
Change Access Control Lists

All of the information, instructions, and recommendations on this Web site are offered on a strictly "as is" basis. Remember "Murphy's Law." Please take the proper precautions before attempting any of the tips or modifications listed here.

What is an Access Control List?

In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file XYZ gives Alice permission to delete file XYZ.

This page documents the results of using the cacls command at the command line.

Command: Change ACLs (cacls.exe)
Operating System: Windows XP Professional
File System: NTFS

Usage

C:\>cacls.exe

Displays or modifies access control lists (ACLs) of files
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
filename Displays ACLs. 
/T Changes ACLs of specified files in the current directory and all subdirectories. 
/E Edit ACL instead of replacing it. 
/C Continue on access denied errors. 
/G user:perm Grant specified user access rights. 
Perm can be: 
R Read 
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E). 
/P user:perm Replace specified user's access rights. 
Perm can be: 
N None
R Read
W Write
C Change (write)
F Full control 
/D user Deny specified user access. 
Wildcards can be used to specify more that one file in a command. 
You can specify more than one user in a command. 
Abbreviations: 
CI - Container Inherit. The ACE will be inherited by directories. 
OI - Object Inherit. The ACE will be inherited by files. 
IO - Inherit Only. The ACE does not apply to the current file/directory. 

 

Initial Results

Display current ACLs

C:\>cacls.exe c:\download.ec

c:\Download.ec BUILTIN\Administrators:(OI)(CI)F 
NT AUTHORITY\SYSTEM:(OI)(CI)F
RM225-S01\Admin:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA 

 

Grant the Users Group Change Rights: (Change = Modify)

C:\>cacls.exe c:\download.ec /G Users:c

Are you sure (Y/N)?y 
processed dir: c:\Download.ec 

 

Results

Without /E, /G replaced the entire ACL with only the entry that was specified, so the entries for all other users and groups were lost. Not good.

C:\>cacls.exe c:\download.ec

c:\Download.ec BUILTIN\Users:(OI)(CI)C 
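
To check a change like this mechanically, the following added example (not part of the original page) parses the two cacls listings shown above and reports which trustees lost their entries. The listings are copied from this page as sample input; the function names are assumptions of this example.

```python
import re

# Sample input: the "before" and "after" cacls listings shown on this page.
BEFORE = r"""c:\Download.ec BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
RM225-S01\Admin:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
"""
AFTER = r"""c:\Download.ec BUILTIN\Users:(OI)(CI)C
"""

# trustee : optional inheritance flags : one-letter right or a "special access" marker
ACE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)"
                 r"(?P<perm>[NRWCF]|\(special access:\))$")

def parse_cacls(text, path):
    """Return a set of (trustee, inherit_flags, rights) tuples from cacls output."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith(path.lower()):   # first line repeats the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            flags = tuple(re.findall(r"OI|CI|IO", m["flags"]))
            rights = [] if m["perm"].startswith("(") else [m["perm"]]
            aces.append([m["trustee"], flags, rights])
        elif aces:
            aces[-1][2].append(line)   # continuation line naming a special right
    return {(t, f, tuple(r)) for t, f, r in aces}

def dropped_trustees(before, after, path):
    """Trustees that had an entry before the change and have none after it."""
    kept = {t for t, _, _ in parse_cacls(after, path)}
    return sorted({t for t, _, _ in parse_cacls(before, path)} - kept)

def has_full_control(text, path, trustee):
    return any(t == trustee and "F" in r for t, _, r in parse_cacls(text, path))

if __name__ == "__main__":
    print(dropped_trustees(BEFORE, AFTER, r"c:\download.ec"))
```
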

 

Lessons Learned

Use the /E parameter to "Edit" the ACL so that existing entries are not lost.

cacls c:\download.ec /E /G Users:c

This command edits (/E) the ACL rather than replacing it, so the existing entries are kept. Adding /T would also apply the change recursively to subdirectories.

 

How To Reset ACLs?

CACLS * /e /t /c /g Administrators:F System:F

This command will edit (/e) the ACLs, rather than replace them, and recursively apply them (/t) to subdirectories. CACLS will continue (/c) on access denied errors, for example when it hits an open file.

 

Batch Files

Give the Users Group Modify Rights to a Directory

mkdir "c:\Program File\BookList"
echo Giving Users group Modify permissions for the BookList directory
cacls "c:\Program File\BookList" /E /T /C /G Users:c

 

Configure My Documents so that all Users can modify

cacls "C:\My Documents" /E /T /C /G Users:c

 


All items Copyright ©1996 - 2008 Chin. All Rights reserved
Conscious Vibes developed by Chin