Windows NT* Technical Article
22 March 1999
Add CACLS to your Windows NT Toolbox

Have you ever needed to alter file permissions - after the fact? For example, your partition has already been in use for some time, with all of your users creating files and sub-directories with security restrictions, and now you need to make a change globally to file permissions. How can you do it quickly and easily?

The best way is to go to the Command Prompt and run CACLS (Change ACLs).

Here's a question I've had to deal with, which makes a good example of how to use CACLS: Do you have an NTFS partition without SYSTEM group access? While security may be tight on your network, you should always allow the group SYSTEM to have FULL CONTROL over all files and directories on all NTFS partitions. This group represents the Windows NT operating system, and having it included allows such actions as creating a pagefile on a partition and defragmenting all files. If you have no real restrictions on security (if you leave EVERYONE with FULL CONTROL, for instance), then this is not an issue.

You could use Explorer to modify security settings globally on the partition/directories/files, but there is a problem with this. This is in fact a destructive method of applying security settings, because it replaces the existing settings; Explorer is fine for changing permissions in one directory or one file, but it should only be used globally if you want to set all permissions on all files and/or sub-directories to the same values. If you want to add or remove permissions without destroying the existing ones, you need to use the CACLS command line interface executed from the root of the partition:

D:\>cacls/?
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

SPECIAL NOTE: You must be at the root directory level of the partition in question. Use these commands:

drive_letter:
CD \

Now the command line:

CACLS * /e /t /g SYSTEM:F

SPECIAL NOTE: If you see this message: "Unable to perform a security operation on an object which has no associated security" you are executing this from a FAT partition. ACLs are only used on NTFS partitions.

The /e switch tells the CACLS command to EDIT the ACLs rather than REPLACE the existing permissions, and the /t switch tells it to apply the edit to subdirectories. Any number of ACCOUNT:PERM sets may follow the GRANT (/g) switch. As you can see from the above listing, there is additional flexibility built into the CACLS command - its only limitation is the extent of selections for PERM values.
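
The difference the /e switch makes across a whole tree can be seen in the following Python model, which is added here as an illustration and is not part of the original article. The paths, the account names and the one-permission-per-account ACL representation are assumptions made for the example.

```python
# Added illustration (not from the article): a simplified model of how CACLS
# treats an existing ACL with and without /E.
# Assumption: an ACL is reduced to one permission letter per account.
RANK = {"N": 0, "R": 1, "C": 2, "F": 3}   # perm letters from the CACLS help text


def grant(acl, grants, edit):
    """Model of /G: return the ACL that results for one file or directory.

    edit=False (no /E): the ACL is replaced by the granted entries only.
    edit=True  (/E):    existing entries are kept and the grants merged in.
    """
    result = dict(acl) if edit else {}
    for account, perm in grants.items():
        current = result.get(account)
        # Modelling assumption: a grant never lowers a right already held.
        if current is None or RANK[perm] > RANK[current]:
            result[account] = perm
    return result


def apply_tree(tree, grants, edit):
    """Model of /T: apply the same grant to every path in the tree."""
    return {path: grant(acl, grants, edit) for path, acl in tree.items()}


def lost_entries(before, after):
    """List (path, account) pairs whose access entry disappeared."""
    return sorted((path, account)
                  for path, acl in before.items()
                  for account in acl
                  if account not in after[path])


# Constructed sample partition: paths and account names are made up.
SAMPLE = {
    r"D:\users\alice": {"Administrators": "F", "alice": "C"},
    r"D:\users\alice\notes.txt": {"alice": "F"},
    r"D:\shared": {"Administrators": "F", "Everyone": "R"},
}

if __name__ == "__main__":
    for label, edit in (("CACLS * /t /g SYSTEM:F", False),
                        ("CACLS * /e /t /g SYSTEM:F", True)):
        after = apply_tree(SAMPLE, {"SYSTEM": "F"}, edit)
        print(label)
        print("  SYSTEM:F everywhere:", all(a.get("SYSTEM") == "F" for a in after.values()))
        print("  entries lost:", lost_entries(SAMPLE, after))
```

Both runs leave SYSTEM with Full Control on every path, but only the run with /e keeps the entries that users and administrators already had.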

You may also need to add SYSTEM to the drive itself. Do that through Explorer with these steps:
  1. Start EXPLORER
  2. Right click the partition in question
  3. Click PROPERTIES
  4. Click the SECURITY tab
  5. Click the PERMISSIONS button
  6. If SYSTEM is not listed, click ADD and select SYSTEM
  7. Highlight SYSTEM
  8. Set TYPE OF ACCESS to FULL CONTROL
  9. Clear the REPLACE PERMISSIONS ON EXISTING FILES check box (it is checked by default)
  10. Click OK

CACLS is an excellent addition to your Windows NT toolbox. It can definitely pull you out of a jam when NTFS permissions are not set properly.


Pat Bloodwell
Executive Software Technical Support NT Server/Workstation