CACLS and XCACLS
CACLS is a command-line utility for setting file permissions. CACLS is built into Windows NT. XCACLS is a similar, more powerful utility that ships with the Windows NT Resource Kit. XCACLS lets you set permissions at the same granular level of control that you have with the GUI.
CACLS Syntax
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
XCACLS Syntax
XCACLS filename [/T] [/E] [/C] [/G user:perm;spec] [/R user [...]]
                [/P user:perm;spec [...]] [/D user [...]] [/Y]
   filename           Displays ACLs.
   /T                 Changes ACLs of specified files in the current directory
                      and all subdirectories.
   /E                 Edit ACL instead of replacing it.
   /C                 Continue on access denied errors.
   /G user:perm;spec  Grant specified user access rights.
                      Perm can be: R  Read
                                   C  Change (write)
                                   F  Full control
                                   P  Change Permissions (Special access)
                                   O  Take Ownership (Special access)
                                   X  EXecute (Special access)
                                   E  REad (Special access)
                                   W  Write (Special access)
                                   D  Delete (Special access)
                      Spec can be the same as perm and will only be applied to a
                      directory. In this case, Perm will be used for file inheritence
                      in this directory. If not omitted: Spec=Perm. Special values
                      for Spec only:
                                   T  NoT Specified (for file inherit, only for dirs valid)
                                      At least one access right has to follow!
                                      Entries between ';' and T will be ignored!
   /R user            Revoke specified user's access rights.
   /P user:perm;spec  Replace specified user's access rights.
                      for access right specification see /G option
   /D user            Deny specified user access.
   /Y                 Replace user's rights without verify
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
You can combine access rights.
A sample CACLS script to lock down the filesystem permissions on new servers:
cacls c:\ /g administrators:f system:f users:r
cacls c:\*.* /t /c /g administrators:f system:f users:r
cacls c:\temp /e /p users:c
xcacls c:\winnt /e /t /g users:ex;ewx "creator owner":c
xcacls c:\winnt\repair /e /r users "creator owner"
xcacls c:\winnt\system32 /e /g users:ex;ewx "creator owner":c
xcacls c:\winnt\system32\spool /e /g "creator owner":f
xcacls c:\winnt\cookies /e /g users:c
xcacls c:\winnt\forms /e /g users:c
xcacls c:\winnt\history /e /g users:c
xcacls c:\winnt\occache /e /g users:c
xcacls "c:\winnt\temporary internet files" /e /g users:c
xcacls "c:\program files\microsoft office\office" /e /g users:ewxd;ewx
xcacls "c:\program files\microsoft office\templates" /e /g users:ewxd;ewx
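An added example, not part of the original page: a small Python reviewer that parses commands written in the CACLS/XCACLS syntax above and notes which ones replace an ACL outright (no /E), recurse (/T), or give write-class rights to a broad group. The WRITE_CLASS and WATCHED sets are this example's own review policy (assumptions), not something CACLS defines.

```python
import re

# Lines taken from the sample lockdown script on this page.
SCRIPT = r'''cacls c:\ /g administrators:f system:f users:r
cacls c:\*.* /t /c /g administrators:f system:f users:r
cacls c:\temp /e /p users:c
xcacls c:\winnt /e /t /g users:ex;ewx "creator owner":c
xcacls c:\winnt\repair /e /r users "creator owner"'''
WRITE_CLASS = set("CFWDPO")      # assumption: rights this review treats as write-class
WATCHED = {"users", "everyone"}  # assumption: broad groups worth a second look

def tokenize(line):
    # Keep "quoted names" attached to their :perm suffix, then drop the quotes.
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', line)]

def parse(line):
    """Turn one CACLS/XCACLS command line into a dict describing its effect."""
    tool, target, *rest = tokenize(line)
    cmd = {"tool": tool.lower(), "target": target, "edit": False, "recurse": False,
           "grant": {}, "replace": {}, "revoke": [], "deny": []}
    current = None
    for tok in rest:
        if tok.startswith("/"):
            sw = tok[1:].upper()
            cmd["edit"] |= sw == "E"
            cmd["recurse"] |= sw == "T"
            current = {"G": "grant", "P": "replace", "R": "revoke", "D": "deny"}.get(sw)
        elif current in ("grant", "replace"):
            user, _, perm = tok.rpartition(":")
            cmd[current][user.lower()] = perm.upper()   # e.g. users -> EX;EWX
        elif current:
            cmd[current].append(tok.lower())
    return cmd

def audit(line):
    """List review notes for one command, from the switch meanings given above."""
    cmd, notes = parse(line), []
    if not cmd["edit"]:
        notes.append("no /E: existing ACL is replaced, not edited")
    if cmd["recurse"]:
        notes.append("/T: also changes files in all subdirectories")
    for user, perm in {**cmd["grant"], **cmd["replace"]}.items():
        if user in WATCHED and WRITE_CLASS & set(perm):
            notes.append(f"{user} receives write-class rights ({perm})")
    return notes

if __name__ == "__main__":
    for line in SCRIPT.splitlines():
        print(line, *audit(line), sep="\n    ")
```

Run it over a lockdown script before applying the script to a server; each note is a prompt to confirm that the replace, recursion or grant is intended.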
Website Design and Development by Gregg Branham
Last changed on Wednesday, April 21, 1999.