GiveAccess - Set access permissions on files or folders

GA.exe sets access permissions of one or more files or folders. It is a small program (8 KB) that can be used to adjust permissions during installation by running it in a custom action (QuickInstall 2) or Run Program action (ExpertInstall 3, Installer 5, InstallMate 7).

System requirements: Runs on Windows NT4, 2000, XP, Vista, their Server editions, and later, both 32-bit and 64-bit versions. It does not run on Windows 9x systems, because those systems have no concept of access permissions.

Syntax

GA
GA access name_or_SID path

The first form displays a syntax summary and exits. The second form applies the access permissions to path for the account name or SID name_or_SID.

Parameter Description
GA Name of the program; .exe is implied. You may have to use a fully qualified file path if GA.exe is located in a folder that does not appear in your PATH environment variable.
(none) Display a message box with version info and syntax summary; exit when the user closes the message box.
access

Desired access rights. This can be a combination of the following:

  • A - All rights. Use this parameter on its own to allow name_or_SID full access to the file or folder.
  • D - Delete rights. This allows name_or_SID to delete the file or folder.
  • O - Change ownership. This allows name_or_SID to take ownership of the file or folder.
  • P - Change permissions. This allows name_or_SID to change the access permissions of the file or folder.
  • R - Read rights. This allows name_or_SID to read the file or list the folder's contents.
  • W - Write rights. This allows name_or_SID to take write to or replace the file, or to add files or folders to the folder.
  • X - Execute/Traverse rights. This allows name_or_SID to execute the file or traverse the folder. (Folder traversal allows an account to reach lower level folders or files, even if access to the folder itself is not allowed.)
name_or_SID

Name or SID (Security IDentifier) of the party to whom the rights are conveyed. This must be a name or SID of an existing built-in, local, or domain account.

  • A name can be something like Everyone, "Power Users" (the quotes are required if the name contains spaces), or B\Dave (i.e., the user Dave on the local machine or domain B). Note that built-in names such as Everyone, Administrator and "Power Users" are language-dependent: non-English versions of Windows may use different (translated) names instead. For that reason, we recommend that you use SIDs where possible.
  • A SID has the form S-1-xxx where xxx is a string of numbers separated by hyphens that designates the security authority, subauthority, and principal addressed by the SID. SIDs are particularly useful for built-in and other well-known entities, because they do not depend on the Windows language. The table below lists some commonly used SIDs.

If name_or_SID starts with the sequence S-, then GA interprets it as a security identifier; else it's assumed to be an account name. This implies that GA will fail if you are trying to use an account name that starts with S-.
path Path to the file or folder. This path may contain wildcards; in that case, GA will set the permissions on all matching files or folders. Be sure to "quote" the path if it contains spaces.

Well-known SIDs

The following table lists some well-known security identifiers that you can use for name_or_SID. Consult the MSDN documentation for more.

English name SID Description
Everyone S-1-1-0 The Everyone group; allows access to all users and groups.
Creator Owner S-1-3-0 Pseudo-identifier that represents the account that created the file or folder.
Interactive S-1-5-4 Users who are loggen in for an interactive session.
Authenticated S-1-5-11 All authenticated users.
Users S-1-5-32-545 Local Users group. Note that this is not to the same as Everyone; the Users group only includes accounts that are explicitly added to it (usually designated restricted users).
Power Users S-1-5-32-547 Local Power Users group.
Administrators S-1-5-32-544 Local Administrators group.
Guests S-1-5-32-546 Local Guests group.

Remarks

GA adds the permissions to any existing or inherited permissions. If the target is a folder, then the additional permissions will be inherited by files and subfolders in the folder.

File and folder permissions are only supported on Windows NT-based systems (i.e., NT4, 2000, XP, Vista, and later) that use NTFS as their file system.

GA.exe will not run on Windows 9x systems (i.e., Windows 95, 98, Me) and if you use GA.exe in an installer action, then you should make sure that GA.exe is not run on these systems (for example, by clearing the action's Platforms boxes for Windows 95, 98, Me).

Examples

Here are some usage examples.

GA
Displays a message box with the syntax summary and version info, and exits when the message box is closed.
GA A Everyone *.*
Gives full access to all files and folders in the current folder.
GA A S-1-1-0 *.*
Does the same, but in a language-independent way.
GA RW S-1-5-32-547 Data.mdb
Gives users in the Power Users group read/write access to the file Data.mdb.
GA A S-1-1-0 "<CommonProductAppDataFolder>\Data.mdb"
Gives everyone full access to the Data.mdb file in the product's application data folder. Note the use of quotes to catch any spaces that might result from the expansion of <CommonProductAppDataFolder>.