Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify the ACLs (access control lists) on files and folders. Cacls can be run interactively, and because it is a command-line utility you can also call it from batch files. I first used Cacls in a batch file as part of a new user creation process and found it quite useful. You can also combine Cacls with other command-line tools; used together with other administration tools, it makes administrative tasks in large environments much easier to handle.
As a companion to this article, I created a Cacls reference guide you can download. It contains explanations of parameters, related resource links, and usage scenarios.
Working with Cacls
You run Cacls from the command line for single tasks, or from a batch file for multiple operations. Cacls.exe is installed in the %SystemRoot%\System32 folder on all installations of Windows NT, 2000, and XP, and it works only on NTFS volumes (FAT volumes have no ACLs to manage).
Cacls usage is the same across these Windows versions, which eases the learning curve as new releases of Windows appear. To see the Cacls options, open a command prompt and type cacls with no arguments; the usage text lists the options and parameters. The simplest operation Cacls can perform is to display the ACL of a file or folder with a command such as:
Cacls also accepts wildcards, environment and batch variables, and multiple permissions or users on one command line. This gives you some powerful configuration options. Table A shows the operations Cacls can perform, along with the corresponding option flags.
| Operation | Option |
| --- | --- |
| Change the ACLs of the specified files in the current folder and all subfolders | /T |
| Edit the ACL instead of replacing it | /E |
| Continue on access-denied errors | /C |
| Grant the specified user access rights; permissions are Read (R), Write (W), Change (C), Full Control (F) | /G user:perm |
| Revoke the specified user's access rights (valid only with /E) | /R user |
| Replace the specified user's access rights; permissions are None (N) plus the options from the grant operation | /P user:perm |
| Deny the specified user access | /D user |
Windows 2000 and XP also add three inheritance flags to each entry in the Cacls listing. They describe how an ACE set on a folder propagates to the subfolders and files beneath it; these are NTFS ACE inheritance flags, not Active Directory attributes. For example, Figure A shows the results of the command cacls C:\xfer\user-1, which displays the ACLs for this sample user directory.
As you can see, the three inheritance flags that can appear are:
- CI—Container inherit: subfolders inherit the entry
- OI—Object inherit: files inherit the entry
- IO—Inherit only: the entry exists only to be inherited by children and does not apply to the folder itself
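The listing format above is easy to read by eye for one folder but tedious across hundreds of user directories. The following Python script is an added example (not code from the original article or from Microsoft): it parses a Cacls listing into structured entries, translates the CI/OI/IO flags into what each entry actually applies to, and flags the two things an administrator usually wants to catch, namely write-capable rights held by broad principals such as Everyone, and entries whose account can no longer be resolved. The sample output is constructed to imitate cacls C:\xfer\user-1; the way an unresolvable account is rendered (a raw SID or an "Account Domain not found" placeholder) and the audit policy in BROAD_PRINCIPALS are assumptions.

```python
r"""Decode and audit a Cacls listing.

Added example, not code from the original article. SAMPLE_OUTPUT is constructed
to imitate what `cacls C:\xfer\user-1` prints on Windows 2000/XP. The rendering
of an unresolvable account (raw SID or "Account Domain not found") is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Inheritance flags Cacls prints in parentheses ahead of the permission letter.
FLAG_NAMES = {
    "OI": "object inherit (files)",
    "CI": "container inherit (subfolders)",
    "IO": "inherit only (not applied to this object)",
    "NP": "no propagate inherit",
}
PERM_NAMES = {"R": "Read", "W": "Write", "C": "Change", "F": "Full Control", "N": "None"}
WRITE_CAPABLE = {"W", "C", "F"}
# Audit policy (assumption): these broad principals should not hold write-capable rights.
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# trustee:(flag)(flag)...perm   e.g.  CORP\user-1:(OI)(CI)C
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<flags>(?:\([^)]*\))*)(?P<perm>[RWCFN])?$")


@dataclass
class Ace:
    trustee: str
    flags: Tuple[str, ...]          # inheritance flags only, e.g. ("OI", "CI")
    perm: Optional[str]             # R/W/C/F/N, or None for a "(special access:)" entry
    deny: bool = False
    special: List[str] = field(default_factory=list)  # right names under a special-access entry


def parse_cacls_output(text: str, path: str) -> List[Ace]:
    """Parse the listing cacls prints for `path` into Ace records."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(path):           # the first ACE shares its line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            if aces:                        # continuation line of a special-access entry
                aces[-1].special.append(line)
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        flags = tuple(t for t in tokens if t in FLAG_NAMES)
        aces.append(Ace(m.group("trustee"), flags, m.group("perm"), deny="DENY" in tokens))
    return aces


def applies_to(ace: Ace) -> Tuple[str, ...]:
    """Translate CI/OI/IO into the objects the entry actually applies to."""
    scope = ["this folder"]
    if "CI" in ace.flags:
        scope.append("subfolders")
    if "OI" in ace.flags:
        scope.append("files")
    if "IO" in ace.flags:                   # inherit-only: children get it, this folder does not
        scope.remove("this folder")
    return tuple(scope)


def is_unresolved(trustee: str) -> bool:
    """True when the ACE's SID no longer maps to an account (assumed rendering, see docstring)."""
    return trustee.startswith("S-1-") or "account domain not found" in trustee.lower()


def describe(ace: Ace) -> str:
    perm = PERM_NAMES[ace.perm] if ace.perm else "special access: " + ", ".join(ace.special)
    kind = "DENY " if ace.deny else ""
    return f"{ace.trustee}: {kind}{perm} on {', '.join(applies_to(ace))}"


def audit(aces: List[Ace]) -> List[str]:
    """Return the findings an administrator would want to act on."""
    findings = []
    for ace in aces:
        if is_unresolved(ace.trustee):
            findings.append(f"unresolved trustee {ace.trustee}: orphaned ACE, "
                            "check for a deleted account or an ACL written from the wrong domain")
        elif (ace.trustee.lower() in BROAD_PRINCIPALS and not ace.deny
              and ace.perm in WRITE_CAPABLE):
            findings.append(f"{describe(ace)}: write-capable right for a broad principal")
    return findings


SAMPLE_PATH = r"C:\xfer\user-1"
SAMPLE_OUTPUT = r"""
C:\xfer\user-1 BUILTIN\Administrators:(OI)(CI)F
               NT AUTHORITY\SYSTEM:(OI)(CI)F
               CORP\user-1:(OI)(CI)C
               CORP\user-2:(OI)(CI)R
               CORP\user-3:(DENY)(OI)(CI)W
               Everyone:(OI)(CI)F
               CORP\auditors:(OI)(CI)(IO)(special access:)
                             FILE_GENERIC_READ
               S-1-5-21-1000-2000-3000-1106:(OI)(CI)R
"""

if __name__ == "__main__":
    entries = parse_cacls_output(SAMPLE_OUTPUT, SAMPLE_PATH)
    for entry in entries:
        print(describe(entry))
    for finding in audit(entries):
        print("FINDING:", finding)
```

In practice you would feed the script the file produced by redirecting cacls output (the > c:\dump.txt trick described later in the article) rather than the constructed sample. Note that an IO entry is reported as applying to subfolders and files only, which is exactly the case where the folder's own listing can look harmless while every child beneath it is wide open.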
Using Cacls in batch files
One of Cacls’ administrative benefits is that you can pass it batch-file parameters (%1, %2, and so on) when you call it from a batch file. This can make Cacls an integral part of a large user administration process. To highlight this feature, let’s run through an example that will perform the following:
- Display the ACLs for a folder and its subfolders
- Grant a Write (W) entry for the primary user of the folder and a Read (R) entry for another user
- Revoke a different user’s entry on the same folder
The bat file (test-variable-pass.bat) will look like this:
echo This is C:\test-variable-pass.bat
echo Test of variable passing in Cacls
cacls %1 /t
cacls %1 /e /g user-1:W user-2:R
cacls %1 /e /r user-3
From the command prompt, I ran:
For a fancier situation, I could append > c:\dump.txt to the command prompt entry to redirect the output to a text file for review later. This is handy for reviewing large operations. Of course, %1 is not the only parameter I could use in this bat file: batch files accept %1 through %9 directly, and the SHIFT command gives access to any further arguments.
Limitations and workarounds
Cacls is a powerful tool for administering your ACLs, but you should be aware of a few quirks. Let’s take a look at some of these situations.
Answering the Y/N prompts automatically
When you grant (/g), replace (/p), or deny (/d) without /e, Cacls replaces the entire ACL and asks Are you sure (Y/N)?, and it provides no parameter to answer that prompt. One workaround is the resource kit tool XCacls (explained in the Cacls reference sheet available for download), which has a /y option to bypass the confirmation prompt. Another is to prefix the Cacls command in your bat file with echo y| (or echo n|) so the answer is piped into the prompt. Using /e, which edits the existing ACL instead of replacing it, avoids the prompt altogether and is usually what you want anyway.
Cacls (and XCacls) should be local
You can run Cacls from one computer against a path on another, but it may not always behave as expected. A better practice is to perform Cacls operations on the computer in question, or through a terminal services session to it. For example, I can run a Cacls grant (/g) command from one computer against a resource on a remote computer over the network, and it will accept the ACL entry for a nonexistent account without reporting an error. Figure B shows the 2kas.txt ACLs before and after the remote Cacls execution (notice the Account Domain not found message). After any remote change, display the ACL again and check that every entry resolved to a real account.
Special file access right assignments
Cacls limits ACL assignments to Read (R), Write (W), Change (C), Full Control (F), and None (N). Finer-grained rights such as change permissions, take ownership, execute, and delete cannot be granted individually with Cacls; the XCacls tool can address this limitation.
Current folder and subfolders
When using the /t option, be prepared to wait. As you may know from the Windows NT GUI, rewriting the ACLs in Windows Explorer with the Replace Permissions On Subdirectories option can take a while. Windows 2000 and later propagate inheritable Access Control Entries (ACEs) automatically, so setting an inheritable entry on the top-level folder is often enough. If you use Cacls with /t anyway, it recurses through the whole tree and rewrites every file and folder, which takes time on large trees.
Open or locked files
Cacls cannot display or modify the ACL of a file that another process has open for exclusive use.
If you are giving Cacls or XCacls a test drive, beware that you can lock users, or yourself, out of a file, folder, or drive. Test and experiment thoroughly on a test system before using it in production.
Cacls is a powerful tool that can help manage your ACLs. You can also use it in batch files, which is particularly useful in large environments. Utilizing Cacls or XCacls in conjunction with other Windows administration tools can make management of large numbers of user accounts much easier.