need IIS to be able to read/write files in a specific folder):

>icacls "C:\MyFolder" /grant IIS_IUSRS:M

If you do ICACLS /? you will be able to see all available options.

飘落散花 2024-09-10 11:32:28

Open a Command Prompt, then execute this command:

icacls "c:\somelocation\of\path" /q /c /t /grant Users:F

F gives Full Access.

/q /c /t applies the permissions to subfolders.

Note: Sometimes "Run as Administrator" will help.

红墙和绿瓦 2024-09-10 11:32:28

Use cacls command. See information here.

CACLS files /e /p {USERNAME}:{PERMISSION}

Where,

/p : Set new permission

/e : Edit permission and keep old permission as it is, i.e. edit ACL instead of replacing it.

{USERNAME} : Name of user

{PERMISSION} : Permission can be:

R - Read

W - Write

C - Change (write)

F - Full control

For example, grant Rocky Full (F) control with the following command (type at the Windows command prompt):

C:> CACLS files /e /p rocky:f

Read the complete help by typing the following command:

C:> cacls /?

红颜悴 2024-09-10 11:32:28

I tried the way below and it worked for me:

  1. open cmd.exe
  2. takeown /R /F *.*
  3. icacls * /T /grant [username]:(D)

This way the files come under my ownership and I get the "Delete" permission, and then I can delete the files and folders.

电影里的梦 2024-09-10 11:32:28

Corrupt Permissions: Regaining access to a folder and its sub-objects

Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:

icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T  

For Windows 10 the user/SID must be specified after the /remove:d option:

icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T  

Notes:

  1. The command is applied to the specified directory.

  2. Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.

  3. The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.

  4. The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.

  5. The "F" parameter (i.e. the permission created) makes this a grant of FULL control.

  6. The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.

  7. The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently.

ADDENDUM (2019/02/10) -

The Windows 10 command line above was kindly suggested to me today, so here it is. I haven't got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).

The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don't need to specify a user after /remove:d but I might be wrong about that!

ADDENDUM (2019/11/21) -

User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can't test this proposal, but it seems reasonable.

高跟鞋的旋律 2024-09-10 11:32:28

I struggled with this for a while and only combining the answers in this thread worked for me (on Windows 10):
1. Open cmd or PowerShell and go to the folder with files
2. takeown /R /F .
3. icacls * /T /grant dan:F

Good luck!

鸢与 2024-09-10 11:32:28

I use an Excel VBA script to provision and create accounts. I needed to grant full permissions on the folder and subfolders that were created by the tool using our administrator's 'x' account to our new user.

cacls looked something like this:
cacls \FileServer\Users\Username /e /g Domain\Username:C

I needed to migrate this code to Windows 7 and beyond. My solution turned out to be:

icacls \FileServer\Users\Username /grant:r Domain\Username:(OI)(CI)F /t

/grant:r - Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions

(OI)(CI) - This folder, subfolders, and files.

F - Full Access

/t - Traverse all subfolders to match files/directories.

What this gave me was a folder on this server where the user could only see that folder and created subfolders, and where they could read and write files, as well as create new folders.

天荒地未老 2024-09-10 11:32:28

Just in case there is anyone else that stumbles on this page, if you want to string various permissions together in the one command, I used this:

icacls "c:\TestFolder" /grant:r Test_User:(OI)(CI)(RC,RD,RX)

Note the csv string for the various permissions.

绅士风度i 2024-09-10 11:32:28

XCACLS.VBS is a very powerful script that will change/edit ACL info. c:\windows\system32\cscript.exe xcacls.vbs help returns all switches and options.

You can get official distribution from Microsoft Support Page

迷你仙 2024-09-10 11:32:28

Bulk folder creation and granting permissions worked for me using the PowerShell script below.

Import-Csv "D:\Scripts\foldernames.csv" | ForEach-Object {
    # "foldername" is the header of the CSV file
    $username = $_.foldername
    $domain = "example.com"
    $folder = "D:\Users"
    $domainusername = $domain + "\" + $username

    # Create the per-user folder
    New-Item $folder\$username -ItemType Directory

    # Show the ACL the new folder starts with
    Get-Acl $folder\$username

    $acl = Get-Acl $folder\$username

    # Protect the ACL from inheritance and discard the inherited rules
    $acl.SetAccessRuleProtection($True, $False)

    # Each rule applies to this folder, its subfolders and its files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    # The folder's user gets Modify, not FullControl
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)

    # Write the new ACL back to the folder
    Set-Acl $folder\$username $acl
}

Note: You have to create the same domain usernames in the CSV file, otherwise you will get permission issues.

蓝咒 2024-09-10 11:32:28

I was not able to open any file in a drive; this command unlocked all:

icacls i:\* /grant Users:F /t /q /c

身边 2024-09-10 11:32:28

attrib +r +a +s +h <folder name> <file name> to hide
attrib -r -a -s -h <folder name> <file name> to unhide

紫竹語嫣☆ 2024-09-10 11:32:28

Excellent point, Călin Darie.

I had a lot of scripts that used cacls, and I moved them to icacls.
However, I could not find a script to change the root mount volumes, for example: d:\datafolder. I finally created the script below, which mounts the volume as a temporary drive, then applies sec., then unmounts it. It is the only way I found that you can update the root mount security.

1. Gets the folder mount GUID to a temp file, then reads the GUID to mount the volume as a temp drive X:, applies sec. and logs the changes, then unmounts the volume only from the X: drive, so the mounted folder is not altered or interrupted other than the applied sec.

Here is a sample of my script:

mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I
D:\tools\security\icacls.exe  %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d

平安喜乐 2024-09-10 11:32:28

I am Administrator and some script placed "Deny" permission on my name on all files and subfolders in a directory. Executing the icacls "D:\test" /grant John:(OI)(CI)F /T command did not work, because it seemed it did not remove the "Deny" right from my name from this list.

The only thing that worked for me is resetting all permissions with the icacls "D:\test" /reset /T command.
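
Two conditions from this thread can be checked after the fact: the Everyone/Users full-control grants used in several answers, and the explicit Deny entry described in the answer above. The following PowerShell audit is an added example, not code from the thread; the function name Find-AclFinding and the scratch folder are assumptions, and principals are matched by well-known SID so the check is language independent.

```powershell
# Added example (not from the thread): audit a tree for two ACL conditions
# discussed on this page. Find-AclFinding is a hypothetical helper name.
function Find-AclFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
        [string[]] $BroadSid = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Rights that let a principal change, delete or re-permission an object
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs may carry generic bits instead: GENERIC_WRITE, GENERIC_ALL
    $writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Explicit and inherited ACEs, with identities returned as SIDs
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid  = $ace.IdentityReference.Value
            $kind = $null
            if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
                # An explicit Deny is evaluated before any Allow, so /grant alone cannot override it
                $kind = 'ExplicitDeny'
            } elseif ($ace.AccessControlType -eq 'Allow' -and $BroadSid -contains $sid -and
                      (([int]$ace.FileSystemRights) -band $writeBits) -ne 0) {
                $kind = 'BroadWrite'
            }
            if ($kind) {
                [pscustomobject]@{
                    Finding   = $kind
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed demo on a scratch folder: reproduce a broad grant and a Deny, then audit
$demo = Join-Path $env:TEMP 'acl-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
icacls $demo /grant '*S-1-1-0:(OI)(CI)F' | Out-Null
icacls $demo /deny '*S-1-5-32-545:(WD)' | Out-Null
Find-AclFinding -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Inherited findings are fixed on the parent where the ACE was set; explicit Deny entries can be removed per principal with the /remove:d option shown earlier on this page.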

人心善变 2024-09-10 11:32:28

  1. navigate to top level directory you want to set permissions to with explorer
  2. type cmd in the address bar of your explorer window
  3. enter icacls . /grant John:(OI)(CI)F /T where John is the username
  4. profit

Just adding this because it seemed supremely easy this way and others may profit - all credit goes to Călin Darie.

゛时过境迁 2024-09-10 11:32:28

When I ran the command:

icacls "c:/path/to/folderA/folderB" /grant:r Everyone:(OI)(CI)F /T

None of the files in folderB were being processed, which was indicated via the output message:

Successfully processed 0 files; Failed processing 0 files

However, once I changed the specified path to the parent directory ("c:/path/to/folderA") and re-ran the command, all the files in folderB were successfully processed.

Note: If you want any other files/folders in folderA to not be processed, try moving all those files/folders to a different location before running the command above.

Hope this helps anyone running into the same issue.

一向肩并 2024-09-10 11:32:28

For anyone needing to grant permissions to multiple drives, I created the following script:

@ECHO off
ECHO Run this with admin privileges
:: Change following variable to desired user or group
set UserOrGrp=Users
for %%d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if EXIST %%d:\ (
        ECHO Taking ownership of drive %%d:\
        takeown /R /F %%d:\ /D Y /SKIPSL
        ECHO Granting full control to %UserOrGrp%
        icacls %%d:\* /Q /C /T /grant %UserOrGrp%:F
    )
)

梦醒时光 2024-09-10 11:32:28

In Windows 10 it works without "c:>" and ">"

For example:

F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission

cacls "file or folder path" /e /p UserName:F

(also this fixes error 2502 and 2503)

cacls "C:\Windows\Temp" /e /p UserName:F

梦里泪两行 2024-09-10 11:32:28

This is what worked for me:

  1. Manually open the folder for which the access is denied.

  2. Select the Executable/application file in that folder.

  3. Right-click on it and go to Properties -> Compatibility

  4. Now see the Privilege Level and check it for Run As Administrator

  5. Click on Change Settings for all users.

The problem is solved now.
