Category Archives: xcacls syntax

XCACLS Command line syntax

Xcacls.exe syntax

xcaclsfile name [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec […]] [/D user […]] [/Y]
wherefile name indicates the name of the file or folder to which the ACL or access control entry (ACE) is typically applied. All standard wildcard characters can be used.

/T recursively walks through the current folder and all of its subfolders, applying the chosen access rights to the matching files or folders.

/E edits the ACL instead of replacing it. For example, only the administrator will have access to the Test.dat file if you run the XCACLS test.dat /G Administrator:F command. All ACEs applied earlier are lost.

/C causes Xcacls.exe to continue if an “access denied” error message occurs. If /C is not specified, Xcacls.exe stops on this error.

/G user:perm;spec grants a user access to the matching file or folder.
·      Theperm (permission) variable applies the specified access right to files and represents the special file-access-right mask for folders. The permvariable accepts the following values:
o      R Read
o      C Change (write)
o      F Full Control
o      P Change Permissions (special access)
o      O Take Ownership (special access)
o      X EXecute (special access)
o      E REad (Special access)
o      W Write (Special access)
o      D Delete (Special access)
·      Thespec (special access) variable applies only to folders and accepts the same values as perm, with the addition of the following special value:
o      T Not Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between a semicolon (;) and T are ignored.

§      The access options for files (for folders, special file and folder access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation.
§      All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Because of this, there are no special options for folder access rights, such as LIST or READ.

/R user revokes all access rights for the specified user.

/P user:perm;spec replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See the “Xcacls.exe examples” section.

/D user denies user access to the file or directory.

/Y disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that Xcacls.exe can be used in batch mode.