Re: Trouble with XCACLS.VBS and denying Execute access

From: Roger Abell (
Date: 12/29/04

Date: Wed, 29 Dec 2004 01:59:50 -0700

Hi Gordon,

I can repro much of what you report, just have not looked at
the log to see the part about non-recurse, but that seems in line
with what I mentioned in earlier thread about how it seemed
/t was being handled by inheritance rather than actual recurse.

Strange how use of the shortcut in the xcacls.vbs set folder
just silently fails to open the target.
Also, I notice that I am not allowed to delete the shortcut in
the dir where xcacls.vbs has perms set per your xcacls spec even
though ACL editor clearly shows this is granted and not denied.
Further, I seem to have ruled out this being an interference due
to the profiles being special folders, as this can repro in any
old directory.

I do not have my ACL low-level dump tools installed here,
but tomorrow will repro on a box with them and look at the
SD in detail, as there must be differences within.

Note that the two grants to %userdomain%\%username% of
  Full Control (This Folder and Subfolders only)
  Special [Everything but Traverse Folders / Execute File] (Files Only)
are functionally equivalent to the following two grants
  Full Control (This Folder and Subfolders only)
  Special [Everything but Traverse Folders / Execute File] (This folder, subfolders and files)

"Gordon Fecyk" <> wrote in message
> Several threads ago I asked about changing the default ACL for a user's
> profile.  This was an attempt to stop executables coming from the net,
> including exploits that could work somehow as limited users.
> I've run into a brick wall regarding changing the permissions
> programmatically on Windows 2000 Professional.  I can do it, but the end
> result is not the same as it is if done through the Win2K Security GUI.
> The objective is to change the ACLs in %userprofile% so they look like
> %userdomain%\%username%: Full Control (This Folder and Subfolders only)
> %userdomain%\%username%: Special [Everything but Traverse Folders / Execute File]
>                          (Files Only)
> BUILTIN\Administrators:  Full Control (This Folder, Subfolders and Files)
> NT AUTHORITY\SYSTEM:     Full Control (This Folder, Subfolders and Files)
> %userdomain% (which can also mean the local computer) and %username%
> represent the current user and %userprofile% represents this user's
> Documents and Settings folder.
> If I change the permissions to look like those above through the GUI, the
> system behaves exactly as I want it to.  That is, everything works
> (including shortcuts, the Send To menu and the Quick Launch toolbar) and
> opening an executable returns "Access is Denied."  Try this for yourself:
> Copy notepad.exe to your desktop and attempt to open it to observe the
> desired behaviour.
> Now I'm attempting to do this programmatically with xcacls.vbs.  I've been
> a support ticket with Microsoft Support over this and we can't seem to get
> it right.  The end result LOOKS correct if I view it all with the GUI, but
> shortcuts stop working.  Sometimes, I lose visibility of the shortcuts
> entirely.
> The command lines I'm attempting this in are as follows:
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /SPEC C /P "%userdomain%\%username%":F
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCDE
> The first line REPLACES the ACL (/P) for the current user with the Full
> Control permissions I want for this folder and subfolders (/SPEC C).  The
> second line ADDS (/G) the Special permissions I want for files only (note the
> absence of /SPEC).  Notice that "6" (Traverse / Execute) is missing.
> I suspect that when I replace the original ACL that the change isn't
> propagating out, because the /T switch generates an "Access is Denied"
> according to the logs if I also do /L.  Then when I add the second ACL,
> the change also isn't propagating out.  I've effectively locked myself out of
> all of my files.  I can restore access with the GUI.
> I've also tried this:
> cscript Xcacls.vbs "%userprofile%" /T /E /Q /L /G "%userdomain%\%username%":12345789ABCDE;123456789ABCDE
> According to the documentation for xcacls.vbs, the first set of switches
> (everything but Traverse / Execute) is for "Files Only" and the second set
> (absolutely everything) is for "This Folder and Subfolders".  In practice,
> the second set of switches is only valid for "This Folder Only" which
> out all of the subfolders.  The change does not propagate even though I
> /T.
> So I need to figure out what the GUI is doing that xcacls.vbs isn't, and
> make it do that.
> I also tried adding a Deny (/D %username%:6) instead of doing two Allows.
> If I do that I end up disabling all shortcuts again.  Adding a Deny
> Traverse/Execute for Files Only through the GUI does the same thing.
> -- 
> PGP key (0x0AFA039E): <>
> What's a PGP Key?  See <>
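Added example, not code from either poster: a small Python model of the xcacls.vbs digit specs used in Gordon's command lines and of the ACL-editor "apply onto" scopes, used to check Roger's note that the two grant layouts are functionally equivalent and that files end up without Traverse Folder / Execute File. The digit-to-right mapping is an assumption: it follows the NTFS access-mask bit order and agrees with the thread's statement that "6" is Traverse / Execute; deny ACEs and ACE ordering are not modelled.

```python
# Assumed xcacls.vbs digit -> NTFS access-mask bit (access-mask bit order;
# "6" = Traverse Folder / Execute File as stated in the thread).
SPEC_BITS = {
    "1": 0x000001, "2": 0x000002, "3": 0x000004, "4": 0x000008,  # ReadData, WriteData, AppendData, ReadEA
    "5": 0x000010, "6": 0x000020, "7": 0x000040, "8": 0x000080,  # WriteEA, Execute/Traverse, DeleteChild, ReadAttr
    "9": 0x000100, "A": 0x010000, "B": 0x020000,                 # WriteAttr, Delete, ReadPermissions
    "C": 0x040000, "D": 0x080000, "E": 0x100000,                 # ChangePermissions, TakeOwnership, Synchronize
}
FULL_CONTROL = 0x1F01FF            # FILE_ALL_ACCESS: the union of every bit above
TRAVERSE_EXECUTE = SPEC_BITS["6"]

def spec_to_mask(spec: str) -> int:
    """Translate an xcacls.vbs digit string such as "12345789ABCDE" into an access mask."""
    mask = 0
    for ch in spec.upper():
        if ch not in SPEC_BITS:
            raise ValueError(f"unknown xcacls.vbs permission digit {ch!r}")
        mask |= SPEC_BITS[ch]
    return mask

# ACL-editor "Apply onto" scope -> object classes that receive the ACE.
SCOPES = {
    "This folder, subfolders and files": ("folder", "subfolder", "file"),
    "This folder and subfolders only": ("folder", "subfolder"),
    "Files only": ("file",),
}

def effective_mask(aces, target: str) -> int:
    """Union of allow-ACE masks that apply to `target` (allow ACEs are additive)."""
    mask = 0
    for scope, ace_mask in aces:
        if target in SCOPES[scope]:
            mask |= ace_mask
    return mask

# Gordon's intended layout: Full Control on folder+subfolders, everything but execute on files only.
GORDON = [("This folder and subfolders only", FULL_CONTROL),
          ("Files only", spec_to_mask("12345789ABCDE"))]
# Roger's stated equivalent: the second ACE widened to folder, subfolders and files.
ROGER = [("This folder and subfolders only", FULL_CONTROL),
         ("This folder, subfolders and files", spec_to_mask("12345789ABCDE"))]

def layouts_equivalent(a, b) -> bool:
    """True when both ACE lists yield the same effective mask on every object class."""
    return all(effective_mask(a, t) == effective_mask(b, t) for t in ("folder", "subfolder", "file"))

if __name__ == "__main__":
    for t in ("folder", "subfolder", "file"):
        m = effective_mask(GORDON, t)
        print(f"{t:9s} 0x{m:06X}  execute={bool(m & TRAVERSE_EXECUTE)}")
    print("layouts equivalent:", layouts_equivalent(GORDON, ROGER))
```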