GiveAccess - Set access permissions on files or folders

GA.exe sets access permissions of one or more files or folders, or on registry keys. It is a small program (9 KB) that can be used to adjust permissions during installation by running it in a custom action (QuickInstall 2) or Run Program action (ExpertInstall 3, Installer 5, InstallMate 7, InstallMate 9).

Terms of use

You may freely use this program for personal or internal business uses only. You may not incorporate the program either wholly or in part into any product or publication, or otherwise distribute the program without express written permission from Tarma Software Research Pty Ltd. However, you may provide links to this program's web page.

As a special exception, Tarma Software Research Pty Ltd hereby allows you to incorporate and distribute GA.exe with installers that you create with InstallMate 9, InstallMate 7, Tarma Installer 5, Tarma ExpertInstall 3, or Tarma QuickInstall 2.

Tarma Software Research Pty Ltd is not liable for errors or omissions in this program.

Download

Download GiveAccess (version 22.4.1.4715, 27 November 2012)

Contents: The download archive contains the following versions of the GiveAccess tool:

File name	Description
GA.exe	32-bit version of GiveAccess; intended for distribution and use on 32-bit Windows systems.
GA-Debug.exe	32-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on 32-bit Windows systems. Not intended for redistribution.
GAx64.exe	64-bit version of GiveAccess; intended for distribution and use on x64 Windows systems (not suitable for IA64 systems).
GAx64-Debug.exe	64-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on x64 Windows systems (not suitable for IA64 systems). Not intended for redistribution.

System requirements: Runs on Windows NT4, 2000, XP, Vista, 7, 8, their Server editions, and later, both 32-bit and 64-bit versions. It does not run on Windows 9x systems, because those systems have no concept of access permissions.

Syntax

GA
GA access name_or_SID path

The first form displays a syntax summary and exits. The second form applies the access permissions to path for the account name or SID name_or_SID.

Parameter	Description
GA	Name of the program; .exe is implied. You may have to use a fully qualified file path if GA.exe is located in a folder that does not appear in your PATH environment variable.
(none)	Display a message box with version info and syntax summary; exit when the user closes the message box.
access	Desired access rights. This can be a combination of the following: A - All rights. Use this parameter on its own to allow name_or_SID full access to the file or folder. D - Delete rights. This allows name_or_SID to delete the file or folder. O - Change ownership. This allows name_or_SID to take ownership of the file or folder. P - Change permissions. This allows name_or_SID to change the access permissions of the file or folder. R - Read rights. This allows name_or_SID to read the file or list the folder's contents. W - Write rights. This allows name_or_SID to take write to or replace the file, or to add files or folders to the folder. X - Execute/Traverse rights. This allows name_or_SID to execute the file or traverse the folder. (Folder traversal allows an account to reach lower level folders or files, even if access to the folder itself is not allowed.)
name_or_SID	Name or SID (Security IDentifier) of the party to whom the rights are conveyed. This must be a name or SID of an existing built-in, local, or domain account. A name can be something like Everyone, "Power Users" (the quotes are required if the name contains spaces), or B\Dave (i.e., the user Dave on the local machine or domain B). Note that built-in names such as Everyone, Administrator and "Power Users" are language-dependent: non-English versions of Windows may use different (translated) names instead. For that reason, we recommend that you use SIDs where possible. A SID has the form S-1-xxx where xxx is a string of numbers separated by hyphens that designates the security authority, subauthority, and principal addressed by the SID. SIDs are particularly useful for built-in and other well-known entities, because they do not depend on the Windows language. The table below lists some commonly used SIDs. If name_or_SID starts with the sequence S-, then GA interprets it as a security identifier; else it's assumed to be an account name. This implies that GA will fail if you are trying to use an account name that starts with S-.
path	Path to the file or folder, or to a registry key. If you are specifying a file or folder path, the path may contain wildcards; in that case, GA will set the permissions on all matching files or folders. If you are specifying a registry key path, the path must start with one of the following: CLASSES_ROOT\, CURRENT_USER\, or MACHINE\ (for, respectively, HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, or HKEY_LOCAL_MACHINE) and may not contain wildcards. Be sure to "quote" the path if it contains spaces.

Well-known SIDs

The following table lists some well-known security identifiers that you can use for name_or_SID. Consult the MSDN documentation for more.

English name	SID	Description
Everyone	S-1-1-0	The Everyone group; allows access to all users and groups.
Creator Owner	S-1-3-0	Pseudo-identifier that represents the account that created the file or folder.
Interactive	S-1-5-4	Users who are loggen in for an interactive session.
Authenticated	S-1-5-11	All authenticated users.
Users	S-1-5-32-545	Local Users group. Note that this is not to the same as Everyone; the Users group only includes accounts that are explicitly added to it (usually designated restricted users).
Power Users	S-1-5-32-547	Local Power Users group.
Administrators	S-1-5-32-544	Local Administrators group.
Guests	S-1-5-32-546	Local Guests group.

Remarks

GA adds the permissions to any existing or inherited permissions. If the target is a folder or a registry key, then the additional permissions will be inherited by files and subfolders in the folder (in the case of a folder) or the subkeys (in case of a registry key).
File and folder permissions are only supported on Windows NT-based systems (i.e., NT4, 2000, XP, Vista, 7, 8, and later) that use NTFS as their file system. Registry key permissions are only supported on Windows NT-based systems.
On 64-bit Windows systems you must use the x64 version of GA.exe to access the 64-bit view of the registry. If you use the 32-bit version of GA.exe on a 64-bit Windows system, the tool will try to modify the 32-bit registry keys, not the 64-bit keys.
GA.exe will not run on Windows 9x systems (i.e., Windows 95, 98, Me) and if you use GA.exe in an installer action, then you should make sure that GA.exe is not run on these systems (for example, by clearing the action's Platforms boxes for Windows 95, 98, Me).

Examples

Here are some usage examples.

GA: Displays a message box with the syntax summary and version info, and exits when the message box is closed.
GA A Everyone *.*: Gives full access to all files and folders in the current folder.
GA A S-1-1-0 *.*: Does the same, but in a language-independent way.
GA RW S-1-5-32-547 Data.mdb: Gives users in the Power Users group read/write access to the file Data.mdb.
GA A S-1-1-0 "<CommonProductAppDataFolder>\Data.mdb": Gives everyone full access to the Data.mdb file in the product's application data folder. Note the use of quotes to catch any spaces that might result from the expansion of <CommonProductAppDataFolder>.
GA A S-1-1-0 MACHINE\Software\Microsoft\Windows\CurrentVersion: Gives everyone full access to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion registry key and all of its subkeys (unless a subkey has permissions that block propagation of inherited access rights). Note that this is not recommended and only used here as an example of a registry key modification.