Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


cacls batch script needs to run for each file in the folder to change permissions

Posted on 2004-09-23
Medium Priority
Last Modified: 2008-02-01
How can I write a script batch program to read all the file names in a directory and change the permissions using the CACLS command?

thanks in advance,

Question by:dprice7
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
LVL 67

Expert Comment

ID: 12133888
Just use the parent folder name instead:

CACLS C:\MyFolder /T /G Everyone:F
LVL 67

Accepted Solution

sirbounty earned 375 total points
ID: 12133910
You might also try it the slower way:

for %a in (*.*) do cacls %a /T /G Everyone:F

Author Comment

ID: 12156565

I need to make sure administrator is the owner of all files within this folder before I execute this command for each file

otherwise the permissions don't seem to change.

Can it be done within your loop?

thanks again,

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 67

Expert Comment

ID: 12163468
Can you provide a little more detail on your situation and what you're trying to accomplish?

Author Comment

ID: 12165602
Please allow me to elaborate a little..

The specific circumstance is I have a folder that is used to store completed documents in for all to read but none to change. First of all the user who creates these documents needs a way to transfer them into this folder.

Once that occurs I need to remove the change permissions from that user and anyone else who was carried over from the originating folder.

Hence the reason for this loop.
cd Quality
for %a in (*.*) do cacls %a /T /G "X\Domain Admins":F "X\Domain Users":R "X\QualityDocCtrl-Admin":R<yes.txt

I also tried to get around the issue of ownership by changin the owner on the top folder manusally and checking the box that says to do the same for subfolders.

This loop does not work in a batch program it errors out saying a problem with a.

suggestions for doing the loop and changing the owner are appreciated,

Does it make more sense now?



Author Comment

ID: 12207643
sir bounty,

Does your not responding mean you give up or are just busy right now?


LVL 67

Expert Comment

ID: 12209926
Sorry Don - been out of pocket for a while.
Sounds like by your last post, it still isn't resolved?  No need to accept until it is...
Let me see if I can assist further, just in case...

So, UserA creates a document and then needs to copy it into a folder that only users should have Read access to?

I don't think it's necessary to go about it this way.  Let's try this:

Preliminary steps:
a) Set QualityDocCtrl's share permissions to be Everyone/Full Control
b) Set QualityDocCtrl' Security/NTFS permissions to be Domain Users/Read (you will also probably have to set up special permissions (advanced) to allow 'change permissions' permission.

Now, in the process as you'd outlined above, if I understand correctly, this is what needs to occur:
a) UserA creates a QualityDoc
b) UserA should now run the script that resets the permissions to Domain Users\Write access
c) UserA should "Copy" the file to QualityDocCtrl
d) UserA should now run a script that resets the permissions back to Domain Users\Read Only
e) UserA deletes the original file

See, the way NTFS works is if you 'move' a file (which is essentially a copy/delete) - the permissions that were originally on the file when it was in the 'working' folder remain.
Thus, if UserA creates a document in FolderA (obviously he has write access to this folder), and he then moves it to FolderB - the file basically ignores any permission settings on FolderB and retains the original permissions.  The reasoning is the file itself isn't really 'moved'.  The only change that really occurs is NTFS's 'pointer' updates the location in its table where the file is now stored.

However, if UserA takes that same file from FolderA and Copies it to FolderB - well now, it inherits the permissions of FolderB, since it's a 'new' file that 'lives' in that folder.  Then, UserA just needs to delete the file from the original location (presumably, this isn't a problem in your situation).  I assume that it's been set up for a move to occur?

Anyway, hope this helps.  

I may check my email in the morning, but just so you're aware - I'm out of town until Wednesday late evening, so if you post again after tomorrow morning, it may be a while before I can respond.  Good luck!

Author Comment

ID: 12212957

thanks for not giving up on me. :)

I tried to have the owner manually copy different documents into the FolderB from various locations and each one kept their original permissions and owner.

That is why I wanted to let them copy everything to one location regardless of where it came from and then just change anything new in the directory to read only permissions for everyone or in this case change the existing permission on QualityDocCtrl_Admin to R(read) from C(change) .

Since it all needs to end up read only I thought of using the batch cacls to accomplish it.

But the other stumbling block seemed to be it wanted Admin to own the docs before the changes would work in the cacls command.

LVL 67

Expert Comment

ID: 12223255
More specifically Don, I believe it's requiring the 'change permissions' right that I mentioned before.

Can you provide a little more information on this/these NTFS volumes/partitions?
Is this move/copy occuring 'across' NTFS volumes or within the same volume?  That would make a difference, and I may have misguided you with the statement above, re-reading it.
A copy results in a 'new' file being created and it should inherit the destination permissions.
A move is dependent upon the partition condition: if it's on the same partition, the file retains its original permission, but if it's across partitions, it inherits the destination permissions.

Here's a link referencing NTFS special perms:
And another referencing move/copy permissions on NTFS:
Of course, a move or copy to FAT loses all permissions.

I have been meaning to test what you're trying to accomplish, but since I'm out of town, I'm unable to until I return to the office.  I hope that you find this information useful though.

Author Comment

ID: 12273297
The volume or partition would be the same in this case.

However, I would prefer not to place that restriction on the process.

We have certain people who author documents but once they are reviewed for correctness they need placed somewhere

for all the see but none to change and I don't want to do it manually only through a script that runs and checks the repository for files and automatically moves them to their new readable directory for all to see.
The original owners and permissions should no longer exist once they enter the new directory the owner should now be the administrator and everyone should be able to read the document.
LVL 67

Expert Comment

ID: 12285237
Don, the only other method that I can see to get this working is to have the administrator run the cacls script remotely.
In other words, you'll have to open the share for write permissions every time someone wants to copy a file there (scriptA) and then run another script after it's copied (scriptB)

@cacls \\server\share\folder /g everyone:W

@cacls \\server\share\folder /d everyone:W

It might be a pain to do so, but without getting into Advanced permissions, I see no other way...

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Downtime reduced, data recovered by utilizing an Experts Exchange Business Account Challenge The United States Marine Corps employs more than 200,000 active-duty Marines with operations in four continents, all requiring complex networking system…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question