CACLS: This command-line tool displays or modifies Access Control Lists (ACLs) for files and folders.
The command line is a **text-based interface** that passes commands from the user to the OS.
The command-line interpreter (CLI) for Windows is CMD.EXE. You can also use PowerShell, which can automate many system administration tasks that are not possible in the Command Prompt. With the CLI, you communicate with your system by typing commands as text. The system responds to what you typed, and you can then proceed with the next command at the prompt that appears.
The Run command window helps you run programs and open files and folders. There are several ways to open the Run dialog box, which is useful for going straight to the program you want.
The keyboard shortcut is the most commonly used way to open the Run box, and it works in all versions of Windows. Press the **Windows + R** keys together to open the Run dialog box.
- You can also use the search box to open the Run command window.
- In the left corner of your desktop, you can see the search box near the Windows icon.
- In that box, type run; a **pop-up menu** appears, and in it select **Run**.
- After you select the Run app in the pop-up menu, the Run dialog box appears on your screen.
- By using one of these methods, you can open the *Run* command window.
This command displays or modifies Access Control Lists (ACLs) for files and folders. It is a Microsoft Windows command-line tool for displaying or changing the permissions on folders and files. An ACL (access control list) is a list of permissions for a file or folder that controls who can access it. You can use icacls for Vista.
ACLs apply only to files stored on an NTFS-formatted drive. When a new file is created, it usually inherits its ACLs from the folder where it was created.
CACLS pathname [options]
- /T – Search the pathname including all subfolders. (/TREE)
- /E – Edit ACL, leave existing rights unchanged. (/EDIT)
- /C – Continue on access denied errors. (/CONTINUE)
- /L – Work on the Symbolic Link itself versus the target. (/LINK)
- /M – Change ACLs of volumes mounted to a directory. (/MOUNT)
- /G user:permission – Grant access rights (/GRANT), permission can be:
  - R – Read
  - W – Write
  - C – Change (read/write)
  - F – Full control
- /R user – Revoke specified user’s access rights, only valid with /E. (/REVOKE)
- /P user:permission – Replace access rights (/REPLACE), permission can be:
  - R – Read
  - W – Write
  - C – Change (read/write)
  - F – Full control
  - N – None
- /D user – Deny access to user. (/DENY)
- /S – Display the SDDL string for the DACL. (/SSDL)
- /S:sddl – Replace the ACL(s) with those specified in the SDDL string (not valid with /E, /G, /R, /P, or /D).

(The long /aliases in brackets are undocumented.)
In all the options above, "user" can be a UserName or a group (either local or global).
You can also specify more than one user:permission in a single command.
Wildcards can be used to specify multiple files.
If a UserName or group name includes spaces, it must be surrounded with quotes, e.g., “Access Granted”.
If no options are specified, CACLS will display the ACLs for the file(s).
Setting a Deny permission (/D) denies access to a user even if they also belong to a group that grants access.
- Cacls cannot display or modify the ACL state of files locked in exclusive use.
- Cacls cannot set the following permissions: change permissions, take ownership, execute, delete. Use XCACLS to set any of these.
Using CACLS:
You can only supply the “Y” character (the answer to the confirmation prompt) to the CACLS command by piping it in using ECHO. To do so, use the following syntax:
ECHO Y| CACLS filename /g username:permission
- To edit a file, you must have the “Change” ACL.
- To use the CACLS command to modify an ACL, you need “Full Control”.
- File “Ownership” will always override all ACLs; you always have Full Control over files that you create.
- If CACLS is used without the /E switch, all existing rights on [pathname] will be replaced. Any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CACLS command will work without errors, use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
- The /T option will only traverse subfolders below the current directory.
If no options are specified, CACLS will display the current ACLs.
Code to display the current folder:
To display permissions for one file
To display permissions for multiple files:
Inherited folder permissions are shown as follows:
- OI – Object inherit: This folder and files (no inheritance to subfolders).
- CI – Container inherit: This folder and subfolders.
- IO – Inherit only: ACE does not apply to the current file/directory.
- ID – Inherited: ACE was inherited from the parent directory’s ACL.
These can be combined as follows:
- (OI)(CI) – This folder, subfolders, and files.
- (OI)(CI)(IO) – Subfolders and files only.
- (CI)(IO) – Subfolders only.
- (OI)(IO) – Files only.
So, for BUILTIN\Administrators:
- (OI)(CI)F signifies that both files and subdirectories will inherit “F”.
- (CI)R means directories will inherit “R”.
To change the inheritance of a folder/directory, use ICACLS /grant or ICACLS /deny.
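As an added example (not part of the original article), the Python sketch below parses the simple one-entry-per-line form of CACLS display output, decodes the inheritance flags and rights listed above, and picks out entries that give broad groups write-capable rights. The sample output, the `BROAD` group list and the function names are constructed for illustration, and multi-line "special access" entries are skipped.

```python
import re
# Scope of each inheritance-flag combination, as listed in the article.
SCOPE = {
    frozenset(): "this object only",
    frozenset({"OI"}): "this folder and files",
    frozenset({"CI"}): "this folder and subfolders",
    frozenset({"OI", "CI"}): "this folder, subfolders, and files",
    frozenset({"OI", "CI", "IO"}): "subfolders and files only",
    frozenset({"CI", "IO"}): "subfolders only",
    frozenset({"OI", "IO"}): "files only",
}
RIGHTS = {"R": "Read", "W": "Write", "C": "Change", "F": "Full control", "N": "None"}
# account:(flag)(flag)...right, e.g. BUILTIN\Administrators:(OI)(CI)F
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\((?:OI|CI|IO|ID)\))*)(?P<perm>[RWCFN])$")
# Assumption: principals treated as "broad" for this audit (hypothetical policy).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

def parse_cacls(path, output):
    """Parse `CACLS path` display output into a list of ACE dicts."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                          # blank or unsupported multi-line entry
            continue
        flags = set(re.findall(r"\((\w+)\)", m["flags"]))
        aces.append({
            "who": m["who"],
            "right": RIGHTS[m["perm"]],
            "scope": SCOPE.get(frozenset(flags - {"ID"}), "unknown"),
            "inherited": "ID" in flags,    # ACE came from the parent's ACL
        })
    return aces

def risky(aces):
    """ACEs giving a broad principal Write, Change or Full control."""
    return [a for a in aces if a["who"].lower() in BROAD
            and a["right"] in ("Write", "Change", "Full control")]

# Constructed sample output for a constructed folder (not from a real system).
SAMPLE = (
    "C:\\docs\\work BUILTIN\\Administrators:(OI)(CI)F\n"
    "             BUILTIN\\Users:(CI)R\n"
    "             Everyone:(OI)(CI)(IO)C\n"
    "             pc64\\localUser2:(ID)F\n"
)

print(risky(parse_cacls("C:\\docs\\work", SAMPLE)))
```

The path is passed in explicitly because both paths and account names may contain spaces, so the first output line cannot be split reliably on whitespace.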
- When you grant a second permission to the same user/group on the same folder, NTFS will sometimes produce the error message “The parameter is incorrect”.
- To fix this, remove the permission first with /e /r and then apply a fresh grant with /e /g.
- “No mapping between account names and security IDs was done.”
- This error shows that cacls looked up the given group or user name in Active Directory and didn’t find anything. Often this means that you need to prefix the name with a domain name, e.g. ss64dom\user64, or (for a local account) the name of the machine, e.g. pc64\localUser2. Also check the name for errors.
To add Read-Only permission to a single file:
CACLS myfile.txt /E /G "Power Users":R
To add Full Control permission to the second group of users:
CACLS myfile.txt /E /G "FinanceUsers":F
Now revoke the Read permissions from the first group:
CACLS myfile.txt /E /R "Power Users"
Now give the first group Full Control:
CACLS myfile.txt /E /G "Power Users":F
To give the Finance group Full Control of a folder and all subfolders:
CACLS c:\docs\work /E /T /C /G "FinanceUsers":F
On the whole, we have seen a detailed explanation of the CACLS.exe command-line tool, which displays or modifies Access Control Lists (ACLs) for files and folders. If you have any queries, let us know in the comment section.