Posted On 2007-04-25 by FortyPoundHead
Keywords: Command Reference
Tags: Windows Commandline Windows
Views: 1952

Display or modify Access Control Lists (ACLs) for files and folders.

XCACLS filename [options] XCACLS filename
Key If no options are specified XCACLS will display the ACLs for the file(s)

options can be any combination of: /T Traverse all subfolders and change all matching files found.
/E Edit ACL instead of replacing it.

/x Edit ACL instead of replacing it; affect only ACEs that this user already owns*
/R user Revoke all access rights from the given user.

/D user Deny specified user access, this will over-ride all other permissions the user has. /C Continue on access denied errors.
/Y Replace user''s rights without verify /P user:permision[;FolderSpec] Replace user''s rights. see /G option below /G user:permision[;FolderSpec] Grant specified user access rights, permision can be: r Read
c Change (write)
f Full control p Change Permissions (Special access)
o Take Ownership (Special access)
x EXecute (Special access)
e REad (Special access)
w Write (Special access)
d Delete (Special access)
t Used only by FolderSpec. see below

* Option only valid in Windows 2003FolderSpec is a permission applied to a folder. If FolderSpec is not specified then permission will apply to both files and folders.
This allows you to set different permissions that will apply (through inheritance) when new files are added to the folder.

FolderSpec = ;T@ where @ is one of the rights above, when this is specified new files will inherit FolderSpec instead of permission. At least one folder access right must follow the T For example ;TF will apply full control (but ;FT is not valid)

Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command. You can combine access rights.

When running this command it is important to use the correct version (NTFS standards have changed with different versions of Windows and XCACLS has been updated to suit)
Early versions of xcacls may give unpredictable results against an NTFS v5 partition.

xcacls.vbs is described in Q825751 and can be downloaded here - xcacls.vbs is an unsupported utility that addresses a limitation with the original xcacls.exe, specifically the inability to append permissions to a folder whose child objects have the inheritance flag set. The .vbs version does not suppport unc paths.


:: Allow guests the right to read and execute in MyFolder
XCACLS MyFolder /E /G guests:rx

:: Allow guests the Full Control permission in MyFolder and all subfolders
XCACLS MyFolder /T /E /G guests:f

:: Grant guests only read access to all files in and below MyFolder,
:: new folders created will be Read Access only, new files will not inherit any rights.
XCACLS MyFolder /T /P guests:R;Tr

:: Grant guests only execute access to all files in and below MyFolder
XCACLS MyFolder /T /P guests:x

:: Take Ownership of "Application Data" folder and grant Administrators Full control (:OF)
:: Preserve existing permissions (/E) & apply to subfolders (/T)
XCACLS "Application Data" /E /g Administrators:OF /T

About the Author

FortyPoundHead has posted a total of 1974 articles.

Comments On This Post

No comments on this post yet!

Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.

Your IP address is:

Before you can post, you need to prove you are human. If you log in, this test goes away.

Code Links