Office SharePoint Server 2007 : Search : Configuring NTFS permissions for NTFS file share/folders (that don’t inherit permissions) for the search default content access account (xCacls)

Here is a step-by-step guide (I had to write it up anyway :) ) to configuring permissions for the search default content access account on network NTFS folders that contain many folders and files that don’t inherit permissions.


1.       Download XcAcls.exe (cAcls is deprecated and does not support batch files)

This command-line tool allows you to set all file system security options that are accessible in Windows Explorer. XcAcls does this by displaying and modifying the access control lists (ACLs) of files. XcAcls is especially useful in unattended installations of Microsoft Windows 2000 Professional or Server. By using this tool, you can set the initial access rights for folders in which the operating system resides.


2.       Install the tool using its setup program


3.       Configure the Path environment variable so that you can call xcAcls from any folder in a command prompt


·         Navigate to the install location: e.g. “C:\Program Files\Resource Kit” and copy this path into your clipboard.

·         Open up your machine’s environment variables (right-click My Computer, Properties)

·         Open the Path variable and append the install location to the path. Be sure to add a trailing semicolon.

·         Hit OK 3 times.





4.       Add the default search access account using the xCacls utility.

a.       Fire up a command prompt. Ensure that it is running under user privileges that have access rights to the folder structure you want to change.

·   To fire up a command prompt in a specific user context: “runas /user:Domain\username cmd”. E.g. “runas /user:CORPDOMAIN\networkfileshareadminaccount cmd”



For the exact meaning of each parameter:


·         /T recursively walks through the current folder and all of its subfolders, applying the chosen access rights to the matching files or folders.

·         /E edits the ACL instead of replacing it. Without /E the ACL is replaced: for example, only the administrator will have access to the Test.dat file if you run the XCACLS test.dat /G Administrator:F command, and all ACEs applied earlier are lost.

·         /C causes Xcacls.exe to continue if an “access denied” error message occurs. If /C is not specified, Xcacls.exe stops on this error.

·         /G user:perm;spec grants a user access to the matching file or folder.


o   R Read

o   C Change (write)

o   F Full Control

o   P Change Permissions (special access)

o   O Take Ownership (special access)

o   X EXecute (special access)

o   E REad (Special access)

o   W Write (Special access)

o   D Delete (Special access)


·         /Y disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that Xcacls.exe can be used in batch mode.


Result: All folders and files below and including the parent folder (e.g. basefolder) will have the specified account added to their security settings. This includes files and folders that are set to not inherit permissions from their parent.


Please don’t forget to test on an isolated folder structure first.
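The grant from step 4, as an added example (not code from the original post): a batch file that applies the switches listed above to one folder tree and logs the top-level ACL before and after, so it can be run against an isolated test folder first. The account name, the log location, the choice of Read (R) for the crawl account and the "access is denied" text searched for in the log are assumptions.

```batch
@echo off
rem Added example, not from the original post.
rem Assumptions: ACCOUNT and LOG are placeholders; Read (R) is assumed to be
rem sufficient for the search default content access account.
setlocal

set "ACCOUNT=CORPDOMAIN\searchcrawlaccount"
set "TARGET=%~1"
set "LOG=%TEMP%\xcacls-grant.log"

if "%TARGET%"=="" (
    echo Usage: %~nx0 ^<folder^>
    exit /b 1
)
if not exist "%TARGET%\" (
    echo Folder not found: %TARGET%
    exit /b 1
)

rem Record the ACL of the top folder before changing anything.
echo ==== ACL before: %TARGET% ==== > "%LOG%"
xcacls "%TARGET%" >> "%LOG%" 2>&1

rem /T recurse, /E edit (keep existing ACEs), /C continue on access denied,
rem /G grant Read only, /Y no confirmation prompt.
rem Leaving out /E would replace every ACL in the tree with this single ACE.
xcacls "%TARGET%" /T /E /C /G %ACCOUNT%:R /Y >> "%LOG%" 2>&1

rem Record the ACL afterwards so the two listings can be compared.
echo ==== ACL after: %TARGET% ==== >> "%LOG%"
xcacls "%TARGET%" >> "%LOG%" 2>&1

rem /C keeps going past failures, so look for them in the log afterwards.
rem Assumption: skipped items show up with the usual "Access is denied" text.
findstr /I /C:"access is denied" "%LOG%" >nul
if not errorlevel 1 (
    echo Some items were skipped; see %LOG%
    exit /b 2
)
echo Done. Review %LOG%
endlocal
```

Run it from the command prompt opened in step 4a, passing the test folder as the only argument, and compare the two ACL listings in the log before pointing it at the real share.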

Comments (1)

  1. Roger Crawford says:

    Excellent. Thought I was the only one who configures folders under shares like this.