How to Set File Permissions With the CACLS Commands

A VBScript CACLS Tutorial for Setting File Permissions

CACLS is a command-line program to make bulk changes to a folder’s permissions.  I would go so far as to say that it only makes sense to use CACLS in a VBScript.  Let us begin with a reminder of the manual, Windows Explorer method, for editing Access Control Lists (ACL).  If you right-click a folder and then select the Security tab you can examine and modify the NTFS permissions.

This page gives you examples of CACLS scripts; if you need a quick refresher on the switches, check out this CACLS Commands page.

Our Mission and Goal

Our mission is to create home directories for users, then assign permissions with CACLS commands.  The typical structure on a file server would be a shared folder called home, then each user has their own folder as a sub-directory under home.

If you create users' home folders with Active Directory Users and Computers, then you can invoke the %username% variable, which not only creates a folder named after the user, but also sets the permission to username full control.

The problem arises if you bulk create users with CSVDE or VBScript; in such cases I find that %username% does not work, so we need an alternative method to create the home folders and set the permissions – a job for CACLS.

As ever the secret of scripting is to build up in stages. 
Stage 1: Introduction to CACLS. Simple example to set folder permission to Administrators full control.
Stage 2: Create the users' (sub) folders.  Assumption: we have the usernames in a spreadsheet.
Stage 3: Set the permissions on each user’s folder to username: f and administrators: f.  (f= full control)

Stage 1: Introduction to CACLS Commands

The purpose of this script is to set a folder’s permissions to Administrators = full control.  No one else has any permissions. The folder is called ‘user’, the path is \\server\home\user.

What the script does is mimic right-clicking a folder called ‘user’ and then setting the Security tab so that the only entry is Administrators full control.  Compare the diagrams before (left) and after (right) running the VBscript.

Prerequisites

You must have a server with a shared folder.  This is a script that will execute equally well on a Windows server or an XP machine.  Should you get permission errors, I recommend that you log on as administrator.

Instructions for Creating your Cacls VBScript

  1. Copy and paste the example script below into notepad or a VBScript editor.
  2. Change the value for strHomeFolder, especially the server name.
  3. Save the file with a .vbs extension, for example: Cacls.vbs 
  4. Double click Cacls.vbs and check the permissions with Windows Explorer for strHomeFolder.

Sample Script to Set CACLS permissions

 

' Cacls.vbs
' Example VBScript to set Administrators permissions with Cacls
' Version 2.1 – September 2010
' ---------------------------------------------------------
Option Explicit
Dim strHomeFolder
Dim intRunError, objShell, objFSO

strHomeFolder = "\\grand\home\user"

Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strHomeFolder) Then
   ' Assign Administrators full control of the home folder.
   intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
   & strHomeFolder & " /t /c /g Administrators:F ", 2, True)
   If intRunError <> 0 Then
      ' Report the failure; Run returns the exit code of the command.
      Wscript.Echo "Error assigning permissions for Administrators" _
      & " to home folder " & strHomeFolder
   End If
End If

WScript.Quit

' End of Cacls example VBScript

VBScript Tutorial – Learning Points

Note 1:  The heart of the script is:
"cacls " & strHomeFolder & " /t /c /g Administrators:F "

strHomeFolder is the path of the folder whose permissions we want to change.
/t means trash the existing permissions.  Remove all permissions and add those specified by /g.
/g Administrators:F Sets the new permissions for only Administrators with full control.
(/c  Tells the script to continue if there is an error).

You could add an ACL permission for the user with /g Administrators:F user:F.  However, to keep it simple we just added one entry in the above script.

Note 2: The rest of the script is VBScript.  We need to create a file object, objFSO.

Note 3: Cacls normally runs at the cmd prompt; therefore, the script creates a shell object, objShell.  Run invokes %COMSPEC% rather than cmd.exe:
objShell.Run("%COMSPEC% /c Echo Y| cacls "

Note 4:  The cacls utility does not provide the /y option that answers automatically with Y for Yes to the ARE YOU SURE? Y/N prompt.  However, you can use the echo command to pipe the character Y as input to the prompt when you are running cacls in a batch file. Use the following syntax to automatically answer Y:

I thank Mathew D. for researching the above reason for the Cacls Echo Y switch.

Note 6: Finally, the script contains error-correcting code in case the folder does not exist.
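
Added example, not part of the original tutorial: the Note 1 variant that grants both Administrators and the user full control, with the account name validated and the path quoted before they are placed on the cmd.exe command line. The share \\grand\home and the account guyt are taken from the page; the allowed-character pattern is an assumed naming policy.

```vbscript
' HomeAcl.vbs - added example, not the original author's script.
' Grants Administrators and one user full control of that user's home folder.
Option Explicit
Dim objShell, objFSO, objRegEx
Dim strHomeRoot, strUser, strFolder, strCmd, intRunError

strHomeRoot = "\\grand\home"   ' share used by the page's script
strUser = "guyt"               ' account used in the page's switch example

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' The name is pasted into a cmd.exe command line, so accept only characters
' that cannot close the quotes or start another command (assumed policy).
Set objRegEx = New RegExp
objRegEx.Pattern = "^[A-Za-z0-9._-]{1,20}$"
If Not objRegEx.Test(strUser) Then
   WScript.Echo "Refusing unexpected account name: " & strUser
   WScript.Quit 1
End If

strFolder = strHomeRoot & "\" & strUser
If Not objFSO.FolderExists(strFolder) Then
   WScript.Echo "Folder not found: " & strFolder
   WScript.Quit 2
End If

' Quote the path so a folder name containing spaces stays one argument.
' No /e (edit) switch is given, so cacls replaces the existing ACL:
' every entry that should survive must be listed after /g.
strCmd = "%COMSPEC% /c Echo Y| cacls """ & strFolder & """ /t /c" _
   & " /g Administrators:F " & strUser & ":F"
intRunError = objShell.Run(strCmd, 2, True)
If intRunError <> 0 Then
   WScript.Echo "Error " & intRunError & " assigning permissions for user " _
   & strUser & " to home folder " & strFolder
   WScript.Quit intRunError
End If

' Read the ACL back so the result is checked rather than assumed.
' cacls with only a path argument lists the current entries.
WScript.Echo objShell.Exec("cacls """ & strFolder & """").StdOut.ReadAll
```

The final listing should show only the Administrators and guyt entries; any other entry means the grant did not apply as intended.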

 

How do the CACLS Switches work?

Here is a purely personal view of how to understand the CACLS syntax.  Begin by dividing the CACLS command into three parts thus:

CACLS  1) folder name   2) replace, edit or revoke entries   3) grant user permission

Example: cacls  c:\home   /t     /g guyt:F

1) cacls c:\home – this is the path to the folder whose permissions you wish to change.

2) /t – replace (with guyt’s permissions). Note, /t wipes out everyone else’s permissions.  An alternative would be /e meaning edit or append permissions.

3) /g guyt:f – Think of /g as standing for Grant.  In this instance, the command grants guyt full control.  An alternative would be :r (read). Note the colon: incidentally, with cacls there isn’t a comma in sight.

Summary of the CACLS Command

Cacls is a command-line utility, which manipulates folder and file permissions.  It is particularly suited to scripting; Cacls is ideal for bulk changes to folder permissions, for example users' home folders.  If you want a script which will actually create the users' home folders, see here.
