SYNOPSIS
chacl
[
chacl
[
DESCRIPTION
The chacl command changes Access Control Entries (ACEs) in the Access Control Lists (ACLs) on files or directories, and various other Windows 10/2016/2019/11/2022/2025 objects. user-list and ace-list are comma-delimited lists that specify the attribute to be changed by chacl.
The syntax for each ACE is:
user:permissions[:inheritance]
An ace-list is a set of these items, delimited by commas. The user portion of an ACE can be either a user name or a SID (security identifier) number. For example:
chacl -g S-1-5-5-0-12345:f file1
If user consists of S-1- followed by a set of
numbers separated by dashes, chacl treats it as a SID;
otherwise, it is treated as a user name.
For example, chacl considers S-1-5-5-0x
a user name because the x does not fit the format of a SID.
Each permission or inheritance is a set of the abbreviations described in
the explanation of the
Options
-d ace-list
denies permissions for all entries on the ace-list.
-D
deletes all ACEs before starting. This option leaves the objects unprotected, with no rights, and access allowed for all users, unless further options change the ACE from NULL.
-f
does not issue warning messages when errors are encountered.
-g ace-list
grants permissions for all entries specified in ace-list.
-i
adds the inherited ACEs from the parent to the ACL when these ACEs are not already present.
Note: This option is only valid on Windows 2000 and later operating systems.
-n
sets the ACL on the objects to NULL. This option leaves the object unprotected, with rights, and access allowed for all users. The -n option is mutually exclusive with all the other chacl ACE options (-D, -d, -g, and -x).
-R
operates recursively through subdirectories. This option currently works only with the -t f option.
-t [fklprsw]
specifies the type. chacl accepts the following types:
  f    file
  k    kernel object
  l    lmshare
  p    printer
  r    registry key
  s    service
  w    windowstation/desktop object
-u
disables parental inheritance for ACEs. This only applies to those ACEs that inherit from the parent, and those ACEs are not removed from the ACL. You must specify this option when one of these ACEs is to be changed or removed.
Note: This option is only valid on Windows 2000 and later operating systems.
-x user-list
deletes any ACE entries for the users given.
Permissions
Valid ACE permissions with chacl are:
  r     FILE_READ_DATA
  w     FILE_WRITE_DATA
  x     FILE_EXECUTE
  a     FILE_APPEND_DATA
  dc    FILE_DELETE_CHILD
  re    FILE_READ_ATTRIBUTES
  we    FILE_WRITE_ATTRIBUTES
  ra    FILE_READ_EA
  wa    FILE_WRITE_EA
  d     DELETE
  rc    READ_CONTROL
  wd    WRITE_DAC
  wo    WRITE_OWNER
  o     WRITE_OWNER
  s     SYNCHRONIZE
  f     FILE_ALL_ACCESS
Valid inheritance permissions are:
  cia     CONTAINER_INHERIT_ACE
  ioa     INHERIT_ONLY_ACE
  oia     OBJECT_INHERIT_ACE
  npia    NO_PROPAGATE_INHERIT_ACE
  scoi    SUB_CONTAINERS_ONLY_INHERIT
  sooi    SUB_OBJECTS_ONLY_INHERIT
  scai    SUB_CONTAINERS_AND_OBJECTS_INHERIT
  faaf    FAILED_ACCESS_ACE_FLAG
  saaf    SUCCESSFUL_ACCESS_ACE_FLAG
For a full description of the meanings of these various inheritance and permissions bits, see your Windows 10/2016/2019/11/2022/2025 documentation.
Each permission must be separated by a space on the command line. Permissions may also be specified as a number that explicitly defines the entire bitmap for that permission (for example, 0x4000).
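The ACE syntax, SID rule and abbreviation tables described above, as an added Python example (not part of the MKS Toolkit documentation or of chacl itself): it parses an ace-list so the resulting rights can be reviewed before the command is run. The function names are hypothetical, and accepting only the 0x form for numeric bitmaps is an assumption based on the page's single 0x4000 example.

```python
import re

# Abbreviation tables copied from the Permissions section of this page.
PERMS = {
    "r": "FILE_READ_DATA", "w": "FILE_WRITE_DATA", "x": "FILE_EXECUTE",
    "a": "FILE_APPEND_DATA", "dc": "FILE_DELETE_CHILD",
    "re": "FILE_READ_ATTRIBUTES", "we": "FILE_WRITE_ATTRIBUTES",
    "ra": "FILE_READ_EA", "wa": "FILE_WRITE_EA", "d": "DELETE",
    "rc": "READ_CONTROL", "wd": "WRITE_DAC", "wo": "WRITE_OWNER",
    "o": "WRITE_OWNER", "s": "SYNCHRONIZE", "f": "FILE_ALL_ACCESS",
}
INHERIT = {
    "cia": "CONTAINER_INHERIT_ACE", "ioa": "INHERIT_ONLY_ACE",
    "oia": "OBJECT_INHERIT_ACE", "npia": "NO_PROPAGATE_INHERIT_ACE",
    "scoi": "SUB_CONTAINERS_ONLY_INHERIT", "sooi": "SUB_OBJECTS_ONLY_INHERIT",
    "scai": "SUB_CONTAINERS_AND_OBJECTS_INHERIT",
    "faaf": "FAILED_ACCESS_ACE_FLAG", "saaf": "SUCCESSFUL_ACCESS_ACE_FLAG",
}
# "S-1-" followed by numbers separated by dashes; anything else is a user name.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)*")

def _expand(field, table, numeric=False):
    """Expand space-separated abbreviations into the constant names above."""
    out = []
    for tok in field.split():
        if tok in table:
            out.append(table[tok])
        elif numeric and re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
            out.append(hex(int(tok, 16)))  # explicit bitmap (assumed 0x form)
        else:
            raise ValueError(f"unknown abbreviation: {tok!r}")
    return out

def parse_ace_list(ace_list):
    """Parse 'user:permissions[:inheritance],...' into a list of dicts."""
    aces = []
    for item in ace_list.split(","):
        parts = item.strip().split(":")
        if len(parts) not in (2, 3) or not parts[0] or not parts[1].strip():
            raise ValueError(f"malformed ACE: {item!r}")
        aces.append({
            "user": parts[0],
            "kind": "sid" if SID_RE.fullmatch(parts[0]) else "name",
            "permissions": _expand(parts[1], PERMS, numeric=True),
            "inheritance": _expand(parts[2], INHERIT) if len(parts) == 3 else [],
        })
    return aces

if __name__ == "__main__":  # constructed input modelled on the page's examples
    print(*parse_ace_list("terry:f:cia oia,S-1-5-5-0x:0x4000"), sep="\n")
```

An entry such as wd, wo or f in the output marks an ACE that lets its holder rewrite the ACL or take ownership, which is the part of an ace-list most worth a second look.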
Registry Key Names
The registry key names that you can specify with the
  Registry Name          chacl Name
  HKEY_CLASSES_ROOT      CLASSES_ROOT
  HKEY_CURRENT_USER      CURRENT_USER
  HKEY_USERS             USERS
  HKEY_LOCAL_MACHINE     MACHINE
  HKEY_CURRENT_CONFIG    CONFIG
EXAMPLES
The command
chacl -x alex -g 'system:r w x,terry:f' -d robin:f file2
deletes any ACE for alex, adds an allow-ACE for system with read/write/execute permissions, adds an allow-ACE for terry with full access, and adds a deny-ACE for robin with full denial.
The command
chacl -g 'terry:f:cia oia' file3
adds an allow-ACE for terry with full access, and sets the CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE bits.
The command
chacl -t r -D -g alex:f 'CLASSES_ROOT\.xyz'
grants full permissions to the registry key
HKEY_CLASSES_ROOT\.xyz for alex.
Since the
DIAGNOSTICS
Possible exit status values are:
PORTABILITY
Windows 10. Windows Server 2016. Windows Server 2019. Windows 11. Windows Server 2022. Windows Server 2025.
AVAILABILITY
PTC MKS Toolkit for Power Users
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition
SEE ALSO
PTC MKS Toolkit 10.5 Documentation Build 40.