Posted On 2005-11-1 by FortyPoundHead
Keywords: Command Reference
Tags: Windows Commandline Windows
Views: 2213


Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.


      CACLS pathname [options]

      CACLS pathname

key   options can be any combination of:  

   /T Search the pathname including all subfolders.

   /E Edit ACL (leave existing rights unchanged)  

   /C Continue on access denied errors.

   /G user:permission      Grant access rights, permision can be:          

         R Read

         C Change (write)

         F Full control

   /R user      Revoke specified user's access rights (only valid with /E).

   /P user:permission         Replace access rights, permission can be:          

         N None

         R Read

         C Change (write)

         F Full control

   /D user Deny specified user access.    

In all the options above "user" can be an NT Username or an NT Workgroup (either local or global).  If a username or groupname includes spaces then it must be surrounded with quotes e.g. "Authenticated Users".  If no options are specified CACLS will display the ACLs for the file(s)

Other features to try

Wildcards can be used to specify multiple files.

You can specify more than one user:permission in a single command.

The /D option will deny access to a user even if they belong to a group that does have access.


The CACLS command does not provide a /Y switch to automatically answer 'Y' to the Y/N prompt. However, you can pipe the 'Y' character into the CACLS command using ECHO, use the following syntax:


To edit a file you must have the "Change" ACL (or be the file's owner).  To use the CACLS command and change an ACL requires "FULL Control".  File "Ownership" will always override all ACL's - you always have Full Control over files that you create.

If CACLS is used without the /E switch all existing rights on [pathname] will be replaced, any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CALCS command will work without errors use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.

The /T option will only traverse subfolders below the current directory.


Adding new file permissions to a group of users

CACLS myfile.txt /E /G "Power Users":F

If we now grant Read permissions to the same group they will still have FULL control

CACLS myfile.txt /E /G "Power Users":R

This command will replace the first ACL granted and allow only Read access:

CACLS myfile.txt /E /P "Power Users":R

About the Author

FortyPoundHead has posted a total of 1974 articles.

Comments On This Post

No comments on this post yet!

Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.

Your IP address is:

Before you can post, you need to prove you are human. If you log in, this test goes away.

Code Links