You are currently offline, waiting for your internet to reconnect

Undocumented CACLS: Group Permissions Capabilities

This article was previously published under Q162786
This article has been archived. It is offered "as is" and will no longer be updated.
CACLS is a Windows NT command-line utility that is used to display ormodify file or directory access control lists (ACLs). The online help filesfor CACLS do not mention that CACLS will add, modify, or delete grouppermissions, as well as user permissions, from NTFS ACLs.

CACLS can be used to modify the ACLs on files or directories. This abilityis often useful for adding or deleting a user or group permission withoutmodifying other existing permissions. The GUI in File Manager or Windows NTExplorer is currently limited to replacing the ACLs.

CACLS can also be used to change permissions for groups with namescontaining a space: when specifying such a group, it is necessary todelimit the name of the group with double quotes (for example, "groupname").

CACLS cannot be used to create "special" permissions. It is currentlylimited to the permissions No Access, Read, Change, and Full Control.

The "None" permission and the "Deny" parameter in CACLS are equivalent to"No Access" in the GUI. The "Revoke" parameter deletes an explicitpermission but does not prevent the use of permissions that a user mighthave through membership in other groups.

For additional information on automation using CACLS, please see thefollowing article in the Microsoft Knowledge Base:
ARTICLE-ID: 135268
TITLE : How to Use CACLS.EXE in a Batch File


Follow these steps to change the ACLs of all files and directories on driveC to allow full control for the Administrators local group:
  1. Open a command prompt.
  2. Type:

    cacls c:\ /t /e /g Administrators:f
Follow these steps to change the ACLs of all files in the C:\Temp directory(but not its subdirectories), to add the read permission for the DomainUsers global group and the Users local group, and to remove any explicitpermissions for the Everyone group:
  1. Open a command prompt.
  2. Type:

    cacls c:\temp\*.* /e /g "Domain Users":r Users:r /r Everyone
CACLS: Displays or modifies access control lists (ACLs) of files ordirectories.

cacls filename [/t] [/e] [/c] [/g user|group:perm] [/r user|group [...]]               [/p user|group:perm [...]] [/d user|group [...]]				

filename Displays ACLs of specified directory, file or files.   /t Changes ACLs of specified files in the current directory and all      subdirectories.   /e Edit ACL instead of replacing it.   /c Continue changing ACLs, ignoring errors.   /g user|group:perm Grant specified user or group access permissions.      perm can be:      r Read      c Change (write)      f Full control   /r user Revoke specified user's or group's access permissions.   /p user|group:perm Replace specified user's or group's access      permissions. perm can be:      n None      r Read      c Change (write)      f Full control   /d user|group Deny specified user access.				

You can specify more than one file, user, or group in a command. Wildcardcharacters in file and directory names are supported.

Group names containing a space need to be contained in double quotes, forexample "group name".

Article ID: 162786 - Last Review: 12/04/2015 16:15:16 - Revision: 2.1

Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition

  • kbnosurvey kbarchive kbhowto KB162786