CACLS.exe

Display or modify Access Control Lists (ACLs) for files and folders.

This command has been deprecated, use icacls instead.

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.

Syntax
      CACLS pathname [options]

Options:

   /T   Search the pathname including all subfolders. (/TREE)
   /E   Edit ACL, leave existing rights unchanged (/EDIT)
   /C   Continue on access denied errors. (/CONTINUE)
   /L   Work on the Symbolic Link itself versus the target (/LINK)
   /M   Change ACLs of volumes mounted to a directory (/MOUNT)

   /G user:permission
        Grant access rights (/GRANT), permision can be:
          R  Read 
          W  Write
          C  Change (read/write) 
          F  Full control

   /R user
        Revoke specified user's access rights, only valid with /E. (/REVOKE)

   /P user:permission
        Replace access rights (/REPLACE), permission can be: 
          R  Read
          W  Write
          C  Change (read/write) 
          F  Full control
          N  None

   /D user
        Deny access to user. (/DENY)

   /S
        Display the SDDL string for the DACL. (/SSDL)
   /S:sddl
        Replace the ACL(s) with those specified in the SDDL string
        (not valid with /E, /G, /R, /P, or /D).

   (The long /aliases in brackets are undocumented)

In all the options above "user" can be a UserName or a group (either local or global)

You can specify more than one user:permission in a single command.

Wildcards can be used to specify multiple files.

If a UserName or GroupName includes spaces then it must be surrounded with quotes e.g. "Authenticated Users"

If no options are specified CACLS will display the ACLs for the file(s)

Setting Deny permission (/D) will deny access to a user even if they also belong to a group that grants access.

Limitations

If the file/folder is currently open (locked) it may not be possible to change the permissions without first closing the file locks. This can be done in Computer Management ➞ Shared Folders ➞ Open files.

Cacls cannot set the following permissions: Change permissions, Take ownership, Execute, Delete, use XCACLS to set any of these.

Using CACLS

If no options are specified CACLS will display the current ACLs
To display the current folder:
CACLS .

Display permissions for one file:
CACLS MyFile.txt

Display permissions for multiple files:
CACLS *.txt

Inherited folder permissions are displayed as:

 OI - Object inherit    - This folder and files. (no inheritance to subfolders)
 CI - Container inherit - This folder and subfolders.
 IO - Inherit only      - The ACE does not apply to the current file/directory
 ID - Inherited         - The ACE was inherited from the parent directory's ACL.

These can be combined as follows:
 (OI)(CI)      This folder, subfolders, and files.
 (OI)(CI)(IO)  Subfolders and files only.
     (CI)(IO)  Subfolders only.
 (OI)    (IO)  Files only. 

So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Fullcontrol)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)

To actually change the inheritance of a folder/directory use iCACLS /grant or iCACLs /deny

When cacls is applied to the current folder only there is no inheritance and so no output.

Errors when changing permissions

If a user or group has a permission on a file or folder and you grant a second permission to the same user/group on the same folder, NTFS will sometimes produce the error message "The parameter is incorrect" To fix this (or prevent it happening) revoke the permission first /e /r and then apply a fresh grant /e /g

No mapping between account names and security IDs was done
This error indicates that cacls looked up the group or username given in Active Directory and didn’t find anything, often this means that you need to prefix the name with a domain name ss64dom\user64 or (for a local account) the name of the machine pc64\localUser2 also check for simple typos.

Examples

Add Read-Only permission to a single file:

CACLS myfile.txt /E /G "Power Users":R

Add Full Control permission to a second group of users:

CACLS myfile.txt /E /G "FinanceUsers":F

Now revoke the Read permissions from the first group:

CACLS myfile.txt /E /R "Power Users"

Now give the first group Full-control:

CACLS myfile.txt /E /G "Power Users":F

Give the Finance group Full Control of a folder and all sub folders:

CACLS c:\docs\work /E /T /C /G "FinanceUsers":F

“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper

Related commands

ATTRIB - Display or change file attributes.
iCACLS - Change file and folder permissions (ACLs).
XCACLS - Change file and folder permissions (ACLs).
DIR /Q - Display the owner for a list of files (try it for Program files).
PERMS - Show permissions for a user.
FSUTIL - File System Options.
NTRIGHTS - Edit user account rights.
SetObjectSecurity - Set security for an object (file, directory, reg key etc).
TAKEOWN - Take ownership of files.
AccessEnum - GUI to browse a tree view of user privs.
Q271876 - Complex ACLs impair directory service performance.
Permissions explained.
PowerShell equivalent: Get-Acl / Set-Acl - Set permissions.
Equivalent bash command (Linux): chmod - Change access permissions.


 
Copyright © 1999-2024 SS64.com
Some rights reserved