Cacls

 

Applies To: Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8

Displays or modifies discretionary access control lists (DACL) on specified files.

Syntax

cacls <filename> [/t] [/m] [/l] [/s[:sddl]] [/e] [/c] [/g user:<perm>] [/r user [...]] [/p user:<perm> [...]] [/d user [...]]

Parameters

Parameter

Description

<filename>

Required. Displays ACLs of specified files.

/t

Changes ACLs of specified files in the current directory and all subdirectories.

/m

Changes ACLs of volumes mounted to a directory.

/l

Work on the Symbolic Link itself versus the target.

/s:sddl

Replaces the ACLs with those specified in the SDDL string (not valid with /e, /g, /r, /p, or /d).

/e

Edit ACL instead of replacing it.

/c

Continue on access denied errors.

/g user:<perm>

Grant specified user access rights.

Valid values for permission:

n: none

r: read

w: write

c: change (write)

f: full control

/r user [...]

Revoke specified user's access rights (only valid with /e).

[/p user:<perm> [...]

Replace specified user's access rights.

Valid values for permission:

n: none

r: read

w: write

c: change (write)

f: full control

[/d user [...]

Deny specified user access.

/?

Displays help at the command prompt.

Remarks

  • This command has been deprecated. Please use Icacls instead.

  • Use the following table to interpret the results:

    Output

    Access control entry (ACE) applies to

    OI

    Object inherit. This folder and files.

    CI

    Container inherit. This folder and subfolders.

    IO

    Inherit only. The ACE does not apply to the current file/directory.

    No output message

    This folder only.

    (OI)(CI)

    This folder, subfolders, and files.

    (OI)(CI)(IO)

    Subfolders and files only.

    (CI)(IO)

    Subfolders only.

    (OI)(IO)

    Files only.

  • You can use wildcards (? and *) to specify multiple files.

  • You can specify more than one user.

Additional references