Use CACLS Windows NT utility to edit or display file permissions

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

CACLS displays or changes access control lists (ACLs) of Windows NT files on NTFS partitions. The Windows NT security manager uses the ACLs by:
  • Checking for any specified No Access for the user or any groups the user is a member of. If No Access is found, the user is denied access.
  • Checking for any specific granting of access based on the service requested for the user and any groups the user is a member of. If access such as Grant is found, the user is granted access. The user's rights are the cumulative rights granted to the user's account and the user's groups.
  • If neither a specific No Access nor service permission is found, the default of No Access applies. Therefore, the user is denied access.

If you have the Windows Resource Kit, it includes an enhanced version named XCACLS, which takes the same parameters and has additional capabilities. If you have a few bucks, and it's well worth the price, www.trustedsystems.com offers SuperCACLs, which has superior features to the Microsoft utilities. It's a maxim but true: you get what you pay for. If you do not have the resource kit, cacls comes with Windows NT.

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

where

/T Changes ACLs of specified files in the current directory and subdirectories
/E Edit ACL instead of replacing it
/C Continue (ignore) access denied errors
/G user:perm Grant specified user access rights, where access rights granted can be: R C F (read, change, full control)
/R user Revoke specified user's access rights (only valid with /E)
/P user:perm Replace specified user's access rights. Permission can be: N R C F (none, read, change, full control)
/D user Deny specified user access.

You simply cannot beat this kind of command-line utility for automating changes that are too labor intensive with the GUI tools. SYSTEM should have access to all of NTFS. You can reapply this by running the following at the root of the drive:

CACLS * /e /t /g SYSTEM:F

where the /e switch tells the CACLS utility to EDIT the ACLs rather than REPLACE the existing permissions, and the /t switch tells it to apply the edit to subdirectories.

If you run CACLS and see the message:

Unable to perform a security operation on an object which has no associated security

you are running on a FAT partition. ACLs are only used on NTFS partitions.

To grant user wmaples full control over myfile.txt:

cacls c:\myfile.txt /G wmaples:F

All other previously defined permissions will be deleted. If you don't want to remove previously defined permissions, add the /E switch:

cacls c:\myfile.txt /E /G wmaples:F

This adds user wmaples to the security permissions of the file, but other permissions are left unchanged. To use Cacls.exe in batch files, you need to handle the Are You Sure? prompt. If you try to replace all the security permissions for a file without using the /E switch, Cacls.exe will display the Are You Sure? (Y/N) prompt. To successfully script this in a batch file, you'll have to run the command as:

echo y| cacls c:\myfile.txt /G wmaples:F

Note the echo y| in front of the command: Make sure you don't put a space between | and y.

To get the listing of all parameters, run:

cacls /?
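
The evaluation order listed at the top of this article, and the difference between /G with and without /E, can be checked against a small Python model. This is an added example, not code from the article or from Microsoft; the tuple-based ACL, the ranking of R, C and F, and the account jsmith are assumptions made for illustration.

```python
# Simplified model of the article's ACL rules; not Windows or CACLS code.
RANK = {"R": 1, "C": 2, "F": 3}  # assumption: change includes read, full includes change


def _key(name):
    # Windows account names are not case sensitive
    return name.lower()


def grant(acl, user, perm, edit=False):
    """Model of CACLS /G user:perm; edit=True models the /E switch."""
    if perm not in RANK:
        raise ValueError("perm must be R, C or F")
    kept = list(acl) if edit else []          # without /E the old ACL is discarded
    return kept + [("grant", _key(user), perm)]


def deny(acl, user, edit=False):
    """Model of CACLS /D user (No Access); edit=True models the /E switch."""
    kept = list(acl) if edit else []
    return kept + [("deny", _key(user), None)]


def check_access(acl, user, groups, requested):
    """Return True if `requested` (R, C or F) is allowed for user and groups."""
    principals = {_key(user)} | {_key(g) for g in groups}
    # 1. Any No Access entry for the user or one of the groups wins.
    if any(kind == "deny" and who in principals for kind, who, _ in acl):
        return False
    # 2. Rights are cumulative across the user's own entry and the groups' entries.
    best = max((RANK[perm] for kind, who, perm in acl
                if kind == "grant" and who in principals), default=0)
    # 3. No matching entry leaves best at 0, which is the default No Access.
    return best >= RANK[requested]


def demo():
    """Constructed starting ACL, then the article's two wmaples commands."""
    start = [("grant", "administrators", "F"), ("grant", "users", "R")]
    replaced = grant(start, "wmaples", "F")            # cacls file /G wmaples:F
    edited = grant(start, "wmaples", "F", edit=True)   # cacls file /E /G wmaples:F
    return replaced, edited


if __name__ == "__main__":
    replaced, edited = demo()
    print("Users can read after /G:   ", check_access(replaced, "jsmith", ["Users"], "R"))
    print("Users can read after /E /G:", check_access(edited, "jsmith", ["Users"], "R"))
```

In the model, a member of Users loses read access after the plain /G command, and a No Access entry on Users blocks wmaples even though his own entry grants full control.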
