Cacls
Encyclopedia
cacls and icacls are Microsoft Windows
native command line utilities capable of displaying and modifying the access control list
s (ACLs) on folders and files
. An access control list is a list of permissions for securable object, such as a file or folder, that controls who can access it.
all of which offer improvements.
team, have produced their own command-line and scriptable permissions editors.
The documentation of a third-party free open-source replacement for cacls hosted on SourceForge
, known as SetACL
, suggests that cacls was invented for Windows NT 4.0
and is not suitable for use in Windows 2000
or later . Specifically, it notes that ACL inheritance was added in Windows 2000, but that neither the cacls utility nor the xcacls utility later released by Microsoft was properly updated to support it. The SetACL documentation suggests that Microsoft should have removed the utility from Windows 2000 rather than leave it in, only to have unwitting users internally disrupt a volume's security descriptor
s (by incorrectly ordering ACEs) in a way that's difficult to detect or recover from.
This project's documentation explains that using the built-in cacls to apply permissions to a tree of folders creates a copy of the ACL for every single file and folder and applies it individually, which was correct under Windows NT 4.0, but which is disruptive in Windows 2000 and later, where the expected behavior is to create a single ACL marked as "inheritable" so future changes propagate automatically.
Service Pack 2, Windows Vista
and Windows Server 2008 include icacls, a command-line utility that can display, modify, backup and restore ACLs for files and folders, as well as to set mandatory labels of Windows Integrity Control for them. It is not a complete replacement for cacls, however. For example, it cannot be used to hand-code a Security Descriptor
Definition Language (SDDL) string.
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
native command line utilities capable of displaying and modifying the access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...
s (ACLs) on folders and files
Computer file
A computer file is a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is durable in the sense that it remains available for programs to use after the current program has finished...
. An access control list is a list of permissions for securable object, such as a file or folder, that controls who can access it.
CACLS
The cacls utility is a command line editor of permissions in Windows 2000 and later. Microsoft has produced newer utilities such as- xcacls.exe,
- xcacls.vbs,
- fileacl and
- icacls (Windows Vista, Windows 7),
all of which offer improvements.
SetACL-project
Others, such as the SetACLSetACL
SetACL is a free software utility for manipulating security descriptors on Microsoft Windows. It is available under the GNU Lesser General Public License as a command line utility and as an ActiveX component.-Features:...
team, have produced their own command-line and scriptable permissions editors.
The documentation of a third-party free open-source replacement for cacls hosted on SourceForge
SourceForge
SourceForge Enterprise Edition is a collaborative revision control and software development management system. It provides a front-end to a range of software development lifecycle services and integrates with a number of free software / open source software applications .While originally itself...
, known as SetACL
SetACL
SetACL is a free software utility for manipulating security descriptors on Microsoft Windows. It is available under the GNU Lesser General Public License as a command line utility and as an ActiveX component.-Features:...
, suggests that cacls was invented for Windows NT 4.0
Windows NT 4.0
Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
and is not suitable for use in Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
or later . Specifically, it notes that ACL inheritance was added in Windows 2000, but that neither the cacls utility nor the xcacls utility later released by Microsoft was properly updated to support it. The SetACL documentation suggests that Microsoft should have removed the utility from Windows 2000 rather than leave it in, only to have unwitting users internally disrupt a volume's security descriptor
Security descriptor
Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name...
s (by incorrectly ordering ACEs) in a way that's difficult to detect or recover from.
This project's documentation explains that using the built-in cacls to apply permissions to a tree of folders creates a copy of the ACL for every single file and folder and applies it individually, which was correct under Windows NT 4.0, but which is disruptive in Windows 2000 and later, where the expected behavior is to create a single ACL marked as "inheritable" so future changes propagate automatically.
ICACLS
Windows Server 2003Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
Service Pack 2, Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows Server 2008 include icacls, a command-line utility that can display, modify, backup and restore ACLs for files and folders, as well as to set mandatory labels of Windows Integrity Control for them. It is not a complete replacement for cacls, however. For example, it cannot be used to hand-code a Security Descriptor
Security descriptor
Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name...
Definition Language (SDDL) string.
Examples
| Command | Result |
|---|---|
| icacls c:\windows\* /save AclFile /T |
Saves the ACLs for all items in c:\windows folder and its subfolders into a file named AclFile. |
| icacls c:\windows\ /restore AclFile | Restores the ACLs for every file within a file named AclFile to any relevant item that exists in c:\windows folder and its subfolders |
| icacls file /grant Administrator:(D,WDAC) | Grants the user named "Administrator" the Delete and Write permissions to a file named file. |
| icacls file /grant *S-1-1-0:(D,WDAC) | Grants the user or security group whose security identifier Security Identifier In the context of the Microsoft Windows NT line of operating systems, a Security Identifier is a unique name which is assigned by a Windows Domain controller during the log on process that is used to identify a subject, such as a user or a group of users in a network of NT/2000... is S-1-1-0 the Delete and Write permissions to a file named file. |
| icacls c:\windows\explorer.exe | Displays the access control list for a file named c:\windows\explorer.exe. |
| icacls file /setintegritylevel H | Modifies the mandatory integrity level of an object named file to High |
External links
- Microsoft links
- Microsoft Windows XP Professional Product Documentation: "Cacls"
- Microsoft Knowledgebase: "How to use Xcacls.exe to modify NTFS permissions"
- Microsoft Knowledgebase: "How to use Xcacls.vbs to modify NTFS permissions"
- Microsoft Technet: "Xcacls Overview"
- Microsoft Technet: Windows Server 2008 Command-line Reference: "Icacls"
- MSDN Library: "DACLs and ACEs"
- SS64.com's description
- Computerhope.com's description
- SetACL documentation on SourceForge.
- Introduction to Windows Integrity Control
- ICACLS - ACLs Command line management: The Lazy Admin blog