Cacls
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Cacls".

cacls (Change Access Control Lists) is a command-line utility for Microsoft Windows that changes Access Control List (ACL) permissions on a directory, its subcontents, or files. An access control list is a list of permissions for a securable object, such as a file or directory, that controls who can access it.

Criticism

The cacls utility is considered an underpowered editor of permissions in Windows 2000 and later, lacking the ability to edit many of the specific settings available, such as inherited ACEs. Microsoft has responded with newer utilities such as xcacls.exe, xcacls.vbs, fileacl and icacls (Windows Vista), all of which offer improvements, but are still considered underpowered and, in some cases, potentially disruptive [citation needed]. Others, such as the SetACL team, have produced their own command-line and scriptable permissions editors.

The documentation of a third-party free open-source replacement for cacls hosted on SourceForge, known as SetACL, suggests that cacls was invented for Windows NT 4.0 and is not suitable for use in Windows 2000 or later [1]. Specifically, it notes that ACL inheritance was added in Windows 2000, but that neither the cacls utility nor the xcacls utility later released by Microsoft was properly updated to support it. The document expresses the opinion that Microsoft should have removed the utility from Windows 2000 rather than leave it in, only to have unwitting users internally disrupt a volume's security descriptors (by incorrectly ordering ACEs) in a way that is difficult to detect or recover from.

This project's documentation explains that using the built-in cacls to apply permissions to a tree of folders creates a copy of the ACL for every single file and folder and applies it individually, which was correct under Windows NT 4.0, but which is disruptive in Windows 2000 and later, where the expected behavior is to create a single ACL marked as "inheritable" so future changes propagate automatically.

ICACLS

Windows Server 2003 Service Pack 2, Windows Vista and Windows Server 2008 include icacls, an updated partial replacement for cacls. icacls is designed not only to display and modify ACLs, but also to back up and restore discretionary ACLs for files and directories. However, it is not a complete replacement for cacls; for example, it cannot be used to hand-code a Security Descriptor Definition Language (SDDL) string.

The icacls command-line utility can also show and set the mandatory labels of an object for interaction with Windows Integrity Control (WIC). This is most noticeable in Internet Explorer Protected Mode, which automatically assigns Low integrity to Internet objects to protect the operating system from malicious web content in the browser.

Examples

icacls c:\windows\* /save AclFile /T

- Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile

- Will restore the ACLs for every file within AclFile that exists in c:\windows and its subdirectories.

icacls file /grant Administrator:(D,WDAC)

- Will grant the user Administrator Delete and Write DAC permissions to file

icacls file /grant *S-1-1-0:(D,WDAC)

- Will grant the user (or security group) defined by SID S-1-1-0 Delete and Write DAC permissions to file

icacls c:\windows\explorer.exe

- View the discretionary access list and integrity level

icacls file /setintegritylevel H

- Modify mandatory integrity level of an object to High
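
An added example, not part of the original article or of any Microsoft or SetACL tooling: a Python check over a file produced by the /save example above, flagging the two problems the Criticism section attributes to cacls, namely mis-ordered ACEs and per-object ACL copies that carry no inherited entries. It assumes the save file alternates a path line with that object's DACL in SDDL form and that the first entry is the tree root; the sample data is constructed.

```python
import re

# Constructed sample in the layout assumed for an `icacls /save` file: path line, then SDDL line.
SAMPLE = """\
data
D:AI(A;OICI;FA;;;BA)(A;OICIID;FA;;;SY)
data\\report.txt
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)
data\\legacy.txt
D:(A;;FA;;;BA)(A;;0x1200a9;;;BU)
data\\broken.txt
D:AI(A;ID;FA;;;SY)(D;;FA;;;BU)(A;;FR;;;WD)
"""

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_dacl(sddl):
    """Return (dacl_flags, [(type, inherited, rights, trustee), ...])."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return "", []
    aces = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(m.group(2)):
        tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, "ID" in tokens, rights, trustee))  # ID = inherited
    return m.group(1), aces

def audit(save_text):
    """Map each saved path to a list of findings about its DACL."""
    lines = [ln for ln in save_text.splitlines() if ln.strip()]
    report = {}
    for i, (path, sddl) in enumerate(zip(lines[0::2], lines[1::2])):
        _, aces = parse_dacl(sddl)
        findings, seen_inherited, seen_allow = [], False, False
        for ace_type, inherited, _, _ in aces:
            if inherited:
                seen_inherited = True
                continue  # inherited ACEs are grouped per ancestor; not order-checked
            # Canonical order: explicit before inherited, explicit deny before allow.
            if seen_inherited or (ace_type in ("D", "OD") and seen_allow):
                findings.append("non-canonical ACE order")
                break
            seen_allow = seen_allow or ace_type in ("A", "OA")
        # Below the root entry, a DACL with no inherited ACE is a per-object copy.
        if i > 0 and aces and not any(a[1] for a in aces):
            findings.append("no inherited ACEs (per-object copy)")
        report[path] = findings
    return report
```

Calling audit(SAMPLE) returns an empty finding list for data and data\report.txt, and one finding each for data\legacy.txt and data\broken.txt.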

References

  1. SetACL documentation

© jGames.co.uk 2007 (some content from Wikipedia under GDL)