Undocumented CACLS: Group Permissions Capabilities

 Last reviewed: August 4, 1997
Article ID: Q162786
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

CACLS is a Windows NT command-line utility that is used to display or modify file or directory access control lists (ACLs). The online help files for CACLS do not mention that CACLS will add, modify, or delete group permissions, as well as user permissions, from NTFS ACLs.

CACLS can be used to modify the ACLs on files or directories. This ability is often useful for adding or deleting a user or group permission without modifying other existing permissions. The GUI in File Manager or Windows NT Explorer is currently limited to replacing the ACLs.

CACLS can also be used to change permissions for groups with names containing a space: when specifying such a group, it is necessary to delimit the name of the group with double quotes (for example, "group name").

CACLS cannot be used to create "special" permissions. It is currently limited to the permissions No Access, Read, Change, and Full Control.

The "None" permission and the "Deny" parameter in CACLS are equivalent to "No Access" in the GUI. The "Revoke" parameter deletes an explicit permission but does not prevent the use of permissions that a user might have through membership in other groups.

For additional information on automation using CACLS, please see the following article in the Microsoft Knowledge Base: 

   ARTICLE-ID: Q135268
   TITLE     : How to Use CACLS.EXE in a Batch File

Examples

Follow these steps to change the ACLs of all files and directories on drive C to allow full control for the Administrators local group:

  1. Open a command prompt.

  2. Type: 

          cacls c:\ /t /e /g Administrators:f

Follow these steps to change the ACLs of all files in the C:\Temp directory (but not its subdirectories), to add the read permission for the Domain Users global group and the Users local group, and to remove any explicit permissions for the Everyone group:

  1. Open a command prompt.

  2. Type: 

          cacls c:\temp\*.* /e /g "Domain Users":r Users:r /r Everyone

MORE INFORMATION

CACLS: Displays or modifies access control lists (ACLs) of files or directories.

Usage:

cacls filename [/t] [/e] [/c] [/g user|group:perm] [/r user|group [...]] 

               [/p user|group:perm [...]] [/d user|group [...]]
Parameters:

filename Displays ACLs of specified directory, file or files. 

   /t Changes ACLs of specified files in the current directory and all
      subdirectories.

   /e Edit ACL instead of replacing it.

   /c Continue changing ACLs, ignoring errors.

   /g user|group:perm Grant specified user or group access permissions.
      perm can be:

      r Read
      c Change (write)
      f Full control

   /r user Revoke specified user's or group's access permissions.

   /p user|group:perm Replace specified user's or group's access
      permissions. perm can be:

      n None
      r Read
      c Change (write)
      f Full control

   /d user|group Deny specified user access.
You can specify more than one file, user, or group in a command. Wildcard characters in file and directory names are supported.

Group names containing a space need to be contained in double quotes, for example "group name".

Additional query words: security
Keywords : ntsecurity NTSrvWkst ntutil kbtool
Version : WinNT:3.5,3.51,4.0
Platform : winnt
Hardware : x86
Issue type : kbhowto

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: August 4, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.