chacl

change the access control list on 8.1/2012R2/10/2016/2019/11/2022 objects 

Command

SYNOPSIS

chacl [-t [fsprlkw]] [-DfiRu] [-d ace-list] [-g ace-list] [-x user-list] object...

chacl [-DfR] [-t [fsprlkw]] -n object...

DESCRIPTION

The chacl command changes Access Control Entries (ACEs) in the Access Control List (ACLs) on files or directories, and various other 8.1/2012R2/10/2016/2019/11/2022 objects. user-list and ace-list are comma delimited lists that specify the attribute to be changed by chacl.

The syntax for each ACE is: 

user:permissions[:inheritance]

An ace-list is a set of these items, delimited by commas. The user portion of an ACE can be either a user name or a SID (security identifier) number. For example 

chacl -g S-1-5-5-0-12345:f file1

If user consists of S-1- followed by a set of numbers separated by dashes, chacl treats it as a SID; otherwise, it is treated as a user name. For example, chacl considers S-1-5-5-0x a user name because the x does not fit the format of a SID. Each permission, or inheritance is a set of the abbreviations described in the explanation of the -t option, delimited by spaces.

Options

-d ace-list 

denies permissions for all entries on the ace-list.

-D 

deletes all ACEs before starting. This option leaves the objects unprotected, with no rights, and access allowed for all users, unless further options change the the ACE from NULL.

-f 

does not issue warning messages when errors are encountered.

-g ace-list 

grants permissions for all entries specified in ace-list.

-i 

adds the inherited ACEs from the parent to the ACL when these ACEs are not already present.

Note:

This option is only vaild on Windows 2000 and later operating systems.

-n 

sets the ACL on the objects to NULL. This options leaves the object unprotected, with rights, and access allowed for all users. The -n option is mutually exclusive with all the other chacl ACE options (-D, -d, -g, and -x).

-R 

operates recursively through subdirectories. This option currently works only with the -t f option.

-t [fklprsw] 

specifies the type. chacl accepts the following types: 

f       file
k       kernel object
l       lmshare
p       printer
r       registry key
s       service
w       windowstation/desktop object
-u 

disables parental inheritance for ACEs. This only applies to those ACEs that inherit from the parent and those ACEs are not removed from the ACL. You must specify this option when one of these ACEs is to be changed or removed.

Note:

This option is only vaild on Windows 2000 and later operating systems.

-x user-list 

deletes any ACE entries for the users given.

Permissions

Valid ACE permissions with chacl are: 

r	FILE_READ_DATA
w	FILE_WRITE_DATA
x	FILE_EXECUTE
a	FILE_APPEND_DATA
dc	FILE_DELETE_CHILD
re	FILE_READ_ATTRIBUTES
we	FILE_WRITE_ATTRIBUTES
ra	FILE_READ_EA
wa	FILE_WRITE_EA
d	DELETE
rc	READ_CONTROL
wd	WRITE_DAC
wo	WRITE_OWNER
o	WRITE_OWNER
s	SYNCHRONIZE
f	FILE_ALL_ACCESS

Valid inheritance permissions are: 

cia	CONTAINER_INHERIT_ACE
ioa	INHERIT_ONLY_ACE
oia	OBJECT_INHERIT_ACE
npia	NO_PROPAGATE_INHERIT_ACE
scoi	SUB_CONTAINERS_ONLY_INHERIT
sooi	SUB_OBJECTS_ONLY_INHERIT
scai	SUB_CONTAINERS_AND_OBJECTS_INHERIT
faaf	FAILED_ACCESS_ACE_FLAG
saaf	SUCCESSFUL_ACCESS_ACE_FLAG

For a full description of the meanings of these various inheritance and permissions bits, see your 8.1/2012R2/10/2016/2019/11/2022 documentation.

Each permission must be separated by a space on the command line. Permissions may also be specified as a number that explicitly defines the entire bitmap for that permission (for example, 0x4000).

Registry Key Names

The registry key names that you can specify with the -t r option differ from those used by the registry command and by regedt32: 

Registry Name		chacl Name
HKEY_CLASSES_ROOT		CLASSES_ROOT
HKEY_CURRENT_USER		CURRENT_USER
HKEY_USERS		USERS
HKEY_LOCAL_MACHINE	MACHINE
HKEY_CURRENT_CONFIG	CONFIG

EXAMPLES

The command 

chacl -x alex -g 'system:r w x,terry:f' -d robin:f file2

deletes any ACE for alex, adds an allow-ACE for system with read/write/execute permissions, adds an allow-ACE for terry with full access, and adds a deny-ACE for robin with full denial.

The command 

chacl -g 'terry:f:cia oia' file3

adds an allow-ACE for terry with full access, and sets the CONTAINER-INHERIT-ACE and OBJECT-INHERIT-ACE bits.

The command 

chacl -t r -D -g alex:f 'CLASSES_ROOT\.xyz'

grants full permissions to the registry key HKEY_CLASSES_ROOT\.xyz for alex. Since the -D option was given as well, the ACL contains exactly one ACE, the one given on this command.

DIAGNOSTICS

Possible exit status values are:

0 

Successful completion.

>0 

An error occurred.

PORTABILITY

Windows 8.1. Windows Server 2012 R2. Windows 10. Windows Server 2016. Windows Server 2019. Windows 11. Windows Server 2022.

AVAILABILITY

PTC MKS Toolkit for Power Users
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition

SEE ALSO

Commands:
lsacl, registry

PTC MKS Toolkit 10.4 Documentation Build 39.