CACLS is a command-line program for changing a folder’s permissions. It is my view that CACLS is made for scripting. But first a reminder of the manual, GUI method for adjusting a folder’s Access Control Lists (ACL). If you right click a folder and select the Security tab then you can examine or even modify the permissions (ACL).
On this page I will answer the other questions that you may be asking about CACLS. For example, where does CACLS come from? How do you use the CACLS switches?
Topics for CACLS (Modify Discretionary Access Control Lists)
- Where does CACLS come from?
- When would you need CACLS?
- How do the CACLS Switches work?
- What is the full list of CACLS switches?
- Setting CACLS for Multiple Users
- Killer use of CACLS
- Summary of CACLS
You can trace the history of CACLS right back to Windows NT 3.5. These days CACLS is built-in to Windows 2003, XP and similar modern operating systems. Just create a cmd prompt session and type: cacls.
When would you need CACLS?
When would you call for CACLS? If you had the job of modifying lots of folder permissions then the normal Explorer GUI would be tedious.
For example, you need to reset permissions on User’s home folders to:
username: full control
administrators: full control
users: no entries.
If you think it through, setting ‘Deny everyone’, or even ‘Deny users’, may not be smart, a bit like shooting yourself in the foot.
How do the CACLS Switches work?
Here is a purely personal view of how to understand the CACLS syntax. Begin by dividing the CACLS command into three parts thus:
CACLS 1) folder name 2) replace, edit or revoke entries 3) grant user permission
Example: cacls c:\home /t /g guyt:F
1) cacls c:\home – this is the path to the folder whose permissions you wish to change.
2) /t – replace (with guyt’s permissions). Note, /t wipes out everyone else’s permissions. An alternative would be /e meaning edit or append permissions.
3) /g guyt:f – Think of /g as standing for Grant. In this instance, the command grants guyt full control. An alternative would be :r (read). Note the colon: incidentally, with cacls there isn’t a comma in sight.
What is the full list of CACLS switches?
/t Think of the ‘t’ as meaning trash the original security permissions.
/e Think of the ‘e’ as CACLS inviting you to edit. Alternatively think of ‘e’ for append or correct one that went wrong.
/g This is the main switch, ‘g’ means grant; as in: grant me the permissions. This switch requires a user, followed by a colon and letter for the permission. Here are two examples:
/g guyt:f full control for guyt.
/g freddy:r read only for freddy.
/p Almost the same as /g. CACLS /p replaces where as /g appends.
/r Revokes, removes a named user from the Access Control List. Classic usage would be /r users.
/d ‘d’ stands for deny. Remember that if deny the users group the result is that nobody is able to see the files, so use /d sparingly.
/c ‘c’ is for continued. This switch works for CACLS like, ‘on error resume next’ works in VBScript. Adding /c says to CACLS, ‘Carry on despite an error’.
