cacls
Displays or modifies access control lists (ACLs) of files and directories on NTFS volumes.
cacls filename [/t] [/e] [/c] [/g username:perm] [/r username [...]] [/p username:perm [...]] [/d username [...]]
Option | Description |
---|---|
filename | Displays ACLs of specified file(s) |
/t | Recursively applies changes to ACLs of specified files, starting from the current directory and extending to all subdirectories |
/e | Merges changes into an ACL instead of overwriting it |
/c | Ignores errors during the process of modifying an ACL |
/g username:perm | Grants username one of the following permissions: None, Read, Change (Write), Full Control |
/r username | Revokes all permissions for username |
/p username:perm | Replaces one of the following permissions for username: None, Read, Change (Write), Full Control |
/d username | Explicitly denies access to username |
Display the ACL for the directory C:\WINDOWS:
cacls C:\WINDOWS
C:\WINDOWS NT AUTHORITY\Authenticated Users:R
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Server Operators:C
BUILTIN\Server Operators:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
Table 5-1 explains the various symbols used in the output of cacls.
Symbol | Description |
---|---|
C | Container (directory) |
O | Object (file) |
I | Inherit (taking on the permissions of the parent directory) |
OI | Object inherit (any files created in this directory inherit this ACL) |
CI | Container inherit (any subdirectories created in this directory inherit this ACL) |
IO | Inherit only (ACL doesn't apply to the directory, only to subdirectories) |
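When reviewing many directories, the text that cacls prints can be parsed and checked automatically. The following is an added example, not part of the original reference: it parses output in the forms shown above (inheritance symbols from Table 5-1, single-letter permissions, and special-access continuation lines) and reports entries that give a broad principal Change or Full Control. The sample output, the BROAD list, and the function names are assumptions made for illustration.

```python
import re

# Inheritance symbols from Table 5-1 and the permission letters cacls prints
FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
PERMS = {"N": "None", "R": "Read", "C": "Change", "F": "Full Control"}
# Assumption: principals treated as "broad" for this audit; adjust to site policy.
BROAD = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}

ACE_RE = re.compile(r"^(?P<account>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)"
                    r"(?P<perm>[NRCF]|\(special access:\))$")

def parse_cacls(path, output):
    """Parse the text cacls prints for `path` into a list of ACE dicts."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):           # the first line repeats the path
            line = line[len(path):].strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({
                "account": m.group("account"),
                "flags": re.findall(r"\((\w\w)\)", m.group("flags")),
                "perm": PERMS.get(m.group("perm"), "special"),
                "rights": [],
            })
        elif aces:                          # e.g. GENERIC_READ under special access
            aces[-1]["rights"].append(line)
    return aces

def risky(aces):
    """Return ACEs that give a broad principal Change or Full Control."""
    return [a for a in aces
            if a["account"] in BROAD and a["perm"] in ("Change", "Full Control")]

# Constructed sample output (not captured from a real system)
SAMPLE = r"""C:\Data\Share BUILTIN\Administrators:F
              BUILTIN\Administrators:(OI)(CI)(IO)F
              NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(special access:)
                                               GENERIC_READ
                                               GENERIC_EXECUTE
              Everyone:(OI)(CI)C
              NT AUTHORITY\SYSTEM:F"""

if __name__ == "__main__":
    for ace in risky(parse_cacls(r"C:\Data\Share", SAMPLE)):
        print(ace["account"], ace["perm"], [FLAGS[f] for f in ace["flags"]])
```

Output forms not shown on this page are not recognized by the pattern and would need their own handling before relying on the result.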
cacls can't be used to create special permissions, only standard permissions. In this sense it is less granular than the GUI.
You can specify more than one file or user in a command.
cacls can't be used to set permissions on the root of an NTFS volume that is mounted to a folder on a different NTFS volume.
To use cacls in a batch file, you need to provide a way to automatically answer prompts it may generate. Since cacls doesn't have a /y switch to do this, use the Echo command to pipe y as input in response to an "Are You Sure?" message that cacls might generate. To do this, use:
Echo y| cacls filename /g username:perm
A practical use for cacls is to add the Administrators group automatically to the ACL for users' home directories. See Knowledge Base article Q180464 on Microsoft TechNet for several scripts for doing this.
Permissions