cacls batch script needs to run for each file in the folder to change permissions

Posted on 2004-09-23
Last Modified: 2008-02-01
How can I write a script batch program to read all the file names in a directory and change the permissions using the CACLS command?

thanks in advance,

Question by:dprice7
  • 6
  • 5
LVL 67

Expert Comment

ID: 12133888
Just use the parent folder name instead:

CACLS C:\MyFolder /T /G Everyone:F
LVL 67

Accepted Solution

sirbounty earned 125 total points
ID: 12133910
You might also try it the slower way:

for %a in (*.*) do cacls %a /T /G Everyone:F

Author Comment

ID: 12156565

I need to make sure administrator is the owner of all files within this folder before I execute this command for each file

otherwise the permissions don't seem to change.

Can it be done within your loop?

thanks again,

LVL 67

Expert Comment

ID: 12163468
Can you provide a little more detail on your situation and what you're trying to accomplish?

Author Comment

ID: 12165602
Please allow me to elaborate a little..

The specific circumstance is I have a folder that is used to store completed documents in for all to read but none to change. First of all the user who creates these documents needs a way to transfer them into this folder.

Once that occurs I need to remove the change permissions from that user and anyone else who was carried over from the originating folder.

Hence the reason for this loop.
cd Quality
for %a in (*.*) do cacls %a /T /G "X\Domain Admins":F "X\Domain Users":R "X\QualityDocCtrl-Admin":R<yes.txt

I also tried to get around the issue of ownership by changin the owner on the top folder manusally and checking the box that says to do the same for subfolders.

This loop does not work in a batch program it errors out saying a problem with a.

suggestions for doing the loop and changing the owner are appreciated,

Does it make more sense now?


Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.


Author Comment

ID: 12207643
sir bounty,

Does your not responding mean you give up or are just busy right now?


LVL 67

Expert Comment

ID: 12209926
Sorry Don - been out of pocket for a while.
Sounds like by your last post, it still isn't resolved?  No need to accept until it is...
Let me see if I can assist further, just in case...

So, UserA creates a document and then needs to copy it into a folder that only users should have Read access to?

I don't think it's necessary to go about it this way.  Let's try this:

Preliminary steps:
a) Set QualityDocCtrl's share permissions to be Everyone/Full Control
b) Set QualityDocCtrl' Security/NTFS permissions to be Domain Users/Read (you will also probably have to set up special permissions (advanced) to allow 'change permissions' permission.

Now, in the process as you'd outlined above, if I understand correctly, this is what needs to occur:
a) UserA creates a QualityDoc
b) UserA should now run the script that resets the permissions to Domain Users\Write access
c) UserA should "Copy" the file to QualityDocCtrl
d) UserA should now run a script that resets the permissions back to Domain Users\Read Only
e) UserA deletes the original file

See, the way NTFS works is if you 'move' a file (which is essentially a copy/delete) - the permissions that were originally on the file when it was in the 'working' folder remain.
Thus, if UserA creates a document in FolderA (obviously he has write access to this folder), and he then moves it to FolderB - the file basically ignores any permission settings on FolderB and retains the original permissions.  The reasoning is the file itself isn't really 'moved'.  The only change that really occurs is NTFS's 'pointer' updates the location in its table where the file is now stored.

However, if UserA takes that same file from FolderA and Copies it to FolderB - well now, it inherits the permissions of FolderB, since it's a 'new' file that 'lives' in that folder.  Then, UserA just needs to delete the file from the original location (presumably, this isn't a problem in your situation).  I assume that it's been set up for a move to occur?

Anyway, hope this helps.  

I may check my email in the morning, but just so you're aware - I'm out of town until Wednesday late evening, so if you post again after tomorrow morning, it may be a while before I can respond.  Good luck!

Author Comment

ID: 12212957

thanks for not giving up on me. :)

I tried to have the owner manually copy different documents into the FolderB from various locations and each one kept their original permissions and owner.

That is why I wanted to let them copy everything to one location regardless of where it came from and then just change anything new in the directory to read only permissions for everyone or in this case change the existing permission on QualityDocCtrl_Admin to R(read) from C(change) .

Since it all needs to end up read only I thought of using the batch cacls to accomplish it.

But the other stumbling block seemed to be it wanted Admin to own the docs before the changes would work in the cacls command.

LVL 67

Expert Comment

ID: 12223255
More specifically Don, I believe it's requiring the 'change permissions' right that I mentioned before.

Can you provide a little more information on this/these NTFS volumes/partitions?
Is this move/copy occuring 'across' NTFS volumes or within the same volume?  That would make a difference, and I may have misguided you with the statement above, re-reading it.
A copy results in a 'new' file being created and it should inherit the destination permissions.
A move is dependent upon the partition condition: if it's on the same partition, the file retains its original permission, but if it's across partitions, it inherits the destination permissions.

Here's a link referencing NTFS special perms:
And another referencing move/copy permissions on NTFS:
Of course, a move or copy to FAT loses all permissions.

I have been meaning to test what you're trying to accomplish, but since I'm out of town, I'm unable to until I return to the office.  I hope that you find this information useful though.

Author Comment

ID: 12273297
The volume or partition would be the same in this case.

However, I would prefer not to place that restriction on the process.

We have certain people who author documents but once they are reviewed for correctness they need placed somewhere

for all the see but none to change and I don't want to do it manually only through a script that runs and checks the repository for files and automatically moves them to their new readable directory for all to see.
The original owners and permissions should no longer exist once they enter the new directory the owner should now be the administrator and everyone should be able to read the document.
LVL 67

Expert Comment

ID: 12285237
Don, the only other method that I can see to get this working is to have the administrator run the cacls script remotely.
In other words, you'll have to open the share for write permissions every time someone wants to copy a file there (scriptA) and then run another script after it's copied (scriptB)

@cacls \\server\share\folder /g everyone:W

@cacls \\server\share\folder /d everyone:W

It might be a pain to do so, but without getting into Advanced permissions, I see no other way...

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

FIPS stands for the Federal Information Processing Standardisation and FIPS 140-2 is a collection of standards that are generically associated with hardware and software cryptography. In most cases, people can refer to this as the method of encrypti…
Downtime reduced, data recovered by utilizing an Experts Exchange Business Account Challenge The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now