Victor James

Originally published at windowscmd.com

CACLS

CACLS is a command-line tool that displays or modifies Access Control Lists (ACLs) for files and folders.

CMD Line

The command line is a text-based interface that passes commands from the user to the OS.

CLI: Command-Line Interpreter

The command-line interpreter (CLI) for Windows is CMD.EXE. You can also use PowerShell, which can automate many system administration tasks that are not possible in Command Prompt. With the CLI, you communicate with your system by typing commands as text. The system responds to what you typed, and you can then proceed with the next command line that shows up.

Ways to open the Run command Window

The Run command window helps you run programs and open files and folders. There are several ways to open the Run command dialog box, which takes you straight to the program you want.

Way 1: By using the Keyboard shortcut Key:

WINDOWS+R

The keyboard shortcut is the most commonly used way to open the Run command box, and it works in all versions of Windows. Press the Windows+R keys together to open the Run command dialog box.

Way 2: Using the search box:

  • You can also use the search box to open the Run command window.
  • The search box is in the left corner of your desktop, near the Windows icon.

  • Type run in that box; a pop-up menu appears, and in it select Run.

  • After you select the Run app in the pop-up menu, the Run dialog box appears on your screen.

  • By using one of these methods, you can open the Run command window.

What does the CACLS command do?

This Microsoft Windows command-line tool displays or modifies Access Control Lists (ACLs) for files and folders. An access control list (ACL) is a list of permissions that determines who can access a file or folder. On Vista, you can use icacls instead.

ACLs apply only to files stored on an NTFS-formatted drive. When a new file is created, it usually inherits its ACL from the folder where it was created.

Syntax:


 CACLS pathname [options]


Options that are available:

  • /T- Search the path name including all subfolders. (/TREE)
  • /E- Edit ACL, leave existing rights unchanged (/EDIT)
  • /C- Continue on access denied errors. (/CONTINUE)
  • /L- Work on the Symbolic Link itself versus the target (/LINK)
  • /M- Change ACLs of volumes mounted to a directory (/MOUNT)

  • /G user:permission

    • Grant access rights (/GRANT), permission can be:
    • R – Read
    • W – Write
    • C – Change (read/write)
    • F – Full control
  • /R user

    • Revoke specified user’s access rights, only valid with /E. (/REVOKE)
  • /P user:permission

    • Replace access rights (/REPLACE), permission can be:
    • R – Read
    • W – Write
    • C – Change (read/write)
    • F – Full control
    • N – None
  • /D user

    • Deny access to user. (/DENY)
  • /S

    • Display the SDDL string for the DACL. (/SSDL)
  • /S:sddl

    • Replace the ACL(s) with those specified in the SDDL string (not valid with /E, /G, /R, /P, or /D).

(The long /aliases in brackets are undocumented.)

  • In all the options above, user can be a UserName or a group (either local or global).

  • You can also specify more than one user:permission in a single command.

  • Wildcards can be used to specify multiple files.

  • If a UserName or Group name includes spaces then it must be surrounded with quotes, e.g., “Access Granted”

  • If no options are specified, CACLS will display the ACLs for the file(s)

  • Setting a Deny permission (/D) denies access to a user even if they also belong to a group that grants access.

Restrictions:

  • Cacls cannot display or modify the ACL state of files locked in exclusive use.
  • Cacls cannot set the following permissions: change permissions, take ownership, execute, delete. Use XCACLS to set any of these.

By using CACLS:

The “Y” answer to the CACLS confirmation prompt can only be supplied by piping it into the command with ECHO. To do so, use the following syntax.


ECHO Y| CACLS filename /g username:permission

  • If you want to edit a file, you must have the “Change” ACL.
  • To use the CACLS command to modify an ACL, you need “Full Control”.
  • File “Ownership” will always override all ACLs: you always have Full Control over files that you create.
  • If CACLS is used without the /E switch, all existing rights on [pathname] will be replaced. Any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CACLS command will work without errors, use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
  • The /T option will only traverse subfolders below the current directory.

If no options are specified, CACLS will display the current ACLs.

Codes:

To display permissions for the current folder:


CACLS .


To display permissions for one file


CACLS MyFile.txt


To display permissions for multiple files:


CACLS *.txt


Inherited folder permissions are shown as follows:

  • OI – Object inherit: This folder and files. (no inheritance to subfolders)
  • CI – Container inherit: This folder and subfolders.
  • IO – Inherit only: ACE does not apply to the current file/directory
  • ID – Inherited: ACE was inherited from the parent directory’s ACL.

These can be combined as follows:

  • (OI)(CI)– This folder, subfolders, and files.
  • (OI)(CI)(IO)– Subfolders and files only.
  • (CI)(IO)– Subfolders only.
  • (OI)(IO)– Files only.

So, for example:

  • BUILTIN\Administrators:(OI)(CI)F signifies that both files and subdirectories will inherit “F”.
  • (CI)R means directories will inherit “R”.

To change the inheritance of a folder/directory, use icacls /grant or icacls /deny.
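The flag notation above can be decoded mechanically when reviewing permissions. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it parses CACLS display output into trustee, right and inheritance scope, and lists broad trustees that hold Change or Full control. It assumes the `trustee:(flags)right` layout with the path prefixed to the first line; the `BROAD` set and the sample output are constructed for illustration.

```python
import re

# Scope of each flag combination listed above; the empty set (no flags) is added.
SCOPE = {
    frozenset(): "this folder only",
    frozenset({"OI"}): "this folder and files",
    frozenset({"CI"}): "this folder and subfolders",
    frozenset({"OI", "CI"}): "this folder, subfolders, and files",
    frozenset({"OI", "CI", "IO"}): "subfolders and files only",
    frozenset({"CI", "IO"}): "subfolders only",
    frozenset({"OI", "IO"}): "files only",
}
RIGHTS = {"R": "Read", "W": "Write", "C": "Change", "F": "Full control", "N": "None"}
# Assumption for this example: trustees treated as "broad" during review.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
ACE_RE = re.compile(
    r"^(?P<trustee>.+?):(?P<flags>(?:\((?:OI|CI|IO|ID)\))*)(?P<right>[RWCFN])$")

def parse_cacls(output, path):
    """Return (aces, unparsed) from CACLS display output for `path`."""
    aces, unparsed = [], []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line carries the path
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        flags = set(re.findall(r"\((\w+)\)", m["flags"]))
        aces.append({
            "trustee": m["trustee"], "right": RIGHTS[m["right"]],
            "inherited": "ID" in flags,
            "scope": SCOPE.get(frozenset(flags - {"ID"}), "unknown"),
        })
    return aces, unparsed

def broad_write_access(aces):
    """ACEs that give a BROAD trustee Change or Full control."""
    return [a for a in aces if a["trustee"].lower() in BROAD
            and a["right"] in ("Change", "Full control")]

# Constructed sample output, not captured from a real system.
SAMPLE = r"""C:\docs\work BUILTIN\Administrators:(OI)(CI)F
             NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
             FinanceUsers:(CI)R
             Everyone:(OI)(CI)(IO)C"""
```

Calling `parse_cacls(SAMPLE, r"C:\docs\work")` and passing the resulting ACE list to `broad_write_access` returns the `Everyone` entry, whose Change right applies to subfolders and files only.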

Errors that occur when changing permissions:

  • When you grant a second permission to the same user/group on the same folder, NTFS will sometimes produce the error message “The parameter is incorrect”.
    • To fix this, remove the permission first with /e /r and then apply a fresh grant with /e /g.
  • “No mapping between account names and security IDs was done.”
    • This error shows that cacls looked up the given group or username in Active Directory and didn’t find anything. Often this means that you need to prefix the name with a domain name, e.g. ss64dom\user64, or (for a local account) the name of the machine, e.g. pc64\localUser2. Also check for errors.

Examples:

To add Read-Only permission to a single file


CACLS myfile.txt /E /G "Power Users":R


To add Full Control permission for a second group of users


CACLS myfile.txt /E /G "FinanceUsers":F


Now revoke the Read permissions from the first group


CACLS myfile.txt /E /R "Power Users"


Now give the first group Full-control


CACLS myfile.txt /E /G "Power Users":F


To give the Finance group Full Control of a folder and all subfolders


CACLS c:\docs\work /E /T /C /G "FinanceUsers":F


Verdict:

On the whole, we have seen a detailed explanation of the CACLS.exe command-line tool, which displays or modifies Access Control Lists (ACLs) for files and folders. If you have any queries, let us know in the comment section.
