Calcs command

Updated: 11/12/2023 by Computer Hope
cacls command

The cacls command enables users to view and modify an ACL (access control list) of a file.

Tip

To change the read/write, hidden, system settings of the file see the attrib command.

Note

Cacls is now deprecated. For Windows 7 or later, use icacls instead.

Availability

Cacls is an external command and is available for the following Microsoft operating systems as cacls.exe.

Cacls syntax

Windows Vista and later syntax

Displays or modifies ACLs (access control lists) of files.

CACLS file name [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
               [/R user [...]] [/P user:perm [...]] [/D user [...]]
file name The name of the file to query for ACL data.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/M Changes ACLs of volumes mounted to a directory.
/L Work on the symbolic link itself versus the target.
/S Displays the SDDL string for the DACL.
/S:SDDL Replaces the ACLs with those specified in the SDDL string (not valid with /E, /G, /R, /P, or /D).
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant access rights to user. Perm can be:
R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace the access rights of user. Perm can be:
N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Abbreviations:

CI - Container inherit. The ACE (access control entry) will be inherited by directories.
OI - Object inherit. The ACE will be inherited by files.
IO - Inherit only. The ACE does not apply to the current file or directory.
ID - Inherited. The ACE was inherited from the parent directory's ACL.

Windows XP and earlier syntax

Displays or modifies ACLs (access control lists) of files.

CACLS file name [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
file name The name of the file to query for ACL data.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant access rights to user. Perm can be:
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace the access rights of user. Perm can be:
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.

Wildcards can specify more than one file or user in a command.

Cacls examples

cacls myfile.txt

The command above displays the ACLs for the file myfile.txt. Example output:

        READ_CONTROL
        FILE_READ_EA
        FILE_EXECUTE
        FILE_DELETE_CHILD
BUILTIN\Administrators:F 
Computer-Name\None:R 
NT AUTHORITY\SYSTEM:(special access:)
                   READ_CONTROL
                   SYNCHRONIZE
                   FILE_GENERIC_READ
                   FILE_GENERIC_WRITE
BUILTIN\Administrators:(special access:)
                      READ_CONTROL
                      SYNCHRONIZE
                      FILE_GENERIC_READ
Everyone:R
cacls myfile.txt /e /g mrhope:f

The command above grants the user mrhope full rights (f) to the file myfile.txt. If the ACL for the file is then listed (for instance, using the first command above), the user mrhope appears in the list.