Manage user access rights from command line

If you are an administrator, you might want to change user permissions like read, read-write or full permission on a file or folder. You can manage user access rights through command line in Windows XP. The command line is cacls :

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]][/P user:perm [...]] [/D user [...]]filename      Displays ACLs./T            Changes ACLs of specified files inthe current directory and all subdirectories./E            Edit ACL instead of replacing it./C            Continue on access denied errors./G user:perm  Grant specified user access rights.Perm can be: R  ReadW  WriteC  Change (write)F  Full control/R user       Revoke specified user's access rights (only valid with /E)./P user:perm  Replace specified user's access rights.Perm can be: N  NoneR  ReadW  WriteC  Change (write)F  Full control/D user       Deny specified user access.Wildcards can be used to specify more that one file in a command.You can specify more than one user in a command.

Granting access to a user

Suppose you want to give full access to a user trisha of a folder C:Wamp, then give the following command :

cacls /E /G trisha:F C:Wamp

If you want to give access to all the subfolders too, then append the switch /T as shown :

cacls /E /T /G trisha:F C:Wamp

If you want to give only Read, Write or Change access then modify the command line by changing F in trisha:F with R, W or C respectively. A full access includes all these access and ability to delete the files or folders. This should be used if a user does not have any access rights on a file or folder previously. If you do not specify the /E switch then the previous rights are wiped (of all users) and new rights are created, so keep in mind to use the /E switch.

Denying a user’s access

If you want to deny a user trisha‘s access to a particular file or folder (say C:Wamp) then give the following command :

cacls /E /D trisha C:Wamp

This would deny all kinds of access to that user for that folder or file.

Revoking a user’s access

If you want to revoke a user trisha‘s access to a particular file or folder (say C:Wamp) then give the following command :

cacls /E /R trisha /E C:Wamp

This would revoke all the access rights given previously to that user for that folder or file. The difference between revoking and denying is that revoking clears all rights (including deny to access) while denying sets the access rights so that all access to that folder or file is denied.

Modifying access rights

If a user already have some sorts of access rights on a file and folder then you can use the /P switch to modify the rights. The rest of the command works exactly as using the /G switch.

You can use the group names in place of a user name like Administrators, Users, Authenticated Users, System and Everyone etc. If you use Administrators then it affects the rights of all the Administrators of the system. Similarly, Users affects all the non-administrator users. The group name Everyone affects everyone (all kinds of users including administrators and guest account). The group name System makes changes to the access right of Windows.

If a username contains space, then enclose it in inverted commas like this : “Authenticated Users”.

Only an administrator who has ownership of a file or folder can use this command to modify the access rights. In case, you do not have ownership of a folder or file then you might get an Access Denied error when issuing a command. You can append the /C switch to keep continuing when such errors are encountered, especially when working a folder and all subfolders.