Computer Performance, Windows Server 2003



CACLS - Modify Discretionary Access Control Lists

Introduction to CACLS - Modify Discretionary Access Control Lists

CACLS is a command-line program for changing a folder's permissions.  It is my view that CACLS is made for scripting.  But first, a reminder of the manual GUI method for adjusting a folder's Access Control Lists (ACL).  If you right-click a folder and select the Security tab, you can examine or even modify the permissions (ACL).

On this page I will answer the other questions that you may be asking about CACLS.  For example, where does CACLS come from?  How do you use the CACLS switches?


Where does CACLS come from?

You can trace the history of CACLS right back to Windows NT 3.5.  These days CACLS is built into Windows 2003, XP and similar modern operating systems.  Just open a cmd prompt session and type: cacls.

When would you need CACLS?

When would you call for CACLS?  If you had the job of modifying lots of folder permissions then the normal Explorer GUI would be tedious. 

For example, you need to reset permissions on users' home folders to:

username: full control
administrators: full control
users: no entries. 

If you think it through, setting 'Deny everyone', or even 'Deny users', may not be smart, a bit like shooting yourself in the foot.

How do the CACLS Switches work?

Here is a purely personal view of how to understand the CACLS syntax.  Begin by dividing the CACLS command into three parts thus:

CACLS  1) folder name   2) replace, edit or revoke entries   3) grant user permission

Example: cacls  c:\home   /t     /g guyt:F

1) cacls c:\home - this is the path to the folder whose permissions you wish to change.

2) /t - replace (with guyt's permissions). Note, /t wipes out everyone else's permissions.  An alternative would be /e meaning edit or append permissions.

3) /g guyt:f - Think of /g as standing for Grant.  In this instance, the command grants guyt full control.  An alternative would be :r (read). Note the colon: incidentally, with cacls there isn't a comma in sight.


What is the full list of CACLS switches?

/t  Think of the 't' as meaning trash the original security permissions.

/e  Think of the 'e' as CACLS inviting you to edit.  Alternatively, think of 'e' as appending an entry, or correcting one that went wrong.

/g  This is the main switch, 'g' means grant; as in: grant me the permissions.  This switch requires a user, followed by a colon and letter for the permission. Here are two examples:
/g guyt:f  full control for guyt. 
/g freddy:r   read only for freddy.

/p  Almost the same as /g.  CACLS /p replaces whereas /g appends.

/r  Revokes, removes a named user from the Access Control List.  Classic usage would be /r users.

/d  'd' stands for deny.  Remember that if you deny the users group the result is that nobody is able to see the files, so use /d sparingly.

/c 'c' is for continue.  This switch works for CACLS like, 'on error resume next' works in VBScript.  Adding /c says to CACLS, 'Carry on despite an error'.

Setting CACLS for Multiple Users

The purpose of this section is to examine how to incorporate CACLS in a VBScript, which sets multiple users.  It took me 30 minutes to work out how to master this; when I finally cracked the cacls syntax it was so simple.  Let me begin with configuring cacls from the command line.  Here is an example to set the permissions for three users: user1, user2 and admin6.

/g user1:f user2:r admin6:c

The pattern is one /g and then each user followed by a colon and the permission.  My mistakes were multiple /g and multiple /t - wrong.  Note again, no commas in sight.

If you have a problem then you could experiment with: domain\user instead of user1. Full example:  /g domx\user:c

What gave me even more grief were groups with spaces, such as "Domain Admins".  You really need to pay attention to detail with names with spaces.  Firstly, believe that CACLS can handle "Domain Admins"; secondly, pay attention to the speech marks.

From the command line it's moderately tricky:
cacls c:\home /t /g "Domain Admins":c guyt:r

In a VBScript it seemed impossible, until I hit upon the double, double quotes. ""Domain Admins""

  

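' Setup the fragment needs; the user and folder are sample values.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
strUser = "guyt"
strHomeFolder = "c:\home\" & strUser

If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & strHomeFolder _
        & " /t /g ""Domain Admins"":c guyt:r", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strUser & " to home folder " & strHomeFolder
    End If
End If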

 

This script is meant for those experienced with VBScript.  See here for an Example of VBScript and CACLS

Killer use of CACLS

A classic use of CACLS is to set permissions on users' home directories.  For those who like to provide file shares for their users there is a need to control the ACL permissions.  This gets tedious where there are numerous subdirectories, each with different permissions.  The solution is a VBScript with the appropriate CACLS commands.  As ever, you could always issue the equivalent instructions, complete with switches, from the command prompt.
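
The home-folder reset described earlier (username: full control, administrators: full control, users: no entries), as an added example that is not part of the original page. It assumes a root of c:\home in which each subfolder is named after its owner; HOME_ROOT and DRY_RUN are names chosen for this example. Folder names containing characters that cmd.exe would interpret are skipped rather than pasted into the command line.

```vbscript
Option Explicit
' Added example: reset every home folder under a root to
'   <username>:F  Administrators:F  (no entry for Users).
' Assumptions: root is c:\home and each subfolder is named after its owner.
Const HOME_ROOT = "c:\home"
Const DRY_RUN = True   ' True = only print the commands; set False to apply

Dim objFSO, objShell, objRE, objFolder, strUser, strCmd, intRunError
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

' The folder name is pasted into a cmd.exe command line, so accept only
' plain account-name characters; names containing & | ^ % " etc. are skipped.
Set objRE = New RegExp
objRE.Pattern = "^[A-Za-z0-9._-]+$"

If Not objFSO.FolderExists(HOME_ROOT) Then
    WScript.Echo "Home root not found: " & HOME_ROOT
    WScript.Quit 1
End If

For Each objFolder In objFSO.GetFolder(HOME_ROOT).SubFolders
    strUser = objFolder.Name
    If Not objRE.Test(strUser) Then
        WScript.Echo "SKIPPED (unexpected characters): " & objFolder.Path
    Else
        ' One /g, then user:permission pairs, as on this page.
        ' cacls /? lists /T as "all subdirectories" and /E as "edit ACL
        ' instead of replacing it": with no /e these entries replace the
        ' old ACL, and cacls asks "Are you sure", hence Echo Y|.
        ' The path is quoted so a root containing spaces still works.
        strCmd = "%COMSPEC% /c Echo Y| cacls """ & objFolder.Path & _
                 """ /t /g " & strUser & ":F Administrators:F"
        If DRY_RUN Then
            WScript.Echo strCmd
        Else
            intRunError = objShell.Run(strCmd, 2, True)
            If intRunError <> 0 Then
                WScript.Echo "Error " & intRunError & " on " & objFolder.Path
            Else
                WScript.Echo "OK: " & objFolder.Path
            End If
        End If
    End If
Next
```

Run it with cscript so the output goes to the console, and review the printed commands before setting DRY_RUN to False.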


Summary of Cacls

CACLS has a versatile set of command-line switches, which allow you to automate setting folder permissions.  Launch Explorer to check a folder's Security tab, decide on the changes, then run CACLS from a cmd window.  I find it useful to break down the CACLS command into three parts:
Folder to change, edit or replace, permissions to grant:
Example: cacls c:\home /t /g administrators:f


Copyright © 1999-2010 Computer Performance LTD All rights reserved