Cacls

cacls and icacls are Microsoft Windows native command line utility capable of displaying and modifying Access Control List (ACL) on folders and files. An Access Control List is a list of permissions for securable object, such as a file or folder, that controls who can access it.

CACLS

This section requires expansion with: general description, examples and additional citations.

Criticism

This section contains weasel words, vague phrasing that often accompanies biased or unverifiable information. Such statements should be clarified or removed. (September 2009)

The cacls utility is considered^{[by whom?]} an underpowered editor of permissions in Windows 2000 and later, lacking the ability to edit many^[which?] of the specific settings available such as inherited ACEs. Microsoft has responded with newer utilities as

• xcacls.exe,
• xcacls.vbs,
• fileacl and
• icacls (Windows Vista),

all of which offer improvements, but are still considered^{[by whom?]} underpowered and in some^[which?] case, potentially disruptive.^{[citation needed]}

SetACL-project

Others, such as the SetACL team, have produced their own command-line and scriptable permissions editors.

The documentation of a third-party free open-source replacement for cacls hosted on SourceForge, known as SetACL, suggests that cacls was invented for Windows NT 4.0 and is not suitable for use in Windows 2000 or later ^[1]. Specifically, it notes that ACL inheritance was added in Windows 2000, but that neither the cacls utility nor the xcacls utility later released by Microsoft was properly updated to support it. The document expresses the opinion that Microsoft should have removed the utility from Windows 2000 rather than leave it in, only to have unwitting users internally disrupt a volume's security descriptors (by incorrectly ordering ACEs) in a way that's difficult to detect or recover from.^{[cite this quote]}

This project's documentation explains that using the built-in cacls to apply permissions to a tree of folders creates a copy of the ACL for every single file and folder and applies it individually, which was correct under Windows NT 4.0, but which is disruptive in Windows 2000 and later, where the expected behavior is to create a single ACL marked as "inheritable" so future changes propagate automatically.

ICACLS

Windows Server 2003 Service Pack 2, Windows Vista and Windows Server 2008 include icacls, a command-line utility that can display, modify, backup and restore ACLs for files and folders, as well as to set mandatory labels of Windows Integrity Control for them.

However, it is not a complete replacement for cacls. For example, it cannot be used to hand-code a Security Descriptor Definition Language (SDDL) string.^{[clarification needed]}

Examples

See also

• SetACL
• chmod

References

This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. Please improve this article by introducing more precise citations where appropriate. (February 2008)

1. ^ SetACL documentation

External links

• Microsoft links
  • Microsoft Windows XP Professional Product Documentation: "Cacls"
  • Microsoft Knowledgebase: "How to use Xcacls.exe to modify NTFS permissions"
  • Microsoft Knowledgebase: "How to use Xcacls.vbs to modify NTFS permissions"
  • Microsoft Technet: "Xcacls Overview"
  • MSDN Library: "DACLs and ACEs"
• SS64.com's description
• Computerhope.com's description
• SetACL documentation on SourceForge.
• Introduction to Windows Integrity Control
• ICACLS - ACLs Command line management: The Lazy Admin blog