Security from the command line with CACLS

Although using CACLS may seem daunting at first, the flexibility and power of this utility can make short work of security management tasks. It is installed on every Windows NT/2000/XP system, so give it a try when you need to change security.

Most of us have needed to add access to or remove access from an entire tree of folders for a person or group of people, each with its own permission set. This process is extremely tedious, no matter which version of Windows you're using. Let me introduce you to a little-known command line utility, Change Access Control ListS (CACLS), which can make the process of changing permissions much less tedious.

Why add or remove a single group or person?
One situation in which you may need to add a group to an entire tree of directories is if your organization adopts a policy requiring that a security officer have read access to all files for review for objectionable material. However, you won't necessarily want to give the security officer administrative privileges. You also cannot simply apply a single set of permissions to every directory, as you would if you added this group through the GUI, because not every directory has the same permissions as the others.

In another situation, your organization may have decided that administrators shouldn't have easy access to files. Although administrators have the Take Ownership right, which ultimately would allow them to open a file if necessary, the policy may be such that opening files shouldn't be easy or transparent. In that case, it would be necessary to explicitly remove the administrator security group from all user files. In both of these cases, there is a need to add or remove a single user or group from a whole tree of directories. This is something the GUI cannot do.

Security from the GUI
The GUI in Windows 2000 can be credited with a lot of things, but it doesn't offer a transparent security infrastructure. While it does a good job at the day-to-day task of adding and removing permissions from a user or group, it doesn't do well when that group needs to be added into an existing tree of directories that has its own settings.

From within the GUI, you can only choose to overwrite the permissions of the existing files and folders under a directory. You cannot selectively add or remove a single person or group from existing permissions. To accomplish this through the GUI would require going through each directory. This is a time-consuming and potentially error-prone activity.

Getting control from the command line
Luckily, Windows NT, Windows 2000, and Windows XP ship with a utility called CACLS. This utility is specifically designed to allow you to manage access control lists from the command line. CACLS can apply the same permissions to an entire tree, as well as edit existing permissions. This allows you to precisely control how permissions are added or removed one group (or user) at a time without disturbing other permissions that exist on the system.

The basic format of the CACLS command is CACLS <filename> [Options], where <filename> is the name of the file to be modified. The file name can contain wildcards, allowing the same command to be run across multiple files. If you run CACLS on a file without any options, instead of changing the access control list on the file, CACLS will display the existing access control list. There are several options for CACLS. But to start, let's focus on its ability to grant a new group access to a set of files with differing permissions. The first option is the /e or edit option. This option instructs the CACLS command to edit the existing permissions. Without this option, the CACLS command would operate as the GUI does and replace all of the existing permissions.

The second option for adding a new group is the /g or grant option. The /g option is followed by the name of the group or user, a colon, and the kind of access to be granted. The kind of access that can be granted is r for read only, w for write access, and f for full access. Admittedly, this doesn't have the same granularity available from the GUI; however, most people rarely use that granularity. To give a group called SecOfr read permissions to a file named userfile.doc, the command would look like this:
CACLS userfile.doc /e /g SecOfr:r

Removing a user's access to a file is similar. Instead of /g for grant, you use /r for remove. The /r option is followed only by the name of the user or group (no permission letter), because it revokes all of that account's allow entries. Thus, the command to remove access from userfile.doc for the SecOfr group would be:
CACLS userfile.doc /e /r SecOfr

Now that you know how to add and remove permissions from the command line, it's time to see the real power. First, you can replace the file name with a wildcard such as *.*. This will cause the command to process every file in the current directory. If you couple this with the /t or recurse option, it is possible to modify the permissions in an entire directory tree. If you want to grant the SecOfr group read access to an entire directory tree, you would go to the root of the tree that you want to change and execute the command:
CACLS *.* /t /e /g SecOfr:r

This will change the security for every file and directory from the current location down.

Multiple grant and remove commands
Throughout these examples, I have been giving you one grant or one remove option at a time. This was an easy way to introduce the command, but it doesn't expose the power of including multiple grant and remove commands on the same command line. In reality, the CACLS command can accept any number of grant and remove commands stacked on the same command line. This means the syntax of the command can look like this:
CACLS *.* /t /e /g SecOfr:r /r administrators /g Readers:r /g Managers:F

Another option you should be aware of is the /d or deny option. This option causes a deny access control entry to be added to the access control list for the specified user or group. Because Windows NT/2000/XP security is such that any deny takes priority over any allow, you can effectively prevent a user or group from having access to a file. So, if you wanted to explicitly deny access to a file from the user account BadUser, you could execute:
CACLS userfile.doc /e /d BadUser

Quotes required
If your user names or groups have spaces in them, you will need to enclose them in quotes. This will prevent them from being processed as more than one parameter. For example, if you wanted to grant the Domain Admins group full access to a file, you could execute:
CACLS userfile.doc /e /g "Domain Admins":F
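The following batch script is an added example, not part of the original article: it applies the security-officer read-access policy described above to one directory tree, records the ACLs before and after so the change can be reviewed or backed out, and then lists any object that still lacks an entry for the group. The group name "Security Officers", the tree D:\UserFiles and the log folder C:\ACLlogs are assumptions; the space in the group name is deliberate, to show the quoting rule in practice.

```batch
@echo off
REM grant-officer-read.cmd -- added example, not from the original article.
REM Assumed names: group "Security Officers", tree D:\UserFiles, log folder
REM C:\ACLlogs. Requires the rights to change permissions under the tree.
setlocal
set TREE=D:\UserFiles
set GROUP=Security Officers
set LOGDIR=C:\ACLlogs
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM 1. Record the existing ACLs. With no editing options CACLS only
REM    displays; /t walks the whole tree. Keep this file: it is the
REM    record you need to review or reverse the change.
cacls "%TREE%\*.*" /t > "%LOGDIR%\before.txt"

REM 2. Edit (/e) rather than replace: add read access for the group on
REM    every file and folder below TREE without disturbing other entries.
REM    The group name contains a space, so it must be quoted, with the
REM    colon and permission letter outside the quotes.
cacls "%TREE%\*.*" /t /e /g "%GROUP%":R
if errorlevel 1 (
    echo CACLS reported an error; compare against "%LOGDIR%\before.txt"
    exit /b 1
)

REM 3. Record the result and list anything that still has no entry for
REM    the group, so the run can be verified instead of assumed.
cacls "%TREE%\*.*" /t > "%LOGDIR%\after.txt"
echo Objects without a "%GROUP%" entry:
for /f "delims=" %%F in ('dir /s /b "%TREE%"') do (
    cacls "%%F" | findstr /i /c:"%GROUP%" > nul || echo   %%F
)
endlocal
```

To apply the second policy from the article (removing the administrators group from user files) the same way, stack /r administrators on the CACLS line in step 2, as the multiple-command example above shows.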
