DOCUMENT:Q162786 10-AUG-2001 [winnt] TITLE :Undocumented CACLS: Group Permissions Capabilities PRODUCT :Microsoft Windows NT PROD/VER:WinNT:3.5,3.51,4.0 OPER/SYS: KEYWORDS:kbtool ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0 - Microsoft Windows NT Server versions 3.5, 3.51, 4.0 ------------------------------------------------------------------------------- SUMMARY ======= CACLS is a Windows NT command-line utility that is used to display or modify file or directory access control lists (ACLs). The online help files for CACLS do not mention that CACLS will add, modify, or delete group permissions, as well as user permissions, from NTFS ACLs. CACLS can be used to modify the ACLs on files or directories. This ability is often useful for adding or deleting a user or group permission without modifying other existing permissions. The GUI in File Manager or Windows NT Explorer is currently limited to replacing the ACLs. CACLS can also be used to change permissions for groups with names containing a space: when specifying such a group, it is necessary to delimit the name of the group with double quotes (for example, "group name"). CACLS cannot be used to create "special" permissions. It is currently limited to the permissions No Access, Read, Change, and Full Control. The "None" permission and the "Deny" parameter in CACLS are equivalent to "No Access" in the GUI. The "Revoke" parameter deletes an explicit permission but does not prevent the use of permissions that a user might have through membership in other groups. For additional information on automation using CACLS, please see the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q135268 TITLE : How to Use CACLS.EXE in a Batch File Examples -------- Follow these steps to change the ACLs of all files and directories on drive C to allow full control for the Administrators local group: 1. Open a command prompt. 2. Type: cacls c:\ /t /e /g Administrators:f Follow these steps to change the ACLs of all files in the C:\Temp directory (but not its subdirectories), to add the read permission for the Domain Users global group and the Users local group, and to remove any explicit permissions for the Everyone group: 1. Open a command prompt. 2. Type: cacls c:\temp\*.* /e /g "Domain Users":r Users:r /r Everyone MORE INFORMATION ================ CACLS: Displays or modifies access control lists (ACLs) of files or directories. Usage: cacls filename [/t] [/e] [/c] [/g user|group:perm] [/r user|group [...]] [/p user|group:perm [...]] [/d user|group [...]] Parameters: filename Displays ACLs of specified directory, file or files. /t Changes ACLs of specified files in the current directory and all subdirectories. /e Edit ACL instead of replacing it. /c Continue changing ACLs, ignoring errors. /g user|group:perm Grant specified user or group access permissions. perm can be: r Read c Change (write) f Full control /r user Revoke specified user's or group's access permissions. /p user|group:perm Replace specified user's or group's access permissions. perm can be: n None r Read c Change (write) f Full control /d user|group Deny specified user access. You can specify more than one file, user, or group in a command. Wildcard characters in file and directory names are supported. Group names containing a space need to be contained in double quotes, for example "group name". Additional query words: security ====================================================================== Keywords : kbtool Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search Version : WinNT:3.5,3.51,4.0 Hardware : x86 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.