Microsoft DOS cacls command

Quick links

About cacls
Availability
Cacls Syntax
Examples

About cacls

The cacls command enables a user to view and modify the ACLs of a file.

Tip: If you want to change the read/write, hidden, system settings of the file see the attrib command.

Note: Cacls is now deprecated, please use Icacls if you are using Windows 7 or later.

Availability

The cacls.exe command is an external command and is available in the below Microsoft operating systems.

Windows NT
Windows 2000
Windows XP
Windows Vista
Windows 7
Windows 8

Syntax

Windows Vista and later syntax
Windows XP and earlier syntax

Windows Vista and later syntax

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

filename Displays ACLs.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/M Changes ACLs of volumes mounted to a directory.
/L Work on the Symbolic Link itself versus the target.
/S Displays the SDDL string for the DACL.
/S:SDDL Replaces the ACLs with those specified in the SDDL string (not valid with /E, /G, /R, /P, or /D).
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be:  
R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace specified user's access rights.
Perm can be: N  
N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Abbreviations:

CI - Container Inherit. The ACE will be inherited by directories.
OI - Object Inherit. The ACE will be inherited by files.
IO - Inherit Only. The ACE does not apply to the current file/directory.
ID - Inherited. The ACE was inherited from the parent directory's ACL.

Windows XP and earlier syntax

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

filename Displays ACLs.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace specified user's access rights.
Perm can be: N None

R

Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command.

Examples

cacls myfile.txt

Displays the ACLs for the myfile.txt file. Below is an example of what this may look like.

C:\WINNT\MYFILE.TXT BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

cacls myfile.txt /e /g mrhope:f

Grants the user "mrhope" full rights to the myfile.txt file. If user was to look at the ACLs again using the above command, they would now see that the mrhope user is in the list.

Additional information

  • See our ACL definition for further information and related links on this term.