Skip navigation

JSI Tip 0425 - When I query the ACL of an object with CACLS, what does the (OI), (IO), (CI), and (NP) mean?

CACLS is an command for querying and change the permissions of directories and files.

If you use CACLS to query the ACLs (Access Control Lists) of a directory, it displays the permissions of the directory. If you use a wild card, it displays the permissions of the included directories and files.

CACLS displays directory permissions for each user or group as two entries. The first entry lists the file (inherited) permissions and the second lists the directory permissions. The letters in parentheses represent the inheritance flags:

File Permissions:


    This ACE (Access Control Entry) is inherited by noncontainer objects, such as files created
    within the container object to which the ACE is assigned.


    This ACE does not apply to the container object, but to objects contained by it.
    Normally both references are displayed.

Directory Permissions:


    This ACE is inherited by container objects, such as directories.


    Displayed when a permission is not to be inherited. The MSG_CACLS_OBJECT_INHERIT
    and MSG_CACLS_CONTAINER_INHERIT bits are not propagated to an inherited ACE.

A directory's ACL will normally contain at least two ACEs. If CACLS output only contains one ACE, then permissions for the other ACE have not been specified.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.