CACLS.exe

Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.

syntax
      CACLS pathname [options] 

      CACLS pathname 

key
   options can be any combination of:

   /T Search the pathname including all subfolders. 
   /E Edit ACL (leave existing rights unchanged)
   /C Continue on access denied errors. 

   /G user:permission
      Grant access rights, permision can be: 
         R Read 
         C Change (write) 
         F Full control 

   /R user
      Revoke specified user's access rights (only valid with /E). 

   /P user:permission   
      Replace access rights, permission can be: 
         N None 
         R Read 
         C Change (write) 
         F Full control 

   /D user Deny specified user access. 

   In all the options above "user" can be an NT Username 
   or an NT Workgroup (either local or global)

   If a username or groupname includes spaces then
   it must be surrounded with quotes e.g. "Authenticated Users"

   If no options are specified CACLS will display the ACLs for the file(s)

Other features to try

Wildcards can be used to specify multiple files.
You can specify more than one user:permission in a single command.
The /D option will deny access to a user even if they belong to a group that does have access.

Using CACLS

• The CACLS command does not provide a /Y switch to automatically answer 'Y' to the Y/N prompt. However, you can pipe the 'Y' character into the CACLS command using ECHO, use the following syntax:
  
  ECHO Y| CACLS /g <username>:<permission>
  
  
• To edit a file you must have the "Change" ACL (or be the file's owner)
  
  
• To use the CACLS command and change an ACL requires "FULL Control"
  
  
• File "Ownership" will always override all ACL's - you always have Full Control over files that you create.
  
  
• If CACLS is used without the /E switch all existing rights on [pathname] will be replaced, any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CALCS command will work without errors use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
  
  
• The /T option will only traverse subfolders below the current directory.
  

Examples:

Adding new file permissions to a group of users
CACLS myfile.txt /E /G "Power Users":F

If we now grant Read permissions to the same group they will still have FULL control
CACLS myfile.txt /E /G "Power Users":R

This command will replace the first ACL granted and allow only Read access:
CACLS myfile.txt /E /P "Power Users":R

"Whether a pretty woman grants or withholds her favours, she always likes to be asked for them" - Ovid (Ars Amatoria)

Related Commands:

ATTRIB - Display or change file attributes
PERMS - Show permissions for a user
FIXACLS - Restore default privs (Resource Kit supplement 2)
FSUTIL - File System Options
SHOWACL - Show file Access Control Lists (Windows 2000)
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders

Q237701 - Cacls cannot apply security to root
Q268546 - Permissions on Folder are incorrectly ordered
Q245031 - Change registry permissions with REGINI
NT Permissions explained

Still need more - see SuperCACLS

Equivalent Linux BASH commands:

chmod - Change access permissions
chown - Change file owner and group