Article ID: 825751 - Last Review: October 30, 2006 - Revision: 2.4




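An updated version of the Extended Change Access Control List tool (Xcacls.exe) is available from Microsoft as a Microsoft Visual Basic script (Xcacls.vbs). This step-by-step article describes how to use the Xcacls.vbs script to modify and view NTFS file system permissions for files or folders. You can use Xcacls.vbs from the command line to set all the file system security options that are accessible in Microsoft Windows Explorer. Xcacls.vbs displays and modifies the access control lists (ACLs) of files.

Note: Xcacls.vbs is compatible only with Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft does not support Xcacls.vbs.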

Set Up and Use Xcacls.vbs

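To set up and use Xcacls.vbs, follow these steps:
  1. Obtain the latest version of Xcacls.vbs from the following Microsoft Web site:
  2. Double-click Xcacls_Installer.exe. When you are prompted for a location to place the extracted files, specify a folder that is in your computer's search path, such as C:\Windows.
  3. Change the default script engine from Wscript to Cscript. (The Xcacls.vbs script works best under Cscript.) To do this, type the following at a command prompt, and then press ENTER:
    cscript.exe //h:cscript
    Note: Changing the default script engine to Cscript affects only how scripts write to the screen. Wscript writes each line separately to an OK dialog box. Cscript writes each line to the command window. If you do not want to change the default script engine, you must run the script by using the following command:
    cscript.exe xcacls.vbs
    If you change the default to Cscript, you can run the script by using the following command:
  4. To see the Xcacls.vbs command syntax, type the following at a command prompt:
    xcacls.vbs /?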

Syntax for the Xcacls.vbs Command

The following output of the xcacls.vbs /? command describes the Xcacls.vbs command syntax:
XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
                [/F] [/S] [/T]
                [/P user:perm;spec [...]] [/D user:perm;spec] [...]
                [/O user] [/I ENABLE/COPY/REMOVE] [/N
                [/L filename] [/Q] [/DEBUG]

   filename            [Required] If used alone, it displays ACLs.
                       (Filename can be a filename, directory name or
                       wildcard characters and can include the whole
                       path. If path is missing, it is assumed to be
                       under the current directory.)
                       - Put filename in quotes if it has spaces or
                       special characters such as &, $, #, etc.
                       - If filename is a directory, all files and
                       subdirectories under it will NOT be changed
                       unless the /F or S is present.

   /F                  [Used with Directory or Wildcard] This will change all
                       files under the inputted directory but will NOT
                       traverse subdirectories unless /T is also present.
                       If filename is a directory, and /F is not used, no
                       files will be touched.

   /S                  [Used with Directory or Wildcard] This will change all
                       subfolders under the inputted directory but will NOT
                       traverse subdirectories unless /T is also present.
                       If filename is a directory, and /S is not used, no
                       subdirectories will be touched.

   /T                  [Used only with a Directory] Traverses each
                       subdirectory and makes the same changes.
                       This switch will traverse directories only if the
                       filename is a directory or is using wildcard characters.
   /E                  Edit ACL instead of replacing it.

   /G user:GUI         Grant security permissions similar to Windows GUI
                       standard (non-advanced) choices.
   /G user:Perm;Spec   Grant specified user access rights.
                       (/G adds to existing rights for user)

                       User: If User has spaces in it, enclose it in quotes.
                             If User contains #machine#, it will replace
                             #machine# with the actual machine name if it is a
                             non-domain controller, and replace it with the
                             actual domain name if it is a domain controller.

                             New to 3.0: User can be a string representing
                             the actual SID, but MUST be lead by SID#
                             Example: SID#S-1-5-21-2127521184-160...
                                      (SID string shown has been shortened)
                                      (If any user has SID# then globally all
                                       matches must match the SID (not name)
                                       so if your intention is to apply changes
                                       to all accounts that match Domain\User
                                       then do not specify SID# as one of the

                       GUI: Is for standard rights and can be:
                                    F  Full control
                                    M  Modify
                                    X  read and eXecute
                                    L  List folder contents
                                    R  Read
                                    W  Write
                             Note: If a ; is present, this will be considered
                             a Perm;Spec parameter pair.

                       Perm: Is for "Files Only" and can be:
                                    F  Full control
                                    M  Modify
                                    X  read and eXecute
                                    R  Read
                                    W  Write
                                    D  Take Ownership
                                    C  Change Permissions
                                    B  Read Permissions
                                    A  Delete
                                    9  Write Attributes
                                    8  Read Attributes
                                    7  Delete Subfolders and Files
                                    6  Traverse Folder / Execute File
                                    5  Write Extended Attributes
                                    4  Read Extended Attributes
                                    3  Create Folders / Append Data
                                    2  Create Files / Write Data
                                    1  List Folder / Read Data
                       Spec is for "Folder and Subfolders only" and has the
                       same choices as Perm.

   /R user             Revoke specified user's access rights.
                       (Will remove any Allowed or Denied ACL's for user.)

   /P user:GUI         Replace security permissions similar to standard choices.

   /P user:perm;spec   Replace specified user's access rights.
                       For access right specification see /G option.
                       (/P behaves like /G if there are no rights set for user.)

   /D user:GUI         Deny security permissions similar to standard choices.
   /D user:perm;spec   Deny specified user access rights.
                       For access right specification see /G option.
                       (/D adds to existing rights for user.)

   /O user             Change the Ownership to this user or group.

   /I switch           Inheritance flag.  If omitted, the default is to not touch
                       Inherited ACL's. Switch can be:
                          ENABLE - This will turn on the Inheritance flag if
                                   it is not on already.
                          COPY   - This will turn off the Inheritance flag and
                                   copy the Inherited ACL's
                                   into Effective ACL's.
                          REMOVE - This will turn off the Inheritance flag and
                                   will not copy the Inherited
                                   ACL's.  This is the opposite of ENABLE.
                          If switch is not present, /I will be ignored and
                          Inherited ACL's will remain untouched.

   /L filename         Filename for Logging. This can include a path name
                       if the file is not under the current directory.
                       File will be appended to, or created if it does not
                       exit. Must be Text file if it exists or error will occur.

                       If filename is omitted, the default name of XCACLS will
                       be used.

   /Q                  Turn on Quiet mode.  By default, it is off.
                       If it is turned on, there will be no display to the screen.

   /DEBUG              Turn on Debug mode. By default, it is off.
                       If it is turned on, there will be more information
                       displayed and/or logged. Information will show
                       Sub/Function Enter and Exit as well as other important

   /SERVER servername  Enter a remote server to run script against.

   /USER username      Enter Username to impersonate for Remote Connections
                            (requires PASS switch).  Will be ignored if it is for a Local Connection.

   /PASS password      Enter Password to go with USER switch
                            (requires USER switch).

Wildcard characters can be used to specify more than one file in a command, such as:
                                *       Any string of zero or more characters
                                ?       Any single character

You can specify more than one user in a command.
You can combine access rights.

Use Xcacls.vbs to View Permissions

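You can also use Xcacls.vbs to view the permissions of a file or folder. For example, if you have a folder named c:\test, type the following at a command prompt to view the folder permissions, and then press ENTER:
xcacls.vbs c:\test
The following example is a typical result: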
C:\>XCACLS.VBS c:\test
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 3.4) Script at 6/11/2003 10:55:21 AM

Startup directory:

Arguments Used:
        Filename = "c:\test"

Directory: C:\test

Type     Username                Permissions           Inheritance

Allowed  BUILTIN\Administrators  Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  Domain1\User1           Full Control          This Folder Only
Allowed  \CREATOR OWNER          Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Users           Read and Execute      This Folder, Subfolde
Allowed  BUILTIN\Users           Create Folders / Appe This Folder and Subfo
Allowed  BUILTIN\Users           Create Files / Write  This Folder and Subfo

No Auditing set

Owner: Domain1\User1

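Note: In this example, the output of the xcacls.vbs c:\test command matches the text that appears in the graphical user interface (GUI). In the command window, some words are truncated.

The output also gives the version of the script, the startup directory, and the arguments used.

You can also use wildcard characters to display matching files under a directory. For example, if you type the following, all files with the ".log" extension that are located in the c:\test folder are displayed: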
xcacls.vbs c:\test\*.log
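
The listing shown above is fixed-width and truncates long permission names, so splitting it on whitespace misreads rows. As an added example (not part of the original article or of Xcacls.vbs), this Python code parses the table by column offset and flags Allowed entries that give a broad group a write-capable right; the function names, the WRITE_RIGHTS and BROAD sets, and the "Denied" row label are assumptions.

```python
# Right names come from the xcacls.vbs /? listing; which ones count as
# write-capable, and the BROAD principals, are assumptions of this example.
WRITE_RIGHTS = ("Full Control", "Modify", "Write", "Take Ownership",
                "Change Permissions", "Delete", "Write Attributes",
                "Delete Subfolders and Files", "Write Extended Attributes",
                "Create Folders / Append Data", "Create Files / Write Data")
BROAD = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
COLUMNS = ("Type", "Username", "Permissions", "Inheritance")

def parse_acl(output):
    """Return one dict per ACE row of the Type/Username/Permissions table."""
    rows, starts = [], None
    for line in output.splitlines():
        if starts is None:
            if line.split() == list(COLUMNS):
                starts = [line.index(c) for c in COLUMNS]  # fixed-width offsets
            continue
        if not line.strip():
            continue
        if not line.startswith(("Allowed", "Denied")):
            break  # "No Auditing set" / "Owner:" lines end the table
        ends = starts[1:] + [len(line)]
        rows.append({c.lower(): line[s:e].strip()
                     for c, s, e in zip(COLUMNS, starts, ends)})
    return rows

def is_write(permission):
    """True if a (possibly truncated) permission name is a write-capable right."""
    p = permission.lower()
    return bool(p) and any(w.lower().startswith(p) for w in WRITE_RIGHTS)

def risky(rows):
    """Allowed ACEs that give a broad group a write-capable right."""
    return [r for r in rows if r["type"] == "Allowed"
            and r["username"] in BROAD and is_write(r["permissions"])]

# Constructed sample in the page's fixed-width layout (9, 24, 22 characters).
FMT = "%-9s%-24s%-22s%s"
SAMPLE = "\n".join(FMT % r for r in [
    COLUMNS,
    ("Allowed", r"BUILTIN\Administrators", "Full Control", "This Folder, Subfolde"),
    ("Allowed", r"BUILTIN\Users", "Read and Execute", "This Folder, Subfolde"),
    ("Allowed", r"BUILTIN\Users", "Create Folders / Appe", "This Folder and Subfo"),
    ("Allowed", r"BUILTIN\Users", "Create Files / Write", "This Folder and Subfo"),
]) + "\n\nNo Auditing set\n\nOwner: Domain1\\User1\n"

if __name__ == "__main__":
    for ace in risky(parse_acl(SAMPLE)):
        print(ace["username"], "->", ace["permissions"])
```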


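The following Xcacls.vbs commands provide some examples of Xcacls.vbs usage.

xcacls.vbs c:\test\ /g domain\testuser1:f /f /t /e
This command edits existing permissions. It grants Domain\TestUser1 full control on all files under c:\test, traverses the subfolders under c:\test, and then changes any files that it finds. This command does not touch the directories.
xcacls.vbs c:\test\ /g domain\testuser1:f /s /l "c:\xcacls.log"
This command replaces existing permissions. It grants Domain\TestUser1 full control on all subfolders under C:\Test, and logs to C:\Xcacls.log. This command does not touch files, and it does not traverse directories.
xcacls.vbs c:\test\readme.txt /o "machinea\group1"
This command changes the owner of Readme.txt to the group MachineA\Group1.
xcacls.vbs c:\test\badcode.exe /r "machinea\group1" /r "domain\testuser1"
This command revokes the permissions of MachineA\Group1 and Domain\TestUser1 on C:\Test\Badcode.exe.
xcacls.vbs c:\test\subdir1 /i enable /q
This command turns on inheritance on the folder C:\Test\Subdir1. It suppresses any screen output.
xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14
This command connects remotely to \\ServerA\ShareZ by using Windows Management Instrumentation (WMI). It then obtains the local path for that share, and under that path it changes the permissions on Testpage.htm. It leaves the existing permissions of Domain\Group2 intact, but it adds permissions 1 (read data) and 4 (read extended attributes). Because the /e switch is not used, the command drops the other permissions on the file.
xcacls.vbs d:\default.htm /g "domain\group2":f /server servera /user servera\admin /pass password /e
This command uses WMI to connect remotely to ServerA as ServerA\Admin, and then grants Domain\Group2 permissions on Default.htm. The existing permissions of Domain\Group2 are lost, and the other permissions on the file are kept.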
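
The commands above differ in whether /e is present, which decides whether the ACL is edited or replaced. As an added example (not part of the original article or of Xcacls.vbs), this Python code parses an xcacls.vbs command line before it is run, expands the right codes from the syntax listing, and reports a missing /e or a /pass password on the command line; the function names and warning texts are assumptions.

```python
import re

# Right codes as listed in the xcacls.vbs /? output on this page.
RIGHTS = {
    "F": "Full control", "M": "Modify", "X": "Read and execute",
    "L": "List folder contents", "R": "Read", "W": "Write",
    "D": "Take Ownership", "C": "Change Permissions", "B": "Read Permissions",
    "A": "Delete", "9": "Write Attributes", "8": "Read Attributes",
    "7": "Delete Subfolders and Files", "6": "Traverse Folder / Execute File",
    "5": "Write Extended Attributes", "4": "Read Extended Attributes",
    "3": "Create Folders / Append Data", "2": "Create Files / Write Data",
    "1": "List Folder / Read Data",
}
ACE_SWITCHES = {"/G": "grant", "/P": "replace", "/D": "deny"}

def decode_rights(codes):
    """Expand a run of right codes, e.g. '14', into their names."""
    return [RIGHTS[c] for c in codes.upper()]  # KeyError on an unknown code

def review(cmdline):
    """Parse an xcacls.vbs command line without running it."""
    tokens = [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]
    target, switches, current = tokens[1], {}, None
    for tok in tokens[2:]:
        if tok.startswith("/"):
            current = tok.upper()
            switches.setdefault(current, [])
        elif current:
            switches[current].append(tok)
    aces = []
    for sw, action in ACE_SWITCHES.items():
        for arg in switches.get(sw, []):
            user, _, rights = arg.rpartition(":")
            perm, _, spec = rights.partition(";")  # perm: files, spec: folders
            aces.append({"action": action, "user": user,
                         "files": decode_rights(perm), "folders": decode_rights(spec)})
    warnings = []
    if aces and "/E" not in switches:
        warnings.append("no /E: the existing ACL is replaced, not edited")
    if "/PASS" in switches:
        warnings.append("/PASS puts the password on the command line")
    return {"target": target, "aces": aces, "warnings": warnings}

if __name__ == "__main__":
    # Command lines taken from the usage examples on this page.
    for cmd in (r'xcacls.vbs \\servera\sharez\testpage.htm /p "domain\group2":14',
                r'xcacls.vbs d:\default.htm /g "domain\group2":f /server servera '
                r'/user servera\admin /pass password /e'):
        print(review(cmd))
```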


For more information about how to use Xcacls.exe, click the following article number to view the article in the Microsoft Knowledge Base:
318754 How to use Xcacls.exe to modify NTFS permissions

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition