
cacls

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Benizi (talk | contribs) at 15:56, 20 July 2008 (icacls syntax and switches: typo: for -> form). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

cacls (Change Access Control Lists) is a command in Microsoft Windows to change Access Control List (ACL) permissions on a directory, its subcontents, or files. An access control list is a list of permissions for a file or directory that controls who can access it.

Command Line

cacls FileName [/t] [/e] [/c] [/g User:permission] [/r User [...]] [/p User:permission [...]] [/d User [...]]

/t : Changes DACLs of specified files in the current directory and all subdirectories.

/e : Edits a DACL instead of replacing it.

/c : Continues to change DACLs, ignoring errors.

/g User:permission : Grants access rights to the specified user.

/r User : Revokes access rights for the specified user.

/p User:permission : Replaces access rights for the specified user.

/d User : Denies access for the specified user.

/? : Displays help at the command prompt.

Criticism

The cacls utility is considered an underpowered editor of permissions in Windows 2000 and later, lacking the ability to edit many of the specific settings available, such as inherited ACEs. Microsoft has responded with newer utilities such as xcacls.exe, xcacls.vbs, fileacl and icacls (Windows Vista), all of which offer improvements but are still considered underpowered and, in some cases, potentially disruptive. Others[who?] have produced their own command-line and scriptable permissions editors.

The documentation of a third-party free open-source replacement for cacls hosted on SourceForge, known as SetACL, suggests that cacls was invented for Windows NT 4.0 and is not suitable for use in Windows 2000 or later [1]. Specifically, it notes that ACL inheritance was added in Windows 2000, but that neither the cacls utility nor the xcacls utility later released by Microsoft was properly updated to support it. The document expresses the opinion that Microsoft should have removed the utility from Windows 2000 rather than leave it in, only to have unwitting users internally disrupt a volume's security descriptors (by incorrectly ordering ACEs) in a way that is difficult to detect or recover from.

This project's documentation explains that using the built-in cacls to apply permissions to a tree of folders creates a copy of the ACL for every single file and folder and applies it individually. This was correct under Windows NT 4.0, but it is disruptive in Windows 2000 and later, where the expected behavior is to create a single ACL marked as "inheritable" so that future changes propagate automatically.
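To make the difference concrete, here is an added toy model in Python (not code from the article or from SetACL, and not a real ACL API) of the two behaviours just described: an explicit ACE copied onto every object versus a single inheritable ACE on the root, followed by a later change at the root. The folder paths and the "Users" principal are constructed for the illustration.

```python
"""Toy model of the cacls behaviour the SetACL documentation criticises.

Added example, not code from the article or from SetACL: a folder tree is a
dict of path -> list of ACEs. cacls-style application copies an explicit ACE
onto every object; Windows 2000 style stores one inheritable ACE on the root
and derives inherited copies. Inheritance is simplified (no (IO)/(NP)).
"""
from collections import namedtuple

Ace = namedtuple("Ace", "sid rights inherited")

def below(tree, root):
    return [p for p in tree if p.startswith(root + "\\")]

def propagate(tree, root):
    """Recompute inherited ACEs under root from root's explicit (non-inherited) ACEs."""
    for path in below(tree, root):
        tree[path] = [a for a in tree[path] if not a.inherited] + [
            a._replace(inherited=True) for a in tree[root] if not a.inherited]

def apply_per_object(tree, root, sid, rights):
    """cacls-era behaviour: a separate explicit copy of the ACE on every object."""
    for path in [root] + below(tree, root):
        tree[path].append(Ace(sid, rights, inherited=False))

def apply_inheritable(tree, root, sid, rights):
    """Windows 2000+ behaviour: one explicit ACE on the root, inherited copies below."""
    tree[root].append(Ace(sid, rights, inherited=False))
    propagate(tree, root)

def change_root(tree, root, sid, rights):
    """Later change at the root only: replace sid's explicit entry and re-propagate."""
    tree[root] = [a for a in tree[root] if a.sid != sid or a.inherited] + [Ace(sid, rights, False)]
    propagate(tree, root)

def stale_objects(tree, root, sid):
    """Objects whose rights for sid no longer match the root's: the drift cacls leaves behind."""
    wanted = {a.rights for a in tree[root] if a.sid == sid}
    return [p for p in below(tree, root)
            if {a.rights for a in tree[p] if a.sid == sid} != wanted]

def demo(per_object):
    """Constructed tree; returns the stale objects after Users is changed from M to R."""
    root = "C:\\Share"
    tree = {p: [] for p in (root, root + "\\a.txt", root + "\\sub", root + "\\sub\\b.txt")}
    (apply_per_object if per_object else apply_inheritable)(tree, root, "Users", "M")
    change_root(tree, root, "Users", "R")
    return stale_objects(tree, root, sid="Users")
```

With per-object copies every child still carries the old explicit M entry next to the new inherited R entry, so `demo(True)` lists all three children, while `demo(False)` returns an empty list.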

ICACLS

Windows Server 2003 Service Pack 2, Windows Vista and Windows Server 2008 include icacls, an updated partial replacement for cacls. icacls is designed not only to display and modify ACLs, but also to back up and restore discretionary ACLs for files and directories. However, it is not a complete replacement for cacls; for example, it cannot be used to hand-code a Security Descriptor Definition Language (SDDL) string.

The icacls command-line utility is also able to show and set the mandatory labels of an object for interaction with Windows Integrity Control (WIC), which is most noticeable in Internet Explorer Protected Mode. Protected Mode automatically assigns Low integrity to objects from the Internet to protect the operating system from malicious web content in the browser.

icacls syntax and switches

icacls has a comprehensive set of switches.

icacls name /save aclfile [/T] [/C] [/L] [/Q] : stores the ACLs for all matching names into aclfile for later use with /restore.

icacls directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q] : applies the stored ACLs to files in directory.

icacls name /setowner user [/T] [/C] [/L] [/Q] : changes the owner of all matching names.

icacls name /findsid Sid [/T] [/C] [/L] [/Q] : finds all matching names that contain an ACL explicitly mentioning Sid.

icacls name /verify [/T] [/C] [/L] [/Q] : finds all files whose ACL is not in canonical form or whose lengths are inconsistent with their access control entry (ACE) counts.

icacls name /reset [/T] [/C] [/L] [/Q] : replaces ACLs with default inherited ACLs for all matching files.

icacls name [/grant[:r] Sid:perm [...]] [/deny Sid:perm [...]] [/remove[:g|:d] Sid [...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy [...]]

/grant[:r] Sid:perm grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.

/deny Sid:perm explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions, and the same permissions in any explicit grant are removed.

/remove[:g|:d] Sid removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights for that Sid. With :d, it removes all occurrences of denied rights for that Sid.

/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to all matching files. The level is specified as one of L[ow], M[edium] or H[igh]. Inheritance options for the integrity ACE may precede the level and are applied only to directories.

Note: Security identifiers (SIDs) may be given in either numerical or friendly-name form. If the numerical form is used, prefix the SID with a *.

  • /T indicates that this operation is performed on all matching files/directories below the directories specified in the name.
  • /C indicates that this operation will continue on all file errors. Error messages will still be displayed.
  • /L indicates that this operation is performed on a symbolic link itself versus its target.
  • /Q indicates that icacls should suppress success messages.

icacls preserves the canonical ordering of access control entries:

  • Explicit denials
  • Explicit grants
  • Inherited denials
  • Inherited grants

perm is a permission mask and can be specified in one of two forms:

  • a sequence of simple rights:
      • F - full access
      • M - modify access
      • RX - read and execute access
      • R - read-only access
      • W - write-only access
  • a comma-separated list in parentheses of specific rights:
      • D - delete
      • RC - read control
      • WDAC - write DAC
      • WO - write owner
      • S - synchronize
      • AS - access system security
      • MA - maximum allowed
      • GR - generic read
      • GW - generic write
      • GE - generic execute
      • GA - generic all
      • RD - read data/list directory
      • WD - write data/add file
      • AD - append data/add subdirectory
      • REA - read extended attributes
      • WEA - write extended attributes
      • X - execute/traverse
      • DC - delete child
      • RA - read attributes
      • WA - write attributes

Inheritance rights may precede either form and are applied only to directories:

  • (OI) - object inherit
  • (CI) - container inherit
  • (IO) - inherit only
  • (NP) - don’t propagate inherit
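The perm grammar and the canonical ACE ordering described above, as an added Python example (not code from the article or from Microsoft): a parser for icacls-style permission masks with their optional inheritance prefix, and a check for the canonical order that icacls preserves and /verify reports on. The Ace record type and the sample principals are assumptions for illustration only.

```python
"""icacls permission-mask parser and canonical-order check.

Added example, not code from the article or from Microsoft: it models the
perm grammar of icacls (simple rights or a parenthesised list of specific
rights, optionally preceded by (OI)(CI)(IO)(NP)) and the canonical ordering.
"""
from collections import namedtuple

INHERIT_FLAGS = ("OI", "CI", "IO", "NP")
SIMPLE_RIGHTS = ("RX", "F", "M", "R", "W")  # longest token first so "RX" is not read as R then X
SPECIFIC_RIGHTS = {"D", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
                   "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
# kind is "grant" or "deny"; inherited is False for explicit ACEs (assumed record shape)
Ace = namedtuple("Ace", "sid kind inherited perm")
# canonical order: explicit denies, explicit grants, inherited denies, inherited grants
RANK = {(False, "deny"): 0, (False, "grant"): 1, (True, "deny"): 2, (True, "grant"): 3}

def parse_perm(spec):
    """Return (inheritance_flags, rights) for a perm such as '(OI)(CI)M' or '(D,WDAC)'."""
    flags, rest = [], spec.strip()
    while rest.startswith("(") and rest[1:3] in INHERIT_FLAGS and rest[3:4] == ")":
        flags.append(rest[1:3])
        rest = rest[4:]
    if rest.startswith("("):  # second form: comma-separated specific rights
        if not rest.endswith(")"):
            raise ValueError(f"unbalanced rights list in {spec!r}")
        rights = [r.strip() for r in rest[1:-1].split(",")]
        unknown = [r for r in rights if r not in SPECIFIC_RIGHTS]
        if unknown:
            raise ValueError(f"unknown specific right(s) {unknown} in {spec!r}")
        return tuple(flags), tuple(rights)
    rights, pos = [], 0  # first form: a sequence of simple rights
    while pos < len(rest):
        tok = next((t for t in SIMPLE_RIGHTS if rest.startswith(t, pos)), None)
        if tok is None:
            raise ValueError(f"unknown simple right at {rest[pos:]!r} in {spec!r}")
        rights.append(tok)
        pos += len(tok)
    if not rights:
        raise ValueError(f"no rights given in {spec!r}")
    return tuple(flags), tuple(rights)

def is_canonical(aces):
    """True when the ACE list is already in canonical order (what icacls /verify reports on)."""
    ranks = [RANK[(a.inherited, a.kind)] for a in aces]
    return ranks == sorted(ranks)

def canonicalize(aces):
    """Reorder ACEs into canonical form; stable, so entries within a class keep their order."""
    return sorted(aces, key=lambda a: RANK[(a.inherited, a.kind)])
```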

Examples

icacls c:\windows\* /save AclFile /T

- Saves the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile

- Restores the ACLs for every file listed in AclFile that exists in c:\windows and its subdirectories.

icacls file /grant Administrator:(D,WDAC)

- Grants the user Administrator Delete and Write DAC permissions on file.

icacls file /grant *S-1-1-0:(D,WDAC)

- Grants the user (or security group) identified by SID S-1-1-0 Delete and Write DAC permissions on file.

icacls c:\windows\explorer.exe

- Displays the discretionary access control list and integrity level of explorer.exe.

icacls file /setintegritylevel H

- Sets the mandatory integrity level of file to High.

See Also

SetACL

References