XCACLS.exe (NT 4 Resource Kit, Windows XP and 2003)

Display or modify Access Control Lists (ACLs) for files and folders.

For Vista and greater use icacls or SetObjectSecurity.

      XCACLS filename [options]

      XCACLS filename
Key If no options are specified XCACLS will display the ACLs for the file(s) options can be any combination of: /T Traverse all subfolders and change all matching files found.
/E Edit ACL instead of replacing it. /x Edit ACL instead of replacing it; affect only ACEs that this user already owns /R user Revoke all access rights from the given user. /D user Deny specified user access, this will over-ride all other permissions the user has. /C Continue on access denied errors. /Y Replace user's rights without verify /P user:permision[;FolderSpec] Replace user's rights. see /G option below /G user:permision[;FolderSpec] Grant specified user access rights, permision can be: r Read c Change (write) f Full control p Change Permissions (Special access) o Take Ownership (Special access) x EXecute (Special access) e REad (Special access) w Write (Special access) d Delete (Special access) t Used only by FolderSpec. see below

FolderSpec is a permission applied to a folder. If FolderSpec is not specified then permission will apply to both files and folders.
This allows you to set different permissions that will apply (through inheritance) when new files are added to the folder.

FolderSpec = ;T@ where @ is one of the rights above, when this is specified new files will inherit FolderSpec instead of permission. At least one folder access right must follow the T For example ;TF will apply full control (but ;FT is not valid).

If the file/folder is currently open (locked) it may not be possible to change the permissions without first closing the file locks. This can be done in Computer Management ➞ Shared Folders ➞ Open files.

Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command. You can combine access rights.

Although taking ownership is listed as an option it does not work, use SUBINACL for this.

Inheritance Errors

"Permissions incorrectly ordered" - the quickest way to resolve or avoid these errors is to use the newer iCACLS command instead of XCACLS.

Inherited folder permissions are displayed as:

 OI - Object inherit    - This folder and files. (no inheritance to subfolders)
 CI - Container inherit - This folder and subfolders.
 IO - Inherit only      - The ACE does not apply to the current file/directory

These can be combined as follows:
 (OI)(CI)      This folder, subfolders, and files.
 (OI)(CI)(IO)  Subfolders and files only.
     (CI)(IO)  Subfolders only.
 (OI)    (IO)  Files only. 

So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Fullcontrol)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)

When xcacls is applied to the current folder only there is no inheritance and so no output.

By default, an object will inherit permissions from its parent object, either at the time of creation or when it is copied or moved. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained. In controlled environments this ensures that users cannot change file permissions by just moving items to a different folder. This behaviour can be disabled by setting a system-wide registry key, see Q310316.

NTFS permissions have changed with different versions of Windows and XCACLS has been updated to suit.


Allow guests the right to read and execute in "C:\demo\reports"
XCACLS "C:\demo\reports" /E /G guests:rx

Allow guests the Full Control permission in "C:\demo\reports" and all subfolders
XCACLS "C:\demo\reports" /T /E /G guests:f

Grant guests only read access to all files in and below "C:\demo\reports",
new folders created will be Read Access only, new files will not inherit any rights.
XCACLS "C:\demo\reports" /T /P guests:R;Tr

Grant guests only execute access to all files in and below "C:\demo\reports"
XCACLS "C:\demo\reports" /T /P guests:x

“I spent most of the eighties, most of my life, riding around in somebody else's car, in possession of, or ingested of, something illegal, on my way from something illegal to something illegal with many illegal things happening all around me” - Iggy Pop

Related commands

ATTRIB - Display or change file attributes.
CACLS - Change file and folder permissions (ACLs).
iCACLS - Change file and folder permissions (ACLs).
SUBINACL - Edit file and folder Permissions, Ownership and/or Domain.
DIR /Q - Display the owner for a list of files (try it for Program files).
AccessEnum - SysInternals utility to browse a tree view of user privileges.
NTRIGHTS - Edit user account rights.
PERMS - Show permissions for a user.
SetObjectSecurity - Set security for an object (file, directory, reg key etc).
SUBINACL - Change an ACL's user/domain.
TAKEOWN - Take ownership of files.
How-to: Permissions & Local/Global Workgroups
Permissions explained - Microsoft.com
Access-based Enumeration - Set file listing to only display files you can read.
Q822790 - Xcacls /E - Objects do not inherit permissions as expected.
SetAcl - ACL utility from Helge Klein.
PowerShell: Set-Acl - Set permissions.
Equivalent bash command (Linux): chmod - Change access permissions, chown - Change file owner and group.

Copyright © 1999-2024 SS64.com
Some rights reserved