I only did it in my example because initially, I was using an existing Share that was created using the Sharing Wizard. But I left it in because I wanted to show that how it can be done, as, let's face it,
CACLS is not exactly user friendly, nor unambiguously documented.
Hell, I often forget to add the /e to the command-line, and just blow away the entire ACL, for all but the specific account supplied.
Also, at first glance, it's not obvious what the difference is between the /g and
grant (/g) is suppose to add permissions to any existing ones.
replace permission (/p) is suppose to entirely replace any existing permissions with what your suppling on the command-line now.
But without the /e , apart from blowing away all the permissions from the other accounts, whats the difference between them ? ... my head hurts...
Anyway, what I've learnt is that if CACLS ever asks 'Are you sure', say no ! ...
Oh, and to further clarify, the ACLs are 'stored' in the filesystem, not in the Registry. Kind of like the way a file's size and it's access/modification times are stored.
That's why if you move a Hard Disk between two systems, an Administrator needs to take ownership of files first, before correcting their ACLs - the new system will likely not have the same user accounts setup (user IDs, etc). All good fun...