Windows Server 2003 in a Nutshell
| cacls |
Displays or modifies access control lists (ACLs) of files and directories on NTFS volumes .
Syntax
cacls filename [/t] [/e] [/c] [/g username : perm ] [/r username [...] ] [/p username : perm [...] ] [/d username [...] ]
Options
- filename [filename...]
-
Displays ACLs of specified file(s)
- /t
-
Recursively applies changes to ACLs of specified files, starting from the current directory and extending to all subdirectories
- /e
-
Merges changes into an ACL instead of overwriting it
- /c
-
Ignores errors during the process of modifying an ACL
- /g username:perm
-
Grants username one of the following permissions:
- N
-
None
- R
-
Read
- C
-
Change (Write)
- F
-
Full Control
- /r username
-
Revokes all permissions for username
- /p username:perm
-
Replaces one of the following permissions for username :
- N
-
None
- R
-
Read
- C
-
Change (Write)
- F
-
Full Control
- /d username
-
Explicitly denies access to username
Examples
Display the ACL for the directory C:\WINDOWS :
cacls C:\WINDOWS C:\WINDOWS NT AUTHORITY\Authenticated Users:R NT AUTHORITY\Authenticated Users: (OI)(CI)(IO)(special access:) GENERIC_READ GENERIC_EXECUTE BUILTIN\Server Operators:C BUILTIN\Server Operators:(OI)(CI)(IO)C BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Administrators:F CREATOR OWNER:(OI)(CI)(IO)F
Table 5-1 explains the various symbols used in the output of cacls .
Table 5-1. Symbols used in cacls command
| Symbol | Description |
|---|---|
| C | Container (directory) |
| O | Object (file) |
| I | Inherit (taking on the permissions of the parent directory) |
| OI | Object inherit (any files created in this directory inherit this ACL) |
| CI | Container inherit (any subdirectories created in this directory inherit this ACL) |
| IO | Inherit only (ACL doesn't apply to the directory, only to subdirectories) |
Notes
-
cacls can't be used to create special permissions, only standard permissions. In this sense it is less granular than the GUI.
-
You can specify more than one file or user in a command.
-
cacls can't be used to set permissions on the root of an NTFS volume that is mounted to a folder on a different NTFS volume.
-
To use cacls in a batch file, you need to provide a way to automatically answer prompts it may generate. Since calcs doesn't have a /y switch to do this, use the Echo command to pipe y as input in response to an "Are You Sure?" message that cacls might generate. To do this, use:
Echo y cacls filename /g username:perm
-
A practical use for cacls is to add the Administrators group automatically to the ACL for users' home directories. See Knowledge Base article Q180464 on Microsoft TechNet for several scripts for doing this.
See Also
Permissions