CACLS.exe – Display or modify Access Control Lists (ACLs) for files and folders.


CACLS.exe (this command is deprecated, use ICACLS.EXE instead)

Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS-formatted drive. Each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACLs from the folder where it was created.

Syntax
      CACLS pathname [options]

Key
   options can be any combination of:

   /T Search the pathname including all subfolders.
   /E Edit ACL (leave existing rights unchanged)
   /C Continue on access denied errors. 

   /G user:permission
      Grant access rights, permission can be:
         R Read
         W Write
         C Change (read/write)
         F Full control 

   /R user
      Revoke specified user's access rights (only valid with /E). 

   /P user:permission
      Replace access rights, permission can be:
         N None
         R Read
         W Write
         C Change (read/write)
         F Full control 

   /D user
      Deny access to user. 

   In all the options above "user" can be a UserName
   or a Workgroup (either local or global)

   If a UserName or WGname includes spaces then it must
   be surrounded with quotes e.g. "Authenticated Users"

   If no options are specified CACLS will display the ACLs for the file(s)

Other features to try

Wildcards can be used to specify multiple files.
You can specify more than one user:permission in a single command.
The /D option will deny access to a user even if they belong to a group that does have access.

Using CACLS

  • The CACLS command does not provide a /Y switch to automatically answer ‘Y’ to the Y/N prompt. However, you can pipe the ‘Y’ character into the CACLS command using ECHO, with the following syntax:

    ECHO Y| CACLS <pathname> /G <username>:<permission>
  • To edit a file you must have the “Change” ACL (or be the file’s owner)
  • Using the CACLS command to change an ACL requires “Full Control”
  • File “Ownership” will always override all ACLs – you always have Full Control over files that you create.
  • If CACLS is used without the /E switch, all existing rights on [pathname] will be replaced. Any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CACLS command will work without errors, use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
  • The /T option will only traverse subfolders below the current directory.

If no options are specified CACLS will display the current ACLs
e.g. To display the current folder
CACLS .
Display permissions for one file
CACLS MyFile.txt
Display permissions for multiple files
CACLS *.txt

Inherited folder permissions are displayed as:

 OI - Object inherit    - This folder and files. (no inheritance to subfolders)
 CI - Container inherit - This folder and subfolders.
 IO - Inherit only      - The ACE does not apply to the current file/directory

These can be combined as follows:
 (OI)(CI)      This folder, subfolders, and files.
 (OI)(CI)(IO)  Subfolders and files only.
     (CI)(IO)  Subfolders only.
 (OI)    (IO)  Files only.

So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit ‘F’ (Full control).
Similarly, (CI)R means directories will inherit ‘R’ (Read folders only = List permission).

When cacls is applied to the current folder only there is no inheritance and so no output.
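
The flag decoding described above, as an added example that is not part of the original page: a Python parser for CACLS display output that maps each ACE's (OI)/(CI)/(IO) flags to the scope wording in the table and lists broad principals whose Change or Full control rights propagate to child objects. The sample output, the CORP\FinanceUsers name and the BROAD list are constructed assumptions; only simple N/R/W/C/F entries are decoded.

```python
import re
# Scope wording from the inheritance table above, keyed by the flags displayed.
SCOPES = {
    frozenset(): "This object only",
    frozenset({"OI"}): "This folder and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI", "CI"}): "This folder, subfolders, and files",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}
RIGHTS = {"N": "None", "R": "Read", "W": "Write", "C": "Change", "F": "Full control"}
# Assumption: principals this audit treats as broad; adjust for your environment.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
ACE = re.compile(r"^(?P<who>.+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def parse_cacls(output, path):
    """Decode the display output of `CACLS path` into a list of ACE dicts."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first ACE shares a line with the path
        m = ACE.match(line)
        if not m:
            continue  # blank line, or an entry that is not a simple N/R/W/C/F right
        flags = frozenset(re.findall(r"\(([A-Z]+)\)", m["flags"]))
        aces.append({"who": m["who"], "right": RIGHTS[m["right"]], "flags": flags,
                     "scope": SCOPES.get(flags, "Unrecognised flag combination")})
    return aces

def risky(aces):
    """Broad principals whose Change/Full control is inherited by child objects."""
    return [a for a in aces
            if a["who"].lower() in BROAD
            and a["right"] in ("Change", "Full control")
            and a["flags"] & {"OI", "CI"}]

# Constructed sample output (not captured from a real system).
SAMPLE = r"""C:\docs\work BUILTIN\Administrators:(OI)(CI)F
             NT AUTHORITY\SYSTEM:(OI)(CI)F
             CORP\FinanceUsers:(OI)(CI)(IO)C
             BUILTIN\Users:(CI)R
             Everyone:(OI)(CI)C
"""

if __name__ == "__main__":
    found = parse_cacls(SAMPLE, r"C:\docs\work")
    print(*found, "Review: " + str([a["who"] for a in risky(found)]), sep="\n")
```
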

Errors when changing permissions

If a user or group has a permission on a file or folder and you grant a second permission to the same user/group on the same folder, NTFS will sometimes produce the error message “The parameter is incorrect”. To fix this (or prevent it happening), revoke the permission first (/E /R) and then reapply it (/E /G).

Examples:

Add Read-Only permission to a single file
CACLS myfile.txt /E /G "Power Users":R

Add Full Control permission to a second group of users
CACLS myfile.txt /E /G "FinanceUsers":F

Now revoke the Read permissions from the first group
CACLS myfile.txt /E /R "Power Users"

Now give the first group Full-control:
CACLS myfile.txt /E /G "Power Users":F

Give the Finance group Full Control of a folder and all sub folders
CACLS c:\docs\work /E /T /C /G "FinanceUsers":F

“Whether a pretty woman grants or withholds her favours, she always likes to be asked for them” – Ovid (Ars Amatoria)

Related:

ATTRIB – Display or change file attributes
AccessEnum – GUI to browse a tree view of user privs
DIR /Q – Display the owner for a list of files (try it for Program files)
PERMS – Show permissions for a user
FIXACLS – Restore default privs (Resource Kit supplement 2)
FSUTIL – File System Options
NTRIGHTS – Edit user account rights
SHOWACL – Show file Access Control Lists (Windows 2000)
TAKEOWN – Take ownership of shares
XCACLS – Display or modify Access Control Lists (ACLs) for files and folders
Q237701 – Cacls cannot apply security to root
Q834721 – Permissions on Folder are incorrectly ordered
Q135268 – How to use CACLS.EXE in a Batch File
Q245031 – Error when using the | pipe symbol
NT Permissions explained

ACL utils: SetACL or FileACL (free)

Equivalent Linux BASH commands:

chmod – Change access permissions
chown – Change file owner and group

source:

http://www.ss64.com/nt/cacls.html

ICACLS.EXE

icacls c:\windows\* /save AclFile /T

- Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile

- Will restore the ACLs for every file within AclFile that exists in c:\windows and its subdirectories

icacls file /grant Administrator:(D,WDAC)

- Will grant the user Administrator Delete and Write DAC permissions to file

icacls file /grant *S-1-1-0:(D,WDAC)

- Will grant the user (or security group) defined by SID S-1-1-0 Delete and Write DAC permissions to file

icacls c:\windows\explorer.exe

- View the discretionary access list and integrity level

icacls file /setintegritylevel H

- Modify mandatory integrity level of an object to High


13 thoughts on “CACLS.exe – Display or modify Access Control Lists (ACLs) for files and folders.

  1. Pingback: Auditing Folder (and subfolder) Permissions using CACLS at Information Systems Auditing

    • Is there a possibility to configure auditing for a specified folder using icacls?
      I’m not talking about GPOs, just enabling auditing from advanced security settings for a folder.
      Thank you in advance for your reply :P
