Greg M wrote:

It's sometimes hard to believe that such a long correspondence can be resolved with just four little lines of code:

Md G:\MyFolder
Net Share MyShare=G:\MyFolder
Cacls G:\MyFolder /e /r Everyone
Cacls G:\MyFolder /e /g Everyone:C

Your unlikely to need the revoke step.

I only did it in my example because initially, I was using an existing Share that was created using the Sharing Wizard. But I left it in because I wanted to show that how it can be done, as, let's face it, CACLS is not exactly user friendly, nor unambiguously documented.

Hell, I often forget to add the /e to the command-line, and just blow away the entire ACL, for all but the specific account supplied.

Also, at first glance, it's not obvious what the difference is between the /g and /p switches:
  • grant (/g) is suppose to add permissions to any existing ones.
  • replace permission (/p) is suppose to entirely replace any existing permissions with what your suppling on the command-line now.
But without the /e , apart from blowing away all the permissions from the other accounts, whats the difference between them ? ... my head hurts...

Anyway, what I've learnt is that if CACLS ever asks 'Are you sure', say no ! ... Wink

Oh, and to further clarify, the ACLs are 'stored' in the filesystem, not in the Registry. Kind of like the way a file's size and it's access/modification times are stored.

That's why if you move a Hard Disk between two systems, an Administrator needs to take ownership of files first, before correcting their ACLs - the new system will likely not have the same user accounts setup (user IDs, etc). All good fun...