Monday, December 31, 2007

Fixing profile permissions in Windows XP Home

If you log onto Windows XP Home under an account with Administrator privileges and try to access the files in the profile of another account, you will get an Access Denied error. This is because of how the permissions are set up on the directory tree. In one recent example, I found that the Owner of the directory tree couldn't be displayed, and that the Account that used that profile and the SYSTEM account had Full Control, whereas no other account had any control.

What I would like the permissions to be is for the profile user to be the owner, but for the Administrators group to have Full Control. You can't do this (at least, not easily) using the Security tab interface in Windows XP Home (either through the Security tab hack for XP Home, or by logging in under Safe Mode), nor through CACLS, XP's built-in command-line tool for file permissions.

Instead, I used SetACL, a great tool that I have been using more and more lately. It took me a while to figure out how to accomplish what I wanted, but eventually I came up with the following method of changing the permissions for the whole tree:
  1. Change the owner of the profile directory to the Administrators group.
  2. Give the Administrators group Full control, and enable permissions propagation for the entire tree.
  3. Reset the owner to the account holder.
The syntax of SetACL can be pretty obscure, so here is an example batch file to do the above. The account affected is the Owner account.

REM Step 1: take ownership of the whole tree as the Administrators group (recurse into containers and objects)
setacl.exe -on "C:\Documents and Settings\Owner" -ot file -actn setowner -ownr n:Administrators -rec cont_obj

REM Step 2: grant Administrators Full Control on the profile directory, then reset every child's DACL so it inherits from the parent
setacl.exe -on "C:\Documents and Settings\Owner" -ot file -actn ace -ace "n:Administrators;p:full" -actn rstchldrn -rst dacl

REM Step 3: hand ownership of the tree back to the profile account
setacl.exe -on "C:\Documents and Settings\Owner" -ot file -actn setowner -ownr n:Owner -rec cont_obj

The above lines wrap, so note that each command starts with setacl.exe (the REM lines are just comments).
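As an added example (not the batch file from the original post), here is a parameterized version of the same three SetACL steps that stops on the first failure and then displays the resulting DACL with CACLS so the change can be checked. It assumes profiles live under C:\Documents and Settings, that setacl.exe is on the PATH, and that SetACL returns a non-zero exit code on error; the profile account name is passed as the only argument.

```batch
@echo off
REM Added example, not from the original post: run the three SetACL steps
REM against one profile, stop on the first error, then show the result.
REM Usage: fixprofile.cmd <AccountName>   (e.g. fixprofile.cmd Owner)
REM Assumes profiles live under C:\Documents and Settings, that setacl.exe
REM is on the PATH, and that SetACL exits non-zero when a step fails.

if "%~1"=="" (
    echo Usage: %~nx0 ^<AccountName^>
    exit /b 1
)
set "PROFILE=C:\Documents and Settings\%~1"
if not exist "%PROFILE%\" (
    echo Profile directory not found: "%PROFILE%"
    exit /b 1
)

REM Step 1: take ownership of the whole tree as the Administrators group.
setacl.exe -on "%PROFILE%" -ot file -actn setowner -ownr n:Administrators -rec cont_obj
if errorlevel 1 goto fail

REM Step 2: grant Administrators Full Control on the directory, then make
REM every child inherit the directory's DACL again.
setacl.exe -on "%PROFILE%" -ot file -actn ace -ace "n:Administrators;p:full" -actn rstchldrn -rst dacl
if errorlevel 1 goto fail

REM Step 3: give ownership of the tree back to the profile account.
setacl.exe -on "%PROFILE%" -ot file -actn setowner -ownr "n:%~1" -rec cont_obj
if errorlevel 1 goto fail

REM Check: the top of the tree should now list Administrators with F
REM (Full Control) alongside the profile account and SYSTEM.
echo Resulting permissions on "%PROFILE%":
cacls "%PROFILE%"
exit /b 0

:fail
echo SetACL failed on "%PROFILE%"; permissions may be only partially changed.
exit /b 1
```

Run it from an Administrator account (or Safe Mode on XP Home) and compare the CACLS output before and after to confirm Administrators gained Full Control and the owner is back to the profile account.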
