The syntax of this command is:
NET PERMS resource [/GRANT name:permissions[ ...] |
/CHANGE name:permissions[ ...] | /REVOKE name[ ...] |
/TAKE]
This command displays or modifies resource permissions and ownership
information on servers. The resources on which this command currently
operates are shares, directories, and files.
COMMENTS
You must supply a resource name when using this command.
Use the "net perms" command to secure network resources by specifying
who can use each resource and how. This command allows the user
to set and modify permissions for users and groups on a resource,
and to take ownership of the resource.
When the server displays resource permissions, it designates groups
with an asterisk ( * ).
When no options other than resource name are specified, the command
lists the permissions and ownership information for the resource.
This command can also be typed as "net perm".
If used on a local share resource, the output of "net perms \\users"
will look similar to the following:
Resource: \users
Owner:
Name:                     Permissions:
--------------------------------------------------------------------------
*Everyone                 FullControl(All)
If used on a directory or file resource the output of
"net perms c:/home/lanman" will look similar to the following:
Resource: c:\home\lanman
Owner: sales_dom\Administrators
Name:                     Permissions:
-----------------------------------------------------------------------
*Account Operators        Change(RWXD)(RWXD)
*Administrators           FullControl(All)(All)
*Server Operators         Change(RWXD)(RWXD)
*Everyone                 Read(RX)(RX)
*SYSTEM                   FullControl(All)(All)
You can specify combinations of individual permissions (for example,
RWX for a file or RWX:RX for a directory) or standard permissions (for
example, Change for a file or Add for a directory) for users or groups
on files and directories. On shares you can set only standard
permissions (for example, Read).
The following list shows the types of permissions that can be assigned
for a user's or group's access to shares, directories and files, and what
each permission allows a user to do:
Code                      Permission
_______________           ____________________________________________
INDIVIDUAL PERMISSIONS (Directory or File)
R (Read)                  User can display the file's data, attributes
                          and its owner and permissions.
W (Write)                 User can change data in and append data to
                          the file, change the file's attributes
                          and display its owner and permissions.
D (Delete)                User can delete the file.
X (Execute)               User can run the file if it is an application,
                          change the file's attributes and display its
                          owner and permissions.
P (Change Permissions)    User can change permissions on the file.
O (Take ownership)        User can take ownership of the file.
STANDARD PERMISSIONS (Directory)
NoAccess                  User cannot access the directory in any way,
                          even if the user is a member of a group
                          that has been granted access to the directory.
List                      User can only list the files and subdirectories
                          in this directory and change to a subdirectory
                          of this directory. User cannot access files in
                          the directory.
Read                      User can read the contents of files in this
                          directory and run applications in the
                          directory.
Add                       User can add files to the directory but cannot
                          read the contents of current files, change
                          them, or list the files.
AddRead                   User can add files to the directory and read
                          current files but cannot change files.
Change                    User can read and add files and change the
                          contents of current files.
FullControl               User can read and change files, add new ones,
                          change permissions for the directory and its
                          files, and take ownership of the directory and
                          its files.
STANDARD PERMISSIONS (File)
NoAccess                  User cannot access the file in any way, even
                          if the user is a member of a group that has
                          been granted access to the file.
Read                      User can read the contents of the file and run
                          it if it is an application.
Change                    User can read, modify and delete the file.
                          If the file is an application, the user can
                          run it.
FullControl               User can read, modify, delete, set permissions
                          for, and take ownership of the file. If the
                          file is an application, user can run it.
STANDARD PERMISSIONS (Share)
NoAccess                  User cannot access the shared directory itself
                          and the files and subdirectories in it in any
                          way, even if the user is a member of a group
                          which has been granted access to the share.
Read                      User can display the names of subdirectories
                          and files on the share, display the data and
                          attributes of files, run program files and
                          go to the directories on the share.
Change                    User can read, write and delete directories
                          and files on the share, can change attributes
                          of files and directories on the share and
                          run program files.
FullControl               User can read, write and delete directories
                          and files on the share, can change attributes
                          of files and directories, run program files
                          and change permissions on the share itself
                          and on its directories and files.
Displaying of Directory Permissions:
When a directory permission is displayed, two sets of abbreviations
for individual permissions are displayed next to it: the permissions
set on the directory and the permissions which files in this directory
will inherit. For example, when AddRead permission is set, you
see (RWX), signifying Read, Write and Execute permissions on the
directory, and (RX), signifying Read and Execute permissions which
will be inherited by files in the directory.
When directory permission is shown as "Special Access", this means
that the combination of directory and file individual permissions on
this directory does not correspond to any of the standard directory
permissions.
When access to the files in the directory is shown as (NotSpecified),
that group or user cannot use files in the directory, unless access
is granted by another means, for example, by setting permissions that
grant access to individual files.
An asterisk (*) following the set of directory permissions, for example,
(All)*, indicates that subdirectories do not inherit the permissions
granted to that group.
Setting of Directory Permissions:
To set a standard permission on a directory, simply type the standard
permission's name. For example, to set a Read permission for user
"stevej", type "stevej:read".
You can also set a combination of individual permissions on a directory.
It is possible to specify permissions for a directory itself and
permissions to be inherited by the files in this directory separately.
These permissions should be separated by a colon. For example, to
set RDPO permission to the directory itself, and RW permission for the
files in this directory for the user "stevej", type "stevej:rdpo:rw".
By default, permissions on the directory itself will be inherited by
its subdirectories. If you do not want permissions on the directory
to be inherited by its subdirectories, specify an asterisk
next to the directory permission. For example, to prevent subdirectories
from inheriting directory permissions in the example above, type:
"stevej:rdpo*:rw".
Displaying of File and Share Permissions:
When a file or share permission is displayed, an abbreviation for
individual permissions corresponding to this file or share permission
appears next to it.
When file permission is shown as "Special Access", this means
that the combination of individual file permissions on this
file does not correspond to any of the standard file permissions.
To set a standard file permission or a share permission just type the
name of the permission. For example, to set a FullControl permission
for user Administrator, type "administrator:fullcontrol".
To set a combination of individual permissions on the file, type the
abbreviations for these permissions, such as "user1:rxp" to grant
Read, Execute and Change Permissions permissions to user1.
NOTE: Groups or users granted FullControl permission on a directory
can delete files in that directory no matter what permissions
protect the files.
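
An added example, not part of the product's help text: a shell function
that reads a listing in the layout described above and reports entries
where the group Everyone holds write-class rights, or where a name outside
a trusted list can change permissions or take ownership. The function
names, the sample listing and the default trusted list (Administrators,
SYSTEM) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the product: flag broad grants in a
# "net perms" listing. The trusted names are an assumption; override
# them with TRUSTED="name1,name2".

# Constructed sample listing in the layout this page shows.
sample_listing() {
cat <<'EOF'
Resource: c:\home\lanman
Owner: sales_dom\Administrators
Name:                     Permissions:
-----------------------------------------------------------------------
*Account Operators        Change(RWXD)(RWXD)
*Administrators           FullControl(All)(All)
*Everyone                 Change(RWXD)(RWXD)
*Users                    Special Access(RWX)*(NotSpecified)
stevej                    Special Access(RDPO)(RW)
EOF
}

# Reads a listing on stdin; prints one TAB-separated finding per line:
#   BROAD   Everyone holds W, D, P, O or All
#   ACLCTL  a name outside the trusted list holds P, O or All
audit_perms() {
    awk -v trusted="${TRUSTED:-Administrators,SYSTEM}" '
    BEGIN { n = split(tolower(trusted), t, ","); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    /^-+$/ { body = 1; next }                 # entries follow the rule line
    !body || !index($0, "(") { next }
    {
        p = index($0, "(")
        name = substr($0, 1, p - 1)           # name plus permission name
        sets = substr($0, p)                  # e.g. (RWX)*(RX)
        sub(/[ \t]+(Special Access|[A-Za-z]+)$/, "", name)
        sub(/^\*/, "", name)                  # leading * marks a group
        key = tolower(name); sub(/^.*\\/, "", key)   # drop domain prefix
        chk = sets; gsub(/\(NotSpecified\)/, "", chk)
        if (key == "everyone" && chk ~ /[WDPO]|All/)
            printf "BROAD\t%s\t%s\n", name, sets
        else if (!(key in ok) && chk ~ /[PO]|All/)
            printf "ACLCTL\t%s\t%s\n", name, sets
    }'
}

sample_listing | audit_perms
```

On a server, pipe the output of "net perms resource" into audit_perms
instead of the sample listing.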
EXAMPLES
At a UNIX system console, to grant "Add" permission for the user
"mikeg", RWXD permission for the directory itself and RX permission
for the files to inherit for the group "Server Operators",
and "FullControl" permission for the group "Users", to the "/tmp"
directory on the local server, type the following:
net perms c:/tmp /grant mikeg:add "server operators":rwxd:rx users:fullcontrol
At a UNIX system console, to grant "Read" permission for the group
"sales" and "NoAccess" permission for the user "nobody" from the
market_dom to the file "f1", residing on the share "share1" of
the local server, type the following:
net perms \\share1\\f1 /grant sales:read market_dom\\nobody:noaccess
To grant RXP permission to the directory, no inheritable permissions
for the subdirectory, and RD permission to be inherited by the files
in the directory, for the user "joanl" on the root directory of the
share "sales_share" of the server "product_asu", type the following:
net perms \\\\product_asu\\sales_share\\ /grant joanl:rxp*:rd
To change permissions on the directory "dir" on the share "share" on the
server "server1" for user "jennyt" to "FullControl", type the following:
net perms \\\\server1\\share\\dir /change jennyt:fullcontrol
To delete user "stevej" from the access list for the share "share1" on
the local server, type the following:
net perms \\share1 /revoke stevej
SEE ALSO
For information about                     See
_____________________                     _________
Getting help with network commands        net help
Auditing the usage of the resource        net auditing
Managing user accounts                    net user
Backup and primary domain controllers     net accounts
Global groups                             net group
Local groups                              net localgroup
To get Help on command options, type "net help {command} /options | more".
To get Help one screen at a time, type "net help {command} | more".