Microsoft DOS cacls command

Updated: 09/15/2017 by Computer Hope

About cacls

The cacls command enables a user to view and modify an ACL of a file.

Tip: If you want to change the read/write, hidden, system settings of the file see the attrib command.

Note: Cacls is now deprecated. If you are using Windows 7 or later, use Icacls instead.

Availability

Cacls is an external command and is available in the below Microsoft operating systems as cacls.exe.

Windows NT
Windows 2000
Windows XP
Windows Vista
Windows 7
Windows 8
Windows 10

Cacls syntax

Windows Vista and later syntax

Displays or modifies access control lists (ACLs) of files

CACLS file name [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
               [/R user [...]] [/P user:perm [...]] [/D user [...]]
file name The name of the file to query for ACL data.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/M Changes ACLs of volumes mounted to a directory.
/L Work on the Symbolic Link itself versus the target.
/S Displays the SDDL string for the DACL.
/S:SDDL Replaces the ACLs with those specified in the SDDL string (not valid with /E, /G, /R, /P, or /D).
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant access rights to user. Perm can be:
R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace the access rights of user. Perm can be:
N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Abbreviations:

CI - Container Inherit. The ACE will be inherited by directories.
OI - Object Inherit. The ACE will be inherited by files.
IO - Inherit Only. The ACE does not apply to the current file/directory.
ID - Inherited. The ACE was inherited from the parent directory's ACL.

Windows XP and earlier syntax

Displays or modifies access control lists (ACLs) of files

CACLS file name [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
file name The name of the file to query for ACL data.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant access rights to user. Perm can be:
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace the access rights of user. Perm can be:
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command.

Cacls Examples

cacls myfile.txt

The above command will display the ACLs for the file myfile.txt. Example output:

        READ_CONTROL
        FILE_READ_EA
        FILE_EXECUTE
        FILE_DELETE_CHILD

BUILTIN\Administrators:F 
Computer-Name\None:R 
NT AUTHORITY\SYSTEM:(special access:)

                   READ_CONTROL
                   SYNCHRONIZE
                   FILE_GENERIC_READ
                   FILE_GENERIC_WRITE

BUILTIN\Administrators:(special access:)

                      READ_CONTROL
                      SYNCHRONIZE
                      FILE_GENERIC_READ

Everyone:R 
cacls myfile.txt /e /g mrhope:f

The above command grants the user mrhope full rights (f) to the file myfile.txt. If the ACL for the file is then listed (for instance, using the first command above), the user mrhope will appear in the list.

Additional information

  • See our ACL definition for further information and related links on this term.