CACLS

Deprecated command : use ICACLSICACLS instead.

(from Change Access Control Lists)

Displays or edits file access control lists (ACLs).

CACLS filename [/T] [/M] [/L] [/S[:sddl]] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

Where:

• filename - Name of the file to show or edit ACLs for.
• /T - Changes the ACLs of the specified files in the current directory and all its subdirectories.
• /M - Edits the ACLs of volumes mounted on a directory.
• /L - Processes the symbolic link's ACL instead of the target's.
• /S[:sddl] - Replaces the ACLs with those specified in the sddl string (not valid with /E, /G, /R, /P, or /D). If no string is specified, displays the SDDL string for the DACL (discretionary access control list).
• /E - Edit ACL instead of replacing it.
• /C - Continues ignoring access denied errors.
• /G user:perm - Assigns the access rights of the specified user. perm must be replaced by:
  • R - Read;
  • W - Write;
  • C - Modify (write);
  • F - Complete control.
• /R user - Revokes the access rights of the specified user (valid only with /E).
• /P user:perm - Replaces the access rights of the specified user. perm must be replaced by:
  • N - No right;
  • R - Read;
  • W - Write;
  • C - Modify (write);
  • F - Complete control.
• /D user - Denies access to the specified user.

Examples:

1. Deny access to file C:\Silly things.doc to user Mark White:

cacls "C:\Silly things.doc" /d Mark White

 

2. Revoke access rights to the C:\Program Files\sgs.exe file from the user uwbueg:

cacls "C:\Programmi\sgs.exe" /r uwbueg

 

3. Display ACLs for file C:\Duck.flac:

cacls "C:\Duck.flac"

 

4. Display the SDDL string for the command prompt DACL:

cacls C:\WINDOWS\system32\cmd.exe /s

 

Further information:

You can quickly find your username from the USERNAME environment variable (see ECHOECHO):

echo %username%