'cacls' NT command
Excerpted from the O'Reilly book Windows NT In a Nutshell by Eric Pearce.

The cacls command administers Access Control Lists (ACLs) for files and directories. It offers much finer control over ACLs than the GUI tools, such as Windows NT Explorer and File Manager, but it has a more complex view of permissions.
Options
- filename(s)
    Display ACLs for filename(s).
- /t
    Apply changes recursively. Change ACLs of specified files in current directory and any subdirectories.
- /e
    Add changes to ACL instead of overwriting previous ACL.
- /c
    Continue changing ACLs even when there are errors.
- /g username:right
    Grant username one of the following rights: R for read, C for change (write), or F for full control.
- /r username
    Revoke rights from username.
- /p username:right
    Replace previous right for username with a new right. The values for rights are: N for none, R for read, C for change (write), or F for full control.
- /d username
    Set user rights to NONE, explicitly denying access to the resource and overriding all other permissions for the user.
Examples
Display the ACL for the directory D:\users\eap:
    cacls D:\users\eap
    d:\users\eap\ Everyone:(CI)R
                  BUILTIN\Administrators:(CI)C
                  BUILTIN\Account Operators:(CI)C
                  NT AUTHORITY\SYSTEM:(OI)(IO)F
                  NT AUTHORITY\SYSTEM:(CI)F
                  HOME\eap:(OI)(IO)F
                  HOME\eap:(CI)F

There are several concepts you need to understand before being able to decipher cacls output:
- A Container is a directory.
- An Object is a file.
- To inherit means to take the same rights as the parent directory.
- (OI) is Object Inherit. Files (Objects) created under this directory will inherit this right.
- (CI) is Container Inherit. Directories (Containers) created under this directory will inherit this right.
- (IO) is Inherit Only. This right does not apply to this directory; it only specifies what would be the inherited rights for subdirectories.
The following explanations apply for the previous example:
- Line 1: Group Everyone has read (R) access to the current directory and subdirectories.
- Lines 2 and 3: Built-in Groups Administrators and Account Operators have create (C) access to the current directory and subdirectories.
- Line 4: System has Inherit-Only full control (F) access for files.
- Line 5: System has full control (F) access to current directory and subdirectories.
- Line 6: User eap in the HOME domain has Inherit-Only full control to files.
- Line 7: User eap in the HOME domain has full control for directory and subdirectories.
Now that was easy, right?
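The decoding rules above can be applied mechanically when many directories need reviewing. The following is an added example, not part of the book excerpt: it parses a cacls listing and reports, for each entry, the right and what it applies to. The sample input is the listing from this page re-typed as constructed data (including the larryc entry from the later listing), and the function names and the choice of Everyone as the group to watch are assumptions.

```python
import re

# Constructed sample: the cacls listing this page shows for D:\users\eap
SAMPLE = r"""d:\users\eap\ Everyone:(CI)R
              BUILTIN\Administrators:(CI)C
              BUILTIN\Account Operators:(CI)C
              NT AUTHORITY\SYSTEM:(OI)(IO)F
              NT AUTHORITY\SYSTEM:(CI)F
              HOME\eap:(OI)(IO)F
              HOME\eap:(CI)F
              HOME\larryc:(OI)(CI)C
"""

RIGHTS = {"N": "none", "R": "read", "C": "change (write)", "F": "full control"}
ACE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<right>[NRCF])$")

def scope(flags):
    """Translate inheritance flags into what the entry covers (directory listing assumed)."""
    targets = []
    if "IO" not in flags:          # Inherit Only: skips the directory itself
        targets.append("this directory")
    if "CI" in flags:              # Container Inherit
        targets.append("subdirectories")
    if "OI" in flags:              # Object Inherit
        targets.append("files")
    return targets

def parse_cacls(text, path):
    """Return one dict per ACL entry in a cacls listing for `path`."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # only the first line carries the path
        m = ACE.match(line)
        if m:
            flags = re.findall(r"\((\w\w)\)", m["flags"])
            entries.append({"account": m["account"], "flags": flags,
                            "right": RIGHTS[m["right"]], "applies_to": scope(flags)})
    return entries

def broad_grants(entries, accounts=("Everyone",)):
    """Return entries that give a wide group more than read access."""
    return [e for e in entries
            if e["account"] in accounts and e["right"] not in ("none", "read")]

if __name__ == "__main__":
    for e in parse_cacls(SAMPLE, "d:\\users\\eap\\"):
        print(f'{e["account"]:28} {e["right"]:15} {", ".join(e["applies_to"])}')
```
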
Give user larryc create rights to the EAP directory and any subdirectory without disturbing other ACL information:
    cacls D:\users\eap /g larryc:C /e /t
    processed dir: d:\users\eap

Check the rights again:

    cacls D:\users\eap
    d:\users\eap\ Everyone:(CI)R
                  BUILTIN\Administrators:(CI)C
                  BUILTIN\Account Operators:(CI)C
                  NT AUTHORITY\SYSTEM:(OI)(IO)F
                  NT AUTHORITY\SYSTEM:(CI)F
                  HOME\eap:(OI)(IO)F
                  HOME\eap:(CI)F
                  HOME\larryc:(OI)(CI)C

Sometimes you will be prompted for confirmation for the cacls command:

    cacls D:\users\eap /p larryc:f /t
    Are you sure (Y/N)?

You can bypass this confirmation by sending a Y character to the cacls command using echo:

    echo Y|cacls D:\users\eap /p larryc:f /t
    Are you sure (Y/N)?processed dir: d:\users\eap

Make sure there is no space between the Y and the pipe ( | ) command.
Notes
The File Manager and Windows NT Explorer tend to be rather blunt tools for changing permissions. If you want to make subtle changes (especially without overwriting previous settings), mastering the cacls syntax is a good idea.