Cacls: Displays and Modifies NTFS Access Control Lists

You can use Cacls to display or modify access control lists (ACLs) of files or folders. Table 3.14 follows the command format and describes the command options. The format of the command is:

CACLS filename  |  folder [ /t ] [ /e ] [ /c ] [ /guser:perm ] [ /ruser [...]]

[ /puser:perm [...]] [ /duser [...]]

Table   3.14 Cacls Options



file name or folder name

Displays ACLs.


Changes ACLs of specified files in the current folder and all subfolders.


Edits an ACL instead of replacing it.


Continues on access-denied errors.

/g user : perm

Grants a specified user access rights, where perm can be: R (Read) C (Change (write)) F (Full Control)

/r user

Revokes a specified user's access rights (only valid with /e ).

/p user : perm

Replaces a specified user's access rights, where perm can be: N (None) R (Read) C (Change (write)) F (Full Control)

/d user

Denies access to a specified user.

Wildcard characters can be used to specify more than one file in a command. You can also specify more than one user in a command.

If you already have permissions set for multiple users on a folder or file and do not use the /e option, all user permissions are removed except for the user and permissions specified on the command line. Use the following syntax when modifying user permissions to include read, change, and full control:

cacls filename  |  folder/e /rusername

cacls filename  |  folder/e /gusername:permission

cacls filename  |  folder/e /pusername:permission

The Cacls tool does not provide a /y option that answers automatically with Y to the ARE YOU SURE? Y/N prompt. However, you can use the echo command to pipe the character Y as input to the prompt when you are running Cacls in a batch file. Use the following syntax to automatically answer Y :

echo y|   caclsfilename  |  folder/gusername:permission



Do not enter a space between the Y and the pipe symbol ( | ). If you do, Cacls will not make the permission change.