Introduction to CACLS
- Modify Discretionary Access Control Lists
CACLS is a command-line program for changing a folder's permissions. It is my view that CACLS is made for scripting. But first a reminder of the manual, GUI method for adjusting a folder's Access Control Lists (ACL). If you right click a folder and select the Security tab
then you can examine or even modify the
permissions (ACL). On this page I will answer the other questions that you may be asking about CACLS. For example,
where does CACLS come from? How do you use the CACLS switches?
Topics for CACLS
(Modify Discretionary Access Control Lists)
‡
You can trace the history of
CACLS right back to Windows NT 3.5. These days CACLS is built-in to Windows 2003, XP and similar modern operating systems. Just create a cmd prompt session and
type: cacls.
When would you call for CACLS?
If you had the job of modifying lots of folder permissions then the normal Explorer GUI would be tedious.
For example, you need to reset permissions on User's home folders to:
username: full control
administrators: full control
users: no entries.
If you think it through, setting 'Deny everyone', or even 'Deny users', may not be smart, a bit like shooting yourself in the foot.
Here is a purely personal view of how to understand the CACLS syntax. Begin by dividing the CACLS command into three parts thus:
CACLS 1) folder name 2) replace, edit or revoke entries 3) grant user permission
Example: cacls c:\home /t /g guyt:F
1)
cacls c:\home - this is the path to the folder whose permissions you wish to change.
2)
/t - replace (with guyt's permissions). Note, /t wipes out everyone else's permissions. An alternative would be /e meaning edit or append permissions.
3)
/g guyt:f - Think of /g as standing for Grant. In this instance, the command grants guyt full control. An alternative would be :r (read). Note the colon: incidentally, with cacls there isn't a comma in sight.
Guy Recommends: SolarWinds Engineer's Toolset v10
The Engineer's Toolset v10 provides a comprehensive console of utilities
for troubleshooting computer problems. Guy says it helps me
monitor what's occurring on the network, and the tools teach me more about how the system
itself operates.
There are so many good gadgets, it's like having free rein of a
sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.
Download your copy of the Engineer's Toolset v 10
/t Think of the 't' as meaning trash the original security permissions.
/e Think of the 'e' as CACLS inviting you to edit. Alternatively think of 'e' for append or correct one that went wrong.
/g This is the main switch, 'g' means grant; as in: grant me the permissions. This switch requires a user, followed by a colon and letter for the permission. Here are two examples:
/g guyt:f full control for guyt.
/g freddy:r read only
for freddy.
/p Almost the same as /g. CACLS /p replaces where as /g appends.
/r Revokes, removes a named user from the Access Control List. Classic usage would be /r users.
/d 'd' stands for deny. Remember that if deny the users group the result is that nobody is able to see the files, so use /d sparingly.
/c 'c' is for continue. This switch works for CACLS like, 'on error resume next' works in VBScript. Adding /c says to CACLS, 'Carry on despite an error'.
The purpose of this section is to examine how to incorporate CACLS in a VBScript, which sets multiple users.
It took me 30 minutes to work out how to master this, when I finally cracked cacls syntax it was so simple. Let me begin with configuring cacls from the command line. Here is an example to set the permissions for three users,
user1, user2 and admin6.
/g user1:f user2:r admin6:c. The pattern is one /g and then each user followed by a colon and the permission. My mistakes were multiple /g and multiple /t - wrong. Note again, no commas in
sight.
If you have a problem then you could experiment with: domain\user instead of user1. Full example: /g domx\user:c
What gave me even more grief were groups with spaces "Domain Admin". You really need to pay attention to detail with names with spaces. Firstly, believe that CACLS can handle "Domain
Admins", secondly pay attention to the speech marks.
From the command line it's moderately tricky:
cacls /t /g "Domain Admins":c guyt:r
In a VBScript it seemed impossible, until I hit upon the double, double quotes. ""Domain Admins""
If objFSO.FolderExists(strHomeFolder) Then
' Assign user permission to home folder.
intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & strHomeFolder _
& " /t /g ""Domain Admins"":c guyt:r",
2, True)
If intRunError <> 0 Then
Wscript.Echo "Error assigning permissions for user " _
& strUser & " to home folder " & strHomeFolder
End If
This script is meant for those experienced with VBScript. See here for an Example of VBScript and CACLS
A classic use of CACLS is to set permissions on users' home directory. For those who like to provide file shares for their users there is a need to control the ACL permissions. This
gets tedious where there are numerous subdirectories, each with different permissions. The solution is a VBScript with the appropriate CACLS commands. As ever, you could always issue the equivalent
instructions, complete with switches, from the command prompt.
 Guy
Recommends: A Free tool from SolarWinds: Config Generator
Config Generator (CG) is a free tool, which puts you in charge of
controlling changes to network routers and other SNMP devices.
Boost your network performance by activating network device features
you've already paid for.
Guy says that for newbies the biggest benefit of this free tool is that
it will provide the impetus for you to learn more about configuring the SNMP
service with its 'Traps' and 'Communities'. This is a brand new free utility which Solarwinds released on January 26th
2010.
Download your free copy of the Config Generator
CACLS has a versatile set of command-line switches, which allow you automate setting folder permissions. Launch Explorer to check a folder's Security tab, decide on the changes, then run CACLS form a
cmd window. I find it useful to break down the CALS command in to three parts:
Folder to change, edit or replace, permissions to grant:
Example: cacls c:\home /t /g administrators: f
See Also
● ADSI Edit
● ADSI More Examples ●
ADModify
● LDP ●
Replmon
●
Performance Monitor Tool
|
