Introduction to CACLS – Modify Discretionary Access Control Lists
CACLS is a command-line program for changing a folder’s permissions. It is my view that CACLS is made for scripting. But first a reminder of the manual, GUI method for adjusting a folder’s Access Control Lists (ACL). If you right-click a folder and select the Security tab then you can examine or even modify the permissions (ACL).
On this page I will answer the other questions that you may be asking about CACLS. For example, where does CACLS come from? How do you use the CACLS switches?
Topics for CACLS (Modify Discretionary Access Control Lists)
- Where does CACLS come from?
- When would you need CACLS?
- How do the CACLS Switches work?
- What is the full list of CACLS switches?
- Setting CACLS for Multiple Users
- Killer use of CACLS
- Summary of CACLS
You can trace the history ofCACLS right back to Windows NT 3.5. These days CACLS is built-in to Windows 2003, XP and similar modern operating systems. Just create a cmd prompt session and type: cacls.
When would you call for CACLS? If you had the job of modifying lots of folder permissions then the normal Explorer GUI would be tedious.
For example, you need to reset permissions on User’s home folders to:
username: full control
administrators: full control
users: no entries.
If you think it through, setting ‘Deny everyone’, or even ‘Deny users’, may not be smart, a bit like shooting yourself in the foot.
Here is a purely personal view of how to understand the CACLS syntax. Begin by dividing the CACLS command into three parts thus:
CACLS 1) folder name 2) replace, edit or revoke entries 3) grant user permission
Example: cacls c:\home /t /g guyt:F
1)cacls c:\home – this is the path to the folder whose permissions you wish to change.
2)/t – replace (with guyt’s permissions). Note, /t wipes out everyone else’s permissions. An alternative would be /e meaning edit or append permissions.
3)/g guyt:f – Think of /g as standing for Grant. In this instance, the command grants guyt full control. An alternative would be :r (read). Note the colon: incidentally, with cacls there isn’t a comma in sight.
I like thePermissions Analyzer because it enables me to see WHO has permissions to do WHAT at a glance. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, and takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free SolarWinds utility saves when you are troubleshooting authorization problems for user’s access to a resource. Give this permissions monitor a try – it’s free!
/t I think of the ‘t’ as meaning trash the original security permissions.
However, Roger R writes saying my view is a bit harsh, and you should think of /t as applying the permissions you are setting to the files and folder in the sub directory.
/e Think of the ‘e’ as CACLS inviting you to edit. Alternatively think of ‘e’ for append or correct one that went wrong.
/g This is the main switch, ‘g’ means grant; as in: grant me the permissions. This switch requires a user, followed by a colon and letter for the permission. Here are two examples:
/g guyt:f full control for guyt.
/g freddy:r read only for freddy.
/p Almost the same as /g. CACLS /p replaces where as /g appends.
/r Revokes, removes a named user from the Access Control List. Classic usage would be /r users.
/d ‘d’ stands for deny. Remember that if deny the users group the result is that nobody is able to see the files, so use /d sparingly.
/c ‘c’ is for continue. This switch works for CACLS like, ‘on error resume next’ works in VBScript. Adding /c says to CACLS, ‘Carry on despite an error’.
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
The purpose of this section is to examine how to incorporate CACLS in a VBScript, which sets multiple users. It took me 30 minutes to work out how to master this, when I finally cracked cacls syntax it was so simple. Let me begin with configuring cacls from the command line. Here is an example to set the permissions for three users, user1, user2 and admin6.
/g user1:f user2:r admin6:c. The pattern is one /g and then each user followed by a colon and the permission. My mistakes were multiple /g and multiple /t – wrong. Note again, no commas in sight.
If you have a problem then you could experiment with: domain\user instead of user1. Full example: /g domx\user:c
What gave me even more grief were groups with spaces "Domain Admin". You really need to pay attention to detail with names with spaces. Firstly, believe that CACLS can handle "Domain Admins", secondly pay attention to the speech marks.
From the command line it’s moderately tricky:
cacls /t /g "Domain Admins":c guyt:r
In a VBScript it seemed impossible, until I hit upon the double, double quotes. ""Domain Admins""
If objFSO.FolderExists(strHomeFolder) Then
‘ Assign user permission to home folder.
intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & strHomeFolder _
& " /t /g ""Domain Admins"":c guyt:r", 2, True)
If intRunError <> 0 Then
Wscript.Echo "Error assigning permissions for user " _
& strUser & " to home folder " & strHomeFolder
This script is meant for those experienced with VBScript. See here for an Example of VBScript and CACLS
See more on the useful Solarwinds Free Permissions Analyzer.
A classic use of CACLS is to set permissions on users’ home directory. For those who like to provide file shares for their users there is a need to control the ACL permissions. This gets tedious where there are numerous subdirectories, each with different permissions. The solution is a VBScript with the appropriate CACLS commands. As ever, you could always issue the equivalent instructions, complete with switches, from the command prompt.
CACLS has a versatile set of command-line switches, which allow you automate setting folder permissions. Launch Explorer to check a folder’s Security tab, decide on the changes, then run CACLS form a cmd window. I find it useful to break down the CALS command in to three parts:
Folder to change, edit or replace, permissions to grant:
Example: cacls c:\home /t /g administrators: f
If you like this page then please share it with your friends