CACLS.exe

Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.

Syntax
      CACLS pathname [options]

Key
   options can be any combination of:

   /T Search the pathname including all subfolders. 
   /E Edit ACL (leave existing rights unchanged)
   /C Continue on access denied errors. 

   /G user:permission
      Grant access rights, permision can be: 
         R Read 
         W Write
         C Change (read/write) 
         F Full control 

   /R user
      Revoke specified user's access rights (only valid with /E). 

   /P user:permission   
      Replace access rights, permission can be: 
         N None
         R Read
         W Write
         C Change (read/write) 
         F Full control 

   /D user
      Deny access to user. 

   In all the options above "user" can be a UserName 
   or a Workgroup (either local or global)

   If a UserName or WGname includes spaces then it must 
   be surrounded with quotes e.g. "Authenticated Users"

   If no options are specified CACLS will display the ACLs for the file(s)

Other features to try

Wildcards can be used to specify multiple files.
You can specify more than one user:permission in a single command.
The /D option will deny access to a user even if they belong to a group that does have access.

Using CACLS

• The CACLS command does not provide a /Y switch to automatically answer 'Y' to the Y/N prompt. However, you can pipe the 'Y' character into the CACLS command using ECHO, use the following syntax:
  
  ECHO Y| CACLS /g <username>:<permission>
  
• To edit a file you must have the "Change" ACL (or be the file's owner)
  
• To use the CACLS command and change an ACL requires "FULL Control"
  
• File "Ownership" will always override all ACL's - you always have Full Control over files that you create.
  
• If CACLS is used without the /E switch all existing rights on [pathname] will be replaced, any attempt to use the /E switch to change a [user:permission] that already exists will raise an error. To be sure the CALCS command will work without errors use /E /R to remove ACL rights for the user concerned, then use /E to add the desired rights.
  
• The /T option will only traverse subfolders below the current directory.
  
• Windows NT 4.0 does not support the Grant Write option (CACLS <Folder> /G <UserName>:W) grant the Change permission instead.

If no options are specified CACLS will display the current ACLs
e.g. To display the current folder
CACLS .
Display permissions for one file
CACLS MyFile.txt
Display permissions for multiple files
CACLS *.txt

Inherited folder permissions are displayed as follows:

  OI	        This folder and files. (nO Inheritance to subfolders)
      CI	    This folder and subfolders. (Cascade Inherititance)
          IO	Inherit Only (Do not apply this ACE to the current folder)
 No output     This folder only.
 (IO)(CI)	    This folder, subfolders, and files.
 (OI)(CI)(IO)	Subfolders and files only.
     (CI)(IO)  Subfolders only.
 (OI)    (IO)	Files only. 

Examples:

Adding new file permissions to a group of users
CACLS myfile.txt /E /G "Power Users":F

If we now grant Read permissions to the same group they will still have FULL control
CACLS myfile.txt /E /G "Power Users":R

This command will replace the first ACL granted and allow only Read access:
CACLS myfile.txt /E /P "Power Users":R

"Whether a pretty woman grants or withholds her favours, she always likes to be asked for them" - Ovid (Ars Amatoria)

Related Commands:

ATTRIB - Display or change file attributes
PERMS - Show permissions for a user
FIXACLS - Restore default privs (Resource Kit supplement 2)
FSUTIL - File System Options
SHOWACL - Show file Access Control Lists (Windows 2000)
TAKEOWN - Take ownership of shares
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders

Q237701 - Cacls cannot apply security to root
Q834721 - Permissions on Folder are incorrectly ordered
Q135268 - Permissions on Folder are incorrectly
Q245031 - Error when using the | pipe symbol
NT Permissions explained

Still need more - see SuperCACLS

Equivalent Linux BASH commands:

chmod - Change access permissions
chown - Change file owner and group