Thursday, November 10, 2011

XCACLS.vbs to edit permissions on NTFS partitions in Windows Server 2008

XCACLS.vbs is a script that lets us view, modify and remove NTFS permissions on Windows.

Once the program has been downloaded, run the installer and extract all of the files into the folder where the operating system is installed (for example: C:\WINDOWS).

For it to work on Windows Server 2008, open the file with Notepad:

C:\> notepad c:\windows\XCACLS.vbs

Find the function "IsOsSupported()" and edit it so that it also supports version 6.0 (Windows Server 2008).

Add: , "6.0"

Next, change the default script host from WSCRIPT to CSCRIPT, because XCACLS.vbs works better with Cscript. To do so, type the following command in Run:

cscript.exe /h:cscript

To use the script, open a new command prompt (cmd) and go to the c:\WINDOWS directory.

cd c:\WINDOWS

Then run:

cscript.exe xcacls.vbs

Now create a folder on drive C: called Carpeta1:

mkdir C:\Carpeta1

Now let's look at the default NTFS permissions for that folder:
C:\WINDOWS> xcacls.vbs C:\Carpeta1

Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 8:14:02

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\carpeta1"

**************************************************************************
Directory: C:\carpeta1

Permissions:
Type     Username                Permissions           Inheritance

Allowed  BUILTIN\Administradores Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  BUILTIN\Administradores Full Control          This Folder Only
Allowed  \CREATOR OWNER          Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Usuarios        Read and Execute      This Folder, Subfolde
Allowed  BUILTIN\Usuarios        Advanced (Create Fold This Folder and Subfo
Allowed  BUILTIN\Usuarios        Advanced (Create File This Folder and Subfo

No Auditing set

Owner: BUILTIN\Administradores
**************************************************************************


Operation Complete
Elapsed Time: 0,359375 seconds.

Ending Script at 10/11/2011 8:14:02


We can see the permission type, the user (or group), the permission itself and the inheritance.
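As an added example (not part of XCACLS.vbs or of this post), the following Python parses the permission table that xcacls.vbs prints, locating the columns from the header line, and flags entries that grant write-class rights to principals other than the built-in administrators and SYSTEM. The sample table is constructed from the listing above, and the PRIVILEGED set is an assumption about which principals are expected to hold Full Control.

```python
import re
from dataclasses import dataclass

# Constructed sample: the table XCACLS.vbs printed for C:\Carpeta1 above.
# Columns are fixed width and the script itself truncates long values.
SAMPLE = r"""Type     Username                Permissions           Inheritance
Allowed  BUILTIN\Administradores Full Control          This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder, Subfolde
Allowed  BUILTIN\Administradores Full Control          This Folder Only
Allowed  \CREATOR OWNER          Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Usuarios        Read and Execute      This Folder, Subfolde
Allowed  BUILTIN\Usuarios        Advanced (Create Fold This Folder and Subfo
Allowed  BUILTIN\Usuarios        Advanced (Create File This Folder and Subfo
Owner: BUILTIN\Administradores
"""

@dataclass
class Ace:
    kind: str      # "Allowed" or "Denied"
    user: str      # principal as printed (user or group)
    perms: str     # permission summary, possibly truncated by XCACLS
    inherit: str   # inheritance scope, possibly truncated by XCACLS

def parse_listing(text):
    """Return (list of Ace, owner). Column starts are read from the header
    line, so the parser does not depend on hard-coded widths."""
    aces, owner, cols = [], None, None
    for line in text.splitlines():
        if line.startswith("Type ") and cols is None:
            cols = tuple(line.index(h) for h in ("Username", "Permissions", "Inheritance"))
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif cols and line.startswith(("Allowed", "Denied")):
            u, p, i = cols
            aces.append(Ace(line[:u].strip(), line[u:p].strip(),
                            line[p:i].strip(), line[i:].strip()))
    return aces, owner

# Assumption: principals expected to hold Full Control on a freshly created
# folder (Spanish and English names of the same built-in groups).
PRIVILEGED = {"BUILTIN\\Administradores", "BUILTIN\\Administrators",
              "NT AUTHORITY\\SYSTEM"}

def audit(aces):
    """Return Allowed ACEs that give write-class rights (Full Control, Modify,
    Write, Create or Delete) to principals outside PRIVILEGED. These are the
    entries to verify after running xcacls.vbs with /G, /P or without /E."""
    risky = re.compile(r"Full Control|Modify|Write|Create|Delete")
    return [a for a in aces
            if a.kind == "Allowed" and a.user not in PRIVILEGED
            and risky.search(a.perms)]

if __name__ == "__main__":
    aces, owner = parse_listing(SAMPLE)
    print("Owner:", owner)
    for a in audit(aces):
        print(f"check: {a.user} has {a.perms!r} on {a.inherit!r}")
```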

What we need now is the help manual that ships with XCACLS.vbs; to see it, type the following:

C:\WINDOWS> xcacls.vbs  /?

Displays or modifies access control lists (ACLs) of files & directories

XCACLS filename [/E] [/G user:perm;spec] [...] [/R user [...]]
                [/F] [/S] [/T]
                [/P user:perm;spec [...]] [/D user:perm;spec] [...]
                [/O user] [/I ENABLE/COPY/REMOVE] [/N
                [/L filename] [/Q] [/DEBUG]

   filename            [Required] If used alone, it Displays ACLs.
                       (Filename can be a filename, directory name or
                       wildcard characters and can include the entire
                       path. If path is missing, its assumed to be
                       under the current directory.
                       Notes:
                       - Put filename in quotes if it has spaces or
                       special characters such as &, $, #, etc.
                       - If Filename is a directory, all files and
                       sub directories under it will NOT be changed
                       unless the /F or /S is present.

   /F                  [Used with Directory or Wildcard] This will change all
                       files under the inputed directory but will NOT
                       traverse sub directories unless /T is also present.
                       If filename is a directory, and /F is not used, no
                       files will be touched.

   /S                  [Used with Directory or Wildcard] This will change all
                       sub folders under the inputed directory but will NOT
                       traverse sub directories unless /T is also present.
                       If filename is a directory, and /S is not used, no
                       sub directories will be touched.

   /T                  [Used only with a Directory] Traverses each
                       subdirectory and makes the same changes.
                       This switch will traverse directories only if the
                       filename is a directory or is using wildcards.
   /E                  Edit ACL instead of replacing it.

   /G user:GUI         Grant security permissions similar to Windows GUI
                       standard (non-advanced) choices.
   /G user:Perm;Spec   Grant specified user access rights.
                       (/G adds to existing rights for user)

                       User: If User has spaces in it, surround it in Quotes
                             If User contains #machine#, it will replace
                             #machine# with the actual machine name if its a
                             non-domain controller, and replace it with the
                             actual domain name if it is a domain controller.

                             New to 3.0: User can be a string representing
                             the actual SID, but MUST be lead by SID#
                             Example: SID#S-1-5-21-2127521184-160...
                                      (SID string shown has been shortened)
                                      (If any user has SID# then globaly all
                                       matches must match the SID (not name)
                                       so if your intention is to apply changes
                                       to all accounts that match Domain\User
                                       then do not specify SID# as one of the
                                       users)

                       GUI: Is for standard rights and can be:
                             Permissions...
                                    F  Full control
                                    M  Modify
                                    X  read & eXecute
                                    L  List folder contents
                                    R  Read
                                    W  Write
                             Note: If a ; is present, this will be considered
                             a Perm;Spec parameter pair

                       Perm: Is for "Files Only" and can be:
                             Permissions...
                                    F  Full control
                                    M  Modify
                                    X  read & eXecute
                                    R  Read
                                    W  Write
                             Advanced...
                                    E Synchronize
                                    D Take Ownership
                                    C Change Permissions
                                    B Read Permissions
                                    A Delete
                                    9 Write Attributes
                                    8 Read Attributes
                                    7 Delete Subfolders and Files
                                    6 Traverse Folder / Execute File
                                    5 Write Extended Attributes
                                    4 Read Extended Attributes
                                    3 Create Folders / Append Data
                                    2 Create Files / Write Data
                                    1 List Folder / Read Data
                       Spec is for "Folder and Subfolders only" and has the
                       same choices as Perm.

   /R user             Revoke specified user's access rights.
                       (Will remove any Allowed or Denied ACL's for user)

   /P user:GUI         Replace security permissions similiar to standard choices
   /P user:perm;spec   Replace specified user's access rights.
                       For access right specification see /G option
                       (/P acts like /G if there are no rights set for user)

   /D user:GUI         Deny security permissions similiar to standard choices.
   /D user:perm;spec   Deny specified user access rights.
                       For access right specification see /G option
                       (/D adds to existing rights for user)

   /O user             Change the Ownership to this user or group.

   /I switch           Inheritance flag, if omitted default is to not touch
                       Inherited ACL's. Switch can be:
                          ENABLE - This will turn on the Inheritance Flag if
                                   its not on already.
                          COPY   - This will turn off the Inheritance flag and
                                   copy the Inherited ACL's
                                   into Effecive ACL's
                          REMOVE - This will turn off the Inheritance flag and
                                   will not copy the Inherited
                                   ACL's, this is the opposite of ENABLE
                          If switch is not present, /I will be ignored and
                          Inherited ACL's will remain untouched.

   /SPEC switch        Special Permission for Folder and Subfolders only
                       If this switch is used, and the object is a folder, then
                       one of the switches below would be used instead of the
                       default.
                          A - This Folder Only
                          B - This Folder, Subfolders and Files (Default)
                          C - This Folder and Subfolders
                          D - This Folder and Files
                          E - Subfolders and Files Only
                          F - Subfolders Only
                          G - Files Only

   /L filename         Filename for Logging. This can include a path name
                       if the file isn't under the current directory.
                       File will be appended to, or created if it doesn't
                       exit. Must be Text file if it exists or error will occur.
                       If filename is obmitted the default name of XCACLS will
                       be used.

   /Q                  Turn on Quiet mode, its off by default.
                       If its turned on, there will be no display to the screen.

   /DEBUG              Turn on Debug mode, its off by default.
                       If its turned on, there will be more information
                       displayed and/or logged. Information will show
                       Sub/Function Enterand Exit as well as other important
                       information.

   /TIMEWMI            Turn on to Time WMI use, only shows up in Debug Mode.

   /SERVER servername  Enter a remote server to run script against.

   /USER username      Enter Username to impersonate for Remote Connections
                            (Requires PASS switch)
                            - Will be ignored if its for a Local Connection.

   /PASS password      Enter Password to go with USER switch
                            (Requires USER switch)


Wildcards can be used to specify more than one file in a command.
Such as:
                           *      Any string of zero or more characters
                           ?      Any single character

You can specify more than one user in a command.
You can combine access rights.

Operation Complete
Elapsed Time: 0,015625 seconds.

Ending Script at 10/11/2011 8:05:19

This help manual shows the different parameters we can use with XCACLS.vbs.

Let's look at some examples.

XCACLS.vbs  c:\Carpeta1  /g  tarija\grupo1:r tarija\grupo1:w  /f  /t  /e

Let's break this example down.

The /G or /g parameter (case does not matter) indicates that we are changing permissions. In this case we first grant read permission to grupo1 (of the tarija domain) and then write permission to the same group.
With the /F parameter we change all the files in the directory. If we also use /T together with it, it will additionally walk through every subdirectory.
The /E parameter indicates that we modify the ACL (access control list) instead of replacing it. This means the folder's existing permissions are kept and a new entry is added to the ACL.

The result is shown below:
Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:11:51

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\Carpeta1"
        /F (All Files under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                tarija\grupo1:R
                tarija\grupo1:W



**************************************************************************
Directory: C:\carpeta1
Granting NTFS rights (R access for This Folder, Subfolders and Files) for "TARIJA\Grupo1"
Granting NTFS rights (W access for This Folder, Subfolders and Files) for "TARIJA\Grupo1"
Completed successfully.
**************************************************************************


Operation Complete
Elapsed Time: 0,65625 seconds.

Ending Script at 10/11/2011 9:11:51

Let's look at another example using other parameters:
xcacls.vbs c:\Carpeta1 /g tarija\usuario1:f tarija\usuario2:r /s /l "c:\permisos.log"
Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:20:49

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\Carpeta1"
        /S (All Sub Directories under current directory)
        /G (Grant rights)
                tarija\usuario1:F
                tarija\usuario2:R
        /L (File: "c:\permisos.log")

**************************************************************************
Directory: C:\carpeta1
Granting NTFS rights (F access for This Folder, Subfolders and Files) for "TARIJA\usuario1"
Granting NTFS rights (R access for This Folder, Subfolders and Files) for "TARIJA\usuario2"
Completed successfully.
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permiso denegado


Operation Complete
Elapsed Time: 0,515625 seconds.

Ending Script at 10/11/2011 9:20:49

In this example, on all subfolders we grant full control to usuario1 of the tarija domain and read permission to usuario2; we also replace the existing permissions in the ACL, and we record what was done in the file C:\permisos.log. This command does not traverse, nor does it touch, the directories or files that the directory holds.
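As an added example (not XCACLS.vbs code), the following Python audits the text that xcacls.vbs prints to the screen or writes to the /L log file: it reports runs that used /G, /P or /D without /E (so the ACL was replaced rather than edited), any F, M or W rights handed out, and error lines such as the "Error 70" permission denied shown above. The log sample is constructed from the two runs on this page.

```python
import re

# Constructed sample: two xcacls.vbs runs as written to the /L log file
# (the runs shown above, trimmed to the lines the audit needs).
SAMPLE_LOG = r"""Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:11:51
        Filename = "c:\Carpeta1"
        /F (All Files under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                tarija\grupo1:R
                tarija\grupo1:W
Granting NTFS rights (R access for This Folder, Subfolders and Files) for "TARIJA\Grupo1"
Granting NTFS rights (W access for This Folder, Subfolders and Files) for "TARIJA\Grupo1"
Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:20:49
        Filename = "c:\Carpeta1"
        /S (All Sub Directories under current directory)
        /G (Grant rights)
                tarija\usuario1:F
                tarija\usuario2:R
        /L (File: "c:\permisos.log")
Granting NTFS rights (F access for This Folder, Subfolders and Files) for "TARIJA\usuario1"
Granting NTFS rights (R access for This Folder, Subfolders and Files) for "TARIJA\usuario2"
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (Msg#204)
Error description: Permiso denegado
"""

GRANT = re.compile(r'Granting NTFS rights \((\w) access for (.*?)\) for "(.*)"')
SWITCH = re.compile(r"/[A-Z]+ \(")          # e.g. '/E (Edit ACL ...)'

def parse_runs(log):
    """One dict per 'Starting ... Script at' line: target, switches, grants
    as (right, scope, user) tuples and the error lines the script printed."""
    runs = []
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("Starting XCACLS"):
            runs.append({"started": s.split(" at ", 1)[1], "file": None,
                         "switches": set(), "grants": [], "errors": []})
        elif not runs:
            continue                      # text before the first run header
        elif s.startswith('Filename = "'):
            runs[-1]["file"] = s[len('Filename = "'):-1]
        elif SWITCH.match(s):
            runs[-1]["switches"].add(s.split(" ", 1)[0])
        elif GRANT.match(s):
            runs[-1]["grants"].append(GRANT.match(s).groups())
        elif s.startswith("Error"):
            runs[-1]["errors"].append(s)
    return runs

def findings(run):
    """Review points for one run: ACL replaced because /E was omitted,
    write-class rights (F, M, W) handed out, and errors the script reported."""
    out = []
    if run["switches"] & {"/G", "/P", "/D"} and "/E" not in run["switches"]:
        out.append("ACL replaced, not edited: /G, /P or /D used without /E")
    out += [f"{user} granted {right} ({scope})"
            for right, scope, user in run["grants"] if right in "FMW"]
    return out + run["errors"]
```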

Now let's change the owner of the folder:

xcacls.vbs c:\Carpeta1 /o "tarija\grupo1"

Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:23:59

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\Carpeta1"
        /O (Change Ownership)
                tarija\grupo1

**************************************************************************
Directory: C:\carpeta1
Changing Ownership to "TARIJA\Grupo1"
Completed successfully.
**************************************************************************

Operation Complete
Elapsed Time: 0,296875 seconds.

Ending Script at 10/11/2011 9:23:59

In this example grupo1 of the tarija domain becomes the owner of the folder.
To change the owner of a file, the same syntax is used.

The owner can be a user or a group.

In the next example we modify the permissions of Carpeta2, adding grupo1 with full control, usuario1 with modify, read and write, and usuario2 with execute.
We also keep the current ACL.

XCACLS.vbs  c:\Carpeta2  /g  tarija\grupo1:f tarija\usuario1:m tarija\usuario2:x tarija\usuario1:r tarija\usuario1:w /f  /t  /e

Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:57:19

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\Carpeta2"
        /F (All Files under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                tarija\grupo1:F
                tarija\usuario1:M
                tarija\usuario2:X
                tarija\usuario1:R
                tarija\usuario1:W



**************************************************************************
Directory: C:\carpeta2
Granting NTFS rights (F access for This Folder, Subfolders and Files) for "TARIJA\Grupo1"
Granting NTFS rights (M access for This Folder, Subfolders and Files) for "TARIJA\usuario1"
Granting NTFS rights (X access for This Folder, Subfolders and Files) for "TARIJA\usuario2"
Granting NTFS rights (R access for This Folder, Subfolders and Files) for "TARIJA\usuario1"
Granting NTFS rights (W access for This Folder, Subfolders and Files) for "TARIJA\usuario1"
Completed successfully.
**************************************************************************


Operation Complete
Elapsed Time: 0,5 seconds.

Ending Script at 10/11/2011 9:57:19

In this example we revoke grupo1's permissions on Carpeta2:

XCACLS.vbs  c:\Carpeta2  /r  tarija\grupo1 /e

Microsoft (R) Windows Script Host versión 5.6
Copyright (C) Microsoft Corporation 1996-2001. Reservados todos los derechos.

Starting XCACLS.VBS (Version: 5.2) Script at 10/11/2011 9:47:39

Startup directory:
"C:\WINDOWS"

Arguments Used:
        Filename = "c:\Carpeta2"
        /E (Edit ACL leaving other users intact)
        /R (Revoke rights)
                tarija\grupo1



**************************************************************************
Directory: C:\carpeta2
Revoking rights for existing user "TARIJA\Grupo1"
Revoking rights for existing user "TARIJA\Grupo1"
Completed successfully.
**************************************************************************


Operation Complete
Elapsed Time: 0,5625 seconds.

Ending Script at 10/11/2011 9:47:39

It is important to use the /e parameter so that the ACL is modified rather than replaced.

To enable inheritance on a folder:

xcacls.vbs c:\Carpeta2 /i enable /q

To disable inheritance but keep a copy of the permissions applied so far:

xcacls.vbs c:\carpeta2 /i copy /q

To disable inheritance completely and remove the permissions applied so far:

xcacls.vbs c:\carpeta2 /i remove /q

From here on, everything else is quite intuitive.

Regards, and until next time!
