Introduction to CACLS - Modify Discretionary Access Control Lists
CACLS is a command-line program for changing a folder's permissions. It is my view that CACLS is made for scripting. But first a reminder of the manual, GUI method for adjusting a folder's Access Control List (ACL): if you right-click a folder and select the Security tab, you can examine or even modify the permissions (ACL).
On this page I will answer the other questions that you may be asking about CACLS. For example, where does CACLS come from? How do you use the CACLS switches?
Topics for CACLS (Modify Discretionary Access Control Lists)
You can trace the history of CACLS right back to Windows NT 3.5. These days CACLS is built in to Windows 2003, XP and similar modern operating systems. Just open a cmd prompt session and type: cacls.
Here is a purely personal view of how to understand the CACLS syntax. Begin by dividing the CACLS command into three parts thus:
CACLS 1) folder name 2) replace, edit or revoke entries 3) grant user permission
Example: cacls c:\home /t /g guyt:F
1) cacls c:\home - this is the path to the folder whose permissions you wish to change.
2) /t - replace (with guyt's permissions). Note, /t wipes out everyone else's permissions. An alternative would be /e, meaning edit or append permissions.
3) /g guyt:f - think of /g as standing for Grant. In this instance, the command grants guyt full control. An alternative would be :r (read). Note the colon: incidentally, with cacls there isn't a comma in sight.
/t I think of the 't' as meaning trash the original security permissions. However, Roger R writes saying my view is a bit harsh, and you should think of /t as applying the permissions you are setting to the files and folders in the sub directory.
/e Think of the 'e' as CACLS inviting you to edit. Alternatively, think of 'e' for append, or for correcting an entry that went wrong.
/g This is the main switch; 'g' means grant, as in: grant me the permissions. This switch requires a user, followed by a colon and a letter for the permission. Here are two examples: /g guyt:f gives full control for guyt; /g freddy:r gives read only for freddy.
/p Almost the same as /g. CACLS /p replaces, whereas /g appends.
/r Revokes, i.e. removes a named user from the Access Control List. Classic usage would be /r users.
/d 'd' stands for deny. Remember that if you deny the Users group, the result is that nobody is able to see the files, so use /d sparingly.
/c 'c' is for continue. This switch works for CACLS like 'on error resume next' works in VBScript. Adding /c says to CACLS, 'Carry on despite an error'.
The purpose of this section is to examine how to incorporate CACLS in a VBScript which sets permissions for multiple users.
It took me 30 minutes to work out how to master this; when I finally cracked the cacls syntax it was so simple. Let me begin with configuring cacls from the command line. Here is an example to set the permissions for three users, user1, user2 and admin6:
/g user1:f user2:r admin6:c
The pattern is one /g and then each user followed by a colon and the permission. My mistakes were multiple /g and multiple /t - wrong. Note again, no commas in sight.
If you have a problem then you could experiment with domain\user instead of user1. Full example: /g domx\user:c
What gave me even more grief were groups with spaces, such as "Domain Admins". You really need to pay attention to detail with names containing spaces. Firstly, believe that CACLS can handle "Domain Admins"; secondly, pay attention to the speech marks.
From the command line it's moderately tricky: cacls c:\home /t /g "Domain Admins":c guyt:r
In a VBScript it seemed impossible, until I hit upon the double, double quotes: ""Domain Admins"".
    ' Setup assumed for this snippet (not on the original page): the objects and variables it uses.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")
    strUser = "guyt"
    strHomeFolder = "C:\home\" & strUser

    If objFSO.FolderExists(strHomeFolder) Then
        ' Assign user permission to home folder. Echo Y| answers cacls's "Are you sure (Y/N)?" prompt.
        ' The folder path is quoted in case it contains spaces; doubled quotes inside the VBScript
        ' string become one literal quote in the command, so "Domain Admins" reaches cacls intact.
        intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls """ & strHomeFolder _
            & """ /t /g ""Domain Admins"":c guyt:r", 2, True)
        If intRunError <> 0 Then
            Wscript.Echo "Error assigning permissions for user " _
                & strUser & " to home folder " & strHomeFolder
        End If
    End If
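The switch list and the multi-user section above both come down to assembling one correctly quoted cacls line: one /g, every account:letter token after it, quotes only around names with spaces, and no commas. The following Python script is an added example, not code from the original page: it builds the argv list for a cacls call, renders it the way you would type it at a cmd prompt, and can run it on Windows with Y fed to stdin (the scripted equivalent of the Echo Y| trick). The function and parameter names are my own. It also encodes two points from the cacls /? help text: /T applies the change to files and subfolders, /E edits the ACL instead of replacing it, and /R is only valid together with /E.

```python
"""Build, display and optionally run one CACLS command for several accounts.

Added example (not code from the original page). The builder runs anywhere;
run_cacls() only does something on Windows, where cacls.exe is on PATH.
Switch order and permission letters follow the cacls /? help text.
"""
import subprocess
import sys

# Permission letters cacls accepts after the colon:
# N none, R read, W write, C change (write), F full control.
PERMISSION_LETTERS = {"N", "R", "W", "C", "F"}


def _ace_token(account, perm):
    """Return 'account:LETTER', validating the letter (case-insensitive)."""
    letter = perm.strip().upper()
    if letter not in PERMISSION_LETTERS:
        raise ValueError(f"unknown CACLS permission {perm!r} for {account!r}; "
                         f"use one of {sorted(PERMISSION_LETTERS)}")
    return f"{account}:{letter}"


def cacls_args(folder, grant=None, replace=None, revoke=(), deny=(),
               edit=True, recurse=False, keep_going=False):
    """Assemble the argv list for a single cacls invocation.

    grant / replace: dict account -> permission letter (rendered after /G and /P).
    revoke / deny:   account names rendered after /R and /D.
    edit=True adds /E so existing entries are kept; without it cacls replaces
    the whole ACL with only the entries given here (and asks for a Y/N).
    recurse=True adds /T (apply to files and subfolders as well).
    keep_going=True adds /C (carry on past access-denied errors).
    """
    grant, replace = grant or {}, replace or {}
    revoke, deny = list(revoke), list(deny)
    if not (grant or replace or revoke or deny):
        raise ValueError("no ACL change requested")
    if revoke and not edit:
        raise ValueError("/R is only valid together with /E (see cacls /?)")
    args = ["cacls", folder]
    if recurse:
        args.append("/T")
    if edit:
        args.append("/E")
    if keep_going:
        args.append("/C")
    # One /G (or /P) followed by every account:letter token, no commas in sight.
    if grant:
        args += ["/G"] + [_ace_token(a, p) for a, p in grant.items()]
    if revoke:
        args += ["/R"] + revoke
    if replace:
        args += ["/P"] + [_ace_token(a, p) for a, p in replace.items()]
    if deny:
        args += ["/D"] + deny
    return args


def _shell_token(arg):
    """Quote one argument as the page shows it for cmd.exe: the name part of
    "Domain Admins":C gets the quotes, a path with spaces is quoted whole."""
    if not any(ch.isspace() for ch in arg):
        return arg
    name, sep, letter = arg.rpartition(":")
    if sep and name and letter.upper() in PERMISSION_LETTERS:
        return f'"{name}":{letter}'
    return f'"{arg}"'


def cacls_command_line(args):
    """Render the argv list as the line you would type at a cmd prompt."""
    return " ".join(_shell_token(a) for a in args)


def run_cacls(args):
    """Run cacls on Windows, answering its 'Are you sure (Y/N)?' prompt with Y
    on stdin. Returns the exit code; non-zero means cacls reported a problem."""
    if sys.platform != "win32":
        raise RuntimeError("cacls.exe exists only on Windows; use cacls_command_line() to preview")
    result = subprocess.run(args, input="Y\n", text=True, capture_output=True)
    print(result.stdout, result.stderr, sep="")
    return result.returncode


if __name__ == "__main__":
    # Constructed example: edit c:\home recursively for a group and three users.
    argv = cacls_args(r"c:\home", recurse=True, revoke=["users"],
                      grant={"Domain Admins": "c", "user1": "f", "user2": "r", "admin6": "c"})
    print(cacls_command_line(argv))
    if "--apply" in sys.argv:  # only touch the ACL when explicitly asked
        print("exit code", run_cacls(argv))
```

Run without arguments it only prints the command line it would issue, which is the safest way to check the quoting before letting it near a real folder; `--apply` runs cacls.exe. Because `subprocess.run` receives a list, Windows quoting is handled by Python when the command is actually executed; the cmd-style rendering exists so the preview matches what the page shows you typing.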
A classic use of CACLS is to set permissions on users' home directories. For those who like to provide file shares for their users, there is a need to control the ACL permissions. This gets tedious where there are numerous subdirectories, each with different permissions. The solution is a VBScript with the appropriate CACLS commands. As ever, you could always issue the equivalent instructions, complete with switches, from the command prompt.
CACLS has a versatile set of command-line switches, which allow you to automate setting folder permissions. Launch Explorer to check a folder's Security tab, decide on the changes, then run CACLS from a cmd window. I find it useful to break down the CACLS command into three parts: folder to change, edit or replace, permissions to grant. Example: cacls c:\home /t /g administrators:f
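Checking a folder's Security tab by hand does not scale to many home directories, and running cacls with just the folder name prints the ACL without changing it. The script below is an added example, not from the original page: it parses that listing and reports which accounts can modify the folder's contents, so the result of a scripted change can be checked afterwards. The sample listing is constructed in the shape cacls prints (the queried path on the first line, each further entry indented, inheritance flags in parentheses, and a "(special access:)" entry listing its rights on the following lines); the class and function names are my own.

```python
"""Parse the ACL listing printed by `cacls <folder>` and report who can write.

Added example, not code from the original page. SAMPLE_OUTPUT is constructed
in the shape cacls prints; on Windows you would feed it the real output of
subprocess.run(["cacls", folder], capture_output=True, text=True).stdout.
"""
import re
from dataclasses import dataclass, field

SAMPLE_FOLDER = r"C:\home\guyt"
SAMPLE_OUTPUT = r"""C:\home\guyt BUILTIN\Administrators:(OI)(CI)F
             NT AUTHORITY\SYSTEM:(OI)(CI)F
             DOMX\Domain Admins:(OI)(CI)C
             DOMX\guyt:(OI)(CI)R
             DOMX\temp:(OI)(CI)(DENY)F
             BUILTIN\Users:(OI)(CI)(IO)(special access:)
                           GENERIC_READ
                           GENERIC_EXECUTE
"""

# Permission letters that allow modifying files: Change, Write, Full control.
WRITE_LETTERS = {"C", "W", "F"}
# Rights inside a "(special access:)" entry that amount to write access.
WRITE_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER"}

_FLAG_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    account: str
    flags: list                 # e.g. ["OI", "CI", "DENY"] or ["special access:"]
    letter: str                 # N/R/W/C/F, or "" for a special-access entry
    rights: list = field(default_factory=list)  # rights lines of a special entry

    @property
    def deny(self):
        return "DENY" in self.flags

    @property
    def inherit_only(self):
        # (IO): the entry is inherited by children but does not apply to this folder.
        return "IO" in self.flags

    def grants_write(self):
        if self.deny:
            return False
        return self.letter in WRITE_LETTERS or bool(set(self.rights) & WRITE_RIGHTS)


def parse_cacls_output(text, folder):
    """Turn the cacls listing for `folder` into a list of Ace records."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The first line starts with the queried path; drop it to leave the entry.
        if line.lower().startswith(folder.lower() + " "):
            line = line[len(folder):].strip()
        account, sep, rest = line.partition(":(")
        if sep:
            rest = "(" + rest
            flags = _FLAG_RE.findall(rest)
            letter = _FLAG_RE.sub("", rest).strip().upper()
            aces.append(Ace(account.strip(), flags, letter))
        elif aces and aces[-1].letter == "":
            # Continuation line: one right of the preceding special-access entry.
            aces[-1].rights.append(line)
        else:
            raise ValueError(f"unrecognised cacls line: {raw!r}")
    return aces


def write_capable(aces):
    """Accounts whose entry lets them modify contents (deny entries excluded)."""
    return [a.account for a in aces if a.grants_write()]


def report(aces):
    """One readable line per entry: allow/deny, account, permission, scope."""
    lines = []
    for a in aces:
        kind = "DENY" if a.deny else "ALLOW"
        what = a.letter or "special(" + ",".join(a.rights) + ")"
        scope = "inherit-only" if a.inherit_only else "this folder and below"
        lines.append(f"{kind:5} {a.account:<28} {what:<10} {scope}")
    return lines


if __name__ == "__main__":
    entries = parse_cacls_output(SAMPLE_OUTPUT, SAMPLE_FOLDER)
    print("\n".join(report(entries)))
    print("can write:", ", ".join(write_capable(entries)))
```

The deny entry for DOMX\temp is excluded from the write list even though its letter is F, which is the detail that matters when /d has been used: a deny wins over any allow, so a report that only looked at letters would overstate who can write.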