Home > Commands A-M > Commands Ca-Cg


Description | Syntax | Parameters | Switches | Related | Notes | Examples | Errorlevels | Availability

Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.



CACLS pathname [/C] [/D user] [[/E] [/R user [...]]] [/G user:permission [...]]] [/P user:permission [...]]] [/T]

Display file(s) ACLs:

CACLS pathname

pathname (NT3.5)
Wildcards can be used to specify multiple files.

/? (NTXP)
Display help.
/C (NT3.5)
Continue on access denied errors.
/D user (NT3.5)
Deny specified user access. Will deny access to a user even if they belong to a group that does have access.
/E (NT3.5)
Edit ACL (leave existing rights unchanged). Without the /E switch all existing rights on [pathname] will be replaced, any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CALCS command will work without errors use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
/G user:permission (NT3.5)
Grant access rights, permision can be:
/P user:permission (NT3.5)
Replace access rights, permision can be:
/R user (NT3.5)
Revoke specified user's access rights (only valid with /E).
/T (NT3.5)
Search the pathname including all subfolders. Will only traverse subfolders below the current directory.
user (NT3.5)
In all the options "user" can be an NT Username or an NT Workgroup (either local or global)
If a username or groupname includes spaces then it must be surrounded with quotes e.g. "Authenticated Users"
You can specify more than one user:permission in a single command.


ATTRIB - Display or change file attributes
PERMS - Show permissions for a user
SHOWACL - Show file Access Control Lists (win 2000)
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders
Equivalent Linux BASH commands:
chmod - Change access permissions
chown - Change file owner and group


The CACLS command does not provide a /Y switch to automatically answer 'Y' to the Y/N prompt. However, you can pipe the 'Y' character into the CACLS command using ECHO, use:

    ECHO Y| CACLS /g username:permission

note: Do not include a space between the 'Y' and the pipe symbol.

To edit a file you must have the "Change" ACL (or be the file's owner).

To use the CACLS command and change an ACL requires "FULL Control"

File "Ownership" will always override all ACL's - you always have Full Control over files that you create.


Adding new file permissions to a group of users:

    CACLS myfile.txt /E /G "Power Users":F

If we now grant Read permissions to the same group they will still have FULL control:

    CACLS myfile.txt /E /G "Power Users":R

This command will replace the first ACL granted and allow only Read access:

    CACLS myfile.txt /E /P "Power Users":R



Windows NT
NT3.5 NT4 NT2000 NTXP