
Setting Permissions from a Command Prompt

Cacls.exe, a command-line utility available in both Windows XP Professional and Home Edition, provides another way to view and edit permissions. With Cacls (short for Control ACLs), you can view existing permissions by typing cacls filename at a command prompt, replacing filename with the name of the file or folder you're interested in (wildcards are acceptable as well). The resulting list of permissions is terse, to say the least. Next to each user account name, Cacls displays a single letter for any of three standard permission settings: F for Full Control, C for Change, and R for Read. Any other combination of settings from the Security tab or the Advanced Security Settings dialog box generates output only a programmer could love.

Cacls is useful for quickly finding the permissions for an object, particularly if you're already working in a command prompt window. As an administrator, especially when working with Windows XP Home Edition, it's an indispensable part of your toolkit.

Tip: Get a more powerful permission tool
If you like Cacls, you'll love Xcacls. As the name suggests, it's an extended version of the basic utility included with Windows 2000 and Windows XP. This utility is included in the Support Tools collection found on the Windows XP CD in \Support\Tools\Support.cab.

You can also set permissions with Cacls. In fact, in Windows XP Home Edition, using this utility is the only way to adjust individual permissions without restarting in Safe Mode. Use the switches listed in the table below to modify the effects of Cacls.

Command-Line Switches for Cacls.exe
Switch	What It Does
/T	Changes permissions of specified files in the current directory and all subdirectories
/E	Edits access control list instead of replacing it
/C	Continues on "access denied" errors
/G user:perm	Grants specified user access rights; if used without /E, completely replaces existing permissions
/R user	Revokes specified user's access rights (must be used with /E)
/P user:perm	Replaces specified user's access rights
/D user	Denies access to specified user

In conjunction with the /G and /P switches, use one of the following four letters where indicated by the perm placeholder:

  • F (for full control) is equivalent to selecting the Allow box next to the Full Control entry on the Security tab.
  • C (for change) is equivalent to selecting the Allow box next to the Modify entry.
  • R (for read) is equivalent to selecting the Allow box next to the Read & Execute entry.
  • W (for write) is equivalent to selecting the Allow box next to the Write entry.

Note that wildcards can be used to specify more than one file in a command and that you can specify more than one user in a command. For instance, if you've created a subfolder called Archives in the Shared Documents folder and you want Myle to have Full Control permissions and Jack to have Read permissions in that folder, open a command prompt window, navigate to the Shared Documents folder, and type the following command:

cacls archives /g myle:f jack:r

If you then decide that you want to revoke Jack's access rights and give Read permissions to the Administrators group, type this command:

cacls archives /e /r jack /g administrators:r

Caution: Just because you can set permissions with Cacls doesn't mean that you should. It's easy to make a mistake that causes you to lose existing permissions on a file. If you're using Windows XP Professional, there's no reason to use Cacls to set permissions. If you're using Windows XP Home Edition, try the Cacls command on a test folder first and make sure that your settings have the desired effect before you use this command on your actual working files.
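The test-folder rehearsal the Caution recommends, written as a batch file. This is an added example, not part of the original page; it contrasts /G with and without /E so the loss of existing entries is visible before any real files are touched. The folder and file names are made up for the example, and the built-in Users group stands in for an account such as jack.

```batch
@echo off
rem Added example: rehearse Cacls changes on a scratch folder first.
rem Assumptions: the folder and file names below are made up for this example,
rem and the built-in Users group stands in for an account such as jack.
setlocal
set TESTDIR=%TEMP%\cacls-test
set BEFORE=%TEMP%\cacls-before.txt
set AFTER=%TEMP%\cacls-after.txt
if not exist "%TESTDIR%" mkdir "%TESTDIR%"

rem Record the starting permissions so later listings can be compared to them.
cacls "%TESTDIR%" > "%BEFORE%"
echo --- Starting permissions
type "%BEFORE%"

rem With /E the existing entries stay and Users:R is added to them.
cacls "%TESTDIR%" /e /g users:r
echo --- After /E /G users:r
cacls "%TESTDIR%"

rem Without /E the whole list is replaced by the one entry given here.
rem Cacls asks "Are you sure (Y/N)?" before replacing, so the answer is piped in.
rem The current user is granted F so the folder can still be removed afterwards.
echo y| cacls "%TESTDIR%" /g "%USERNAME%":f
cacls "%TESTDIR%" > "%AFTER%"
echo --- After /G %USERNAME%:f without /E
type "%AFTER%"

rem Show which entries were lost by the replace.
fc "%BEFORE%" "%AFTER%"

rem Clean up the scratch folder and listings.
rmdir /s /q "%TESTDIR%"
del "%BEFORE%" "%AFTER%"
endlocal
```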
