Computer Performance, Windows Server 2003

3CX Phone System for Windows - VOIP IP PBX

3CX Phone System for Windows -
VOIP IP PBX

Get your 5 free applications now

Application Publishing with 2X ApplicationServer

CACLS - Modify Discretionary Access Control Lists

Guy RecommendsGFi Events Manager

A solution to monitor, manage and archive thousands of events that are generated by devices across the entire network. 
Download FREE trial

Introduction to CACLS - Modify Discretionary Access Control Lists

CACLS is a command-line program for changing a folder's permissions.  It is my view that CACLS is made for scripting.  But first a reminder of the manual, GUI method for adjusting a folder's Access Control Lists (ACL).  If you right click a folder and select the Security tab then you can examine or even modify the permissions (ACL).

On this page I will answer the other questions that you may be asking about CACLS.  For example, where does CACLS come from?  How do you use the CACLS switches?

Topics for CACLS (Modify Discretionary Access Control Lists)

  ‡

Where does CACLS come from?

You can trace the history of CACLS right back to Windows NT 3.5.  These days CACLS is built-in to Windows 2003, XP and similar modern operating systems.  Just create a cmd prompt session and type: cacls.

When would you need CACLS?

When would you call for CACLS?  If you had the job of modifying lots of folder permissions then the normal Explorer GUI would be tedious. 

For example, you need to reset permissions on User's home folders to:

username: full control
administrators: full control
users: no entries. 

If you think it through, setting 'Deny everyone', or even 'Deny users', may not be smart, a bit like shooting yourself in the foot.

TrainSignal - Recommended Training VideosMore Information. As an MCT trainer, I can thoroughly endorse TrainSignal because they deliver practical hands on training.  In particular, I like the way that TrainSignal cover all learning methods, instructor lead, video and of course text material.  You can either take one module, for example File Server or go for a combination of modules.  See more about Windows 2003 training here

How do the CACLS Switches work?

Here is a purely personal view of how to understand the CACLS syntax.  Begin by dividing the CACLS command into three parts thus:

CACLS  1) folder name   2) replace, edit or revoke entries   3) grant user permission

Example: cacls  c:\home   /t     /g guyt:F

1) cacls c:\home - this is the path to the folder whose permissions you wish to change.

2) /t - replace (with guyt's permissions). Note, /t wipes out everyone else's permissions.  An alternative would be /e meaning edit or append permissions.

3) /g guyt:f - Think of /g as standing for Grant.  In this instance, the command grants guyt full control.  An alternative would be :r (read). Note the colon: incidentally, with cacls there isn't a comma in sight.

What is the full list of CACLS switches?

/t  Think of the 't' as meaning trash the original security permissions.

/e  Think of the 'e' as CACLS inviting you to edit.  Alternatively think of 'e' for append or correct one that went wrong.

/g  This is the main switch, 'g' means grant; as in: grant me the permissions.  This switch requires a user, followed by a colon and letter for the permission. Here are two examples:
/g guyt:f  full control for guyt. 
/g freddy:r   read only for freddy.

/p  Almost the same as /g.  CACLS /p replaces where as /g appends.

/r  Revokes, removes a named user from the Access Control List.  Classic usage would be /r users.

/d  'd' stands for deny.  Remember that if deny the users group the result is that nobody is able to see the files, so use /d sparingly.

/c 'c' is for continue.  This switch works for CACLS like, 'on error resume next' works in VBScript.  Adding /c says to CACLS, 'Carry on despite an error'.

Setting CACLS for Multiple Users

The purpose of this section is to examine how to incorporate CACLS in a VBScript, which sets multiple users.  It took me 30 minutes to work out how to master this, when I finally cracked cacls syntax it was so simple.  Let me begin with configuring cacls from the command line.  Here is an example to set the permissions for three users, user1, user2 and admin6.

/g user1:f user2:r admin6:c.  The pattern is one /g and then each user followed by a colon and the permission.  My mistakes were multiple /g and multiple /t - wrong.  Note again, no commas in sight.

If you have a problem then you could experiment with: domain\user instead of user1. Full example:  /g domx\user:c

What gave me even more grief were groups with spaces "Domain Admin".  You really need to pay attention to detail with names with spaces.  Firstly, believe that CACLS can handle "Domain Admins", secondly pay attention to the speech marks.

From the command line it's moderately tricky:
cacls  /t /g "Domain Admins":c guyt:r

In a VBScript it seemed impossible, until I hit upon the double, double quotes. ""Domain Admins""

  

If objFSO.FolderExists(strHomeFolder) Then
' Assign user permission to home folder.
intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & strHomeFolder _
& " /t /g ""Domain Admins"":c guyt:r", 2, True)
If intRunError <> 0 Then
Wscript.Echo "Error assigning permissions for user " _
& strUser & " to home folder " & strHomeFolder
End If

 

This script is meant for those experienced with VBScript.  See here for an Example of VBScript and CACLS

Killer use of CACLS

A classic use of CACLS is to set permissions on users' home directory.  For those who like to provide file shares for their users there is a need to control the ACL permissions.  This gets tedious where there are numerous subdirectories, each with different permissions.  The solution is a VBScript with the appropriate CACLS commands.  As ever, you could always issue the equivalent instructions, complete with switches, from the command prompt.

Solarwinds IpMonitorGuy recommends: The SolarWinds ipMonitor

I am attracted to ipMonitor because it inhabits that zone of part work, part play; Guy just could not put the dashboard away.  This excellent performance monitor will get you started in the quest to remove bottlenecks on your network.  SolarWinds provides this fully-functioning product free for 21 days.  So download and install ipMonitor, then start scrutinizing your computers CPU, memory and disk performance. 

Installing ipMonitor is a breeze, but learn from gung-ho Guy's mistake, and install SNMP on each computer that you wish to monitor.  What sealed my unreserved recommendation of SolarWinds is their support team, you will get expert help even when you are evaluating the ipMonitor.

Download SolarWinds ipMonitor (21 days eval)

Summary of Cacls

CACLS has a versatile set of command-line switches, which allow you automate setting folder permissions.  Launch Explorer to check a folder's Security tab, decide on the changes, then run CACLS form a cmd window.  I find it useful to break down the CALS command in to three parts:
Folder to change, edit or replace, permissions to grant:
Example: cacls c:\home /t /g administrators: f

See Also

ADSI Edit   ● ADSI More Examples   ● ADModify   LDP   ● Replmon   Performance Monitor Tool

 *

Google

Web  This Website

GFi Events Manager

Guy Recommends: GFi EventsManager

Here is a solution to monitor, manage and archive thousands of events that are generated by devices across your entire network.  Get your free evaluation copy of GFI EventsManager.

 

Home Copyright © 1999-2009 Computer Performance LTD All rights reserved

Please report a broken link, or an error.