how to use CACLS command
Display or modify Access Control Lists (ACLs) for files and folders. For Vista and greater use icacls.
Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.
Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.
Syntax
CACLS pathname [options]
Options:
/T Search the pathname including all subfolders.
/E Edit ACL (leave existing rights unchanged)
/C Continue on access denied errors.
/G user:permission
Grant access rights, permision can be:
R Read
W Write
C Change (read/write)
F Full control
N None
/R user
Revoke specified user's access rights (only valid with /E).
/P user:permission
Replace access rights, permission can be:
R Read
W Write
C Change (read/write)
F Full control
N None
/D user
Deny access to user.
/s:sddl
Replace the ACL(s) with those specified in the SDDL string •
(not valid with /e, /g, /r, /p, or /d).
In all the options above "user" can be a UserName or a group (either local or global)
• = Windows 7/2008 or above
You can specify more than one user:permission in a single command. Wildcards can be used to specify multiple files.
You can specify more than one user:permission in a single command. Wildcards can be used to specify multiple files.
If a UserName or WGname includes spaces then it must be surrounded with quotes e.g. "Authenticated Users"
If no options are specified CACLS will display the ACLs for the file(s)
If no options are specified CACLS will display the ACLs for the file(s)
Setting Deny permission (/D) will deny access to a user even if they also belong to a group that grants access.
Limitations
Cacls cannot display or modify the ACL state of files locked in exclusive use.
Cacls cannot set the following permissions: change permissions, take ownership, execute, delete use XCACLSto set any of these.
Using CACLS
Using CACLS
- The CACLS command does not provide a /Y switch to automatically answer 'Y' to the Y/N prompt. However, you can pipe the 'Y' character into the CACLS command using ECHO, use the following syntax:
ECHO Y| CACLS filename /g username:permission - To edit a file you must have the "Change" ACL (or be the file's owner)
- To use the CACLS command and change an ACL requires "FULL Control"
- File "Ownership" will always override all ACL's - you always have Full Control over files that you create.
- If CACLS is used without the /E switch all existing rights on [pathname] will be replaced, any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CALCS command will work without errors use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
- The /T option will only traverse subfolders below the current directory
If no options are specified CACLS will display the current ACLs
e.g. To display the current folder
CACLS .
Display permissions for one file
CACLS MyFile.txt
Display permissions for multiple files
CACLS *.txt
Inherited folder permissions are displayed as:
e.g. To display the current folder
CACLS .
Display permissions for one file
CACLS MyFile.txt
Display permissions for multiple files
CACLS *.txt
Inherited folder permissions are displayed as:
OI - Object inherit - This folder and files. (no inheritance to subfolders)
CI - Container inherit - This folder and subfolders.
IO - Inherit only - The ACE does not apply to the current file/directory
These can be combined as folllows:
(OI)(CI) This folder, subfolders, and files.
(OI)(CI)(IO) Subfolders and files only.
(CI)(IO) Subfolders only.
(OI) (IO) Files only.
So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Fullcontrol)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)
To actually change the inheritance of a folder/directory use iCACLS /grant or iCACLs /deny
When cacls is applied to the current folder only there is no inheritance and so no output.
Errors when changing permissions
If a user or group has a permission on a file or folder and you grant a second permission to the same user/group on the same folder, NTFS will sometimes produce the error message "The parameter is incorrect" To fix this (or prevent it happening) revoke the permission first /e /r and then apply a fresh grant /e /g
No mapping between account names and security IDs was done
This error indicates that cacls looked up the group or username given in Active Directory and didn't find anything, often this means that you need to prefix the name with a domain name ss64dom\user64 or (for a local account) the name of the machinepc64\localUser2 also check for simple typos.
This error indicates that cacls looked up the group or username given in Active Directory and didn't find anything, often this means that you need to prefix the name with a domain name ss64dom\user64 or (for a local account) the name of the machinepc64\localUser2 also check for simple typos.
Examples:
Add Read-Only permission to a single file
CACLS myfile.txt /E /G "Power Users":R
Add Read-Only permission to a single file
CACLS myfile.txt /E /G "Power Users":R
Add Full Control permission to a second group of users
CACLS myfile.txt /E /G "FinanceUsers":F
CACLS myfile.txt /E /G "FinanceUsers":F
Now revoke the Read permissions from the first group
CACLS myfile.txt /E /R "Power Users"
Now give the first group Full-control:
CACLS myfile.txt /E /G "Power Users":F
CACLS myfile.txt /E /R "Power Users"
Now give the first group Full-control:
CACLS myfile.txt /E /G "Power Users":F
Give the Finance group Full Control of a folder and all sub folders
CACLS c:\docs\work /E /T /C /G "FinanceUsers":F
“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper
CACLS c:\docs\work /E /T /C /G "FinanceUsers":F
“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper
Comments
Post a Comment