CACLS displays or changes access control lists ( ACLs ) of Windows NT files on
NTFS partitions. Windows NT security manager uses the ACLs by:
- Checking for any specified No Access for the user or
any groups the user is a member of. If No Access is found, the user is denied
access.
- Checking for any specific granting of access based on the service requested
for the user and any groups the user is a member of. If access such as Grant is
found, the user is granted access. The users rights are the cumulative rights
granted to the user’s account and the user’s groups.
- If neither a specific No Access nor service permission is found, the default
of No Access applies. Therefore, the user is denied access.
If you have the Windows Resource Kit it includes an enhanced version named XCACLS which takes the same parameters and has additional
capabilities. If you have a few bucks, and its well worth the price,
www.trustedsystems.com offers SuperCACLs which has
superior features to the Microsoft utilities. Its a maxim but true, you get what
you pay for. If you do not have the resource kit, cacls comes with Windows NT.
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user
[…]] [/P user:perm […]] [/D user […]]
where
/T Changes ACLs of specified files in the current
directory and subdirectories
/E Edit ACL instead of
replacing it
/C Continue (ignore) access denied
errors
/G user : perm where access rights granted
can be: R C F (read, change, full control)
/R user
Revoke specified user’s access rights (only valid with /E)
/P user : perm Replace specified user’s access rights.
Permission can be: N R C F (none, read, change, ful control)
/D user Deny specified user access.
You simply can not beat this kind of commandline utility for automating
changes which are simply too labor intensive using the GUI tools. SYSTEM should
have access to all of NTFS. You can reapply this by running at root of drive:
CACLS * /e /t /g SYSTEM:F
where the /e switch tells the CACLS utility to EDIT the ACLs rather
than REPLACE the existing permissions, and the /t switch tells it to apply the
edit to subdirectories.
If you run CACLS and see the message:
Unable to perform a security operation on an object which has
no associated security
you are running on a FAT partition. ACLs are only used on NTFS partitions.
To grant user wmaples full control over myfile.txt:
cacls c:\myfile.txt /G wmaples:F
All other previously defined permissions will be deleted. If you don’t
want to remove previously defined permissions, add the /E switch:
cacls c:\myfile.txt /E /G wmaples:F
Adds user wmaples to the security permissions of the file, but other
permissions are left unchanged. To use Cacls.exe in batch files you need to
handle the Are you Sure? prompt. If you try to replace all the security
permissions for a file without using the /E switch, Cacls.exe will display the
Are You Sure? (Y/N) prompt. To successfully script this in a batch file,
you’ll have to run the command as:
echo y| cacls c:\myfile.txt /G wmaples:F
Note the echo y| in front of the
command: Make sure you don’t put a space between | and y.
To get the listing of all parameters, run:
cacls /?
