CACLS - CMD

Overview

The CACLS command in Windows CMD is used to display or modify Access Control Lists (ACLs) of files and directories. ACLs specify user or group permissions, such as read, write, or execute rights. CACLS is most effectively used for managing security settings via command line, and is useful in administrative scripts and during system setup or maintenance.

Syntax

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
  • filename: Specifies the file or directory.
  • /T: Changes ACLs of specified files in the current directory and all subdirectories.
  • /E: Edit ACL instead of replacing it.
  • /C: Continue changing ACLs, ignoring errors.
  • /G user:perm: Grant specified user access permissions.
  • /R user: Revoke specified user’s access permissions.
  • /P user:perm: Replace specified user’s access permissions.
  • /D user: Deny specified user access.

Options/Flags

  • /T – Traverse all subfolders to modify ACLs.
  • /E – Edit the ACLs, instead of completely overwriting them.
  • /C – Continue on error. Errors encountered while changing ACLs will be ignored.
  • /G user:perm – Grants specified permissions to a user. Permissions include:
    • R – Read
    • W – Write
    • C – Change (write)
    • F – Full control
  • /R user – Revokes all access rights from the specified user.
  • /P user:perm – Set new access rights for the specified user.
  • /D user – Explicitly deny access to a specified user.

Examples

  1. Display ACLs for a file: 
    CACLS myfile.txt
  2. Grant full control to a user: 
    CACLS myfile.txt /E /G john:F
  3. Revoke all permissions from a user: 
    CACLS myfile.txt /E /R john
  4. Modify ACLs recursively: 
    CACLS myfolder /T /E /G john:F
  5. Deny write access to a user: 
    CACLS myfile.txt /E /D mark

Common Issues

  • Permission Errors: Users might encounter issues if they lack the necessary permissions to modify ACLs. Running CMD as Administrator can resolve this.
  • Syntax Mistakes: Misuse of command syntax, such as forgetting the /E flag when editing ACLs, can lead to replacing ACLs instead of modifying them. Always review your command before executing.

Integration

CACLS can be integrated with other commands and scripts for automating file permission setups:

FOR /D %d IN (C:\Users\*) DO CACLS "%d\Documents" /T /E /G user:F

This loop grants full control overt the Documents folders of every user on the system.

  • XCACLS – This version provides more options and flexibility than standard CACLS.
  • ICACLS – A newer tool that is recommended over CACLS for handling ACLs.

Refer to the official Microsoft documentation for more detailed information on CACLS and related commands.