Change file and folder permissions - display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS and XCACLS commands.

Syntax
      ICACLS Name [/grant[:r] User:Permission[...]] [/deny User:Permission[...]]
         [/remove[:g|:d] User[...]] [/inheritance:e|d|r] [/T] [/C] [/L] [/Q]
            [/setintegritylevel Level[...]]

      Store ACLs for one or more directories matching name into aclfile for later use with /restore:
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]

      Restore ACLs to all files in directory:
      ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]

      Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

      Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

      Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]

      Replace the ACL with the default inherited ACLs for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

Key
   name          The file(s) or folder(s) the permissions will apply to.
   /T            Traverse all subfolders to match files/directories.
   /C            Continue on file errors (access denied). Error messages are still displayed.
   /L            Perform the operation on a symbolic link itself, not its target.
   /Q            Quiet - suppress success messages.

   /grant[:r] user:permission
                 Grant access rights. With :r, the permissions replace any previously granted
                 explicit permissions for that user. Otherwise the permissions are added.

   /deny user:permission
                 Explicitly deny the specified user access rights.
                 This will also remove any explicit grant of the same permissions to the same user.

   /remove[:[g|d]] user
                 Remove all occurrences of user from the ACL.
                 :g remove all granted rights to that user/SID.
                 :d remove all denied rights to that user/SID.

   /setintegritylevel [(CI)(OI)]Level
                 Add an integrity ACE to all matching files.
                 Level is one of L, M, H (Low, Medium or High).
                 An inheritance option for the integrity ACE can precede the level and is applied only to directories.

   /inheritance:e|d|r
                 e - enable inheritance
                 d - disable inheritance and copy the inherited ACEs as explicit ACEs
                 r - remove all inherited ACEs

   user          A user account, group or a SID.

   /restore      Apply the ACLs stored in aclfile to the files in directory.

   permission    A permission mask, specified in one of two forms:

                 a sequence of simple rights:
                    D  - Delete access
                    F  - Full access
                    N  - No access
                    M  - Modify access
                    RX - Read and eXecute access
                    R  - Read-only access
                    W  - Write-only access

                 a comma-separated list in parentheses of specific rights:
                    DE   - Delete
                    RC   - read control
                    WDAC - write DAC
                    WO   - write owner
                    S    - synchronize
                    AS   - access system security
                    MA   - maximum allowed
                    GR   - generic read
                    GW   - generic write
                    GE   - generic execute
                    GA   - generic all
                    RD   - read data/list directory
                    WD   - write data/add file
                    AD   - append data/add subdirectory
                    REA  - read extended attributes
                    WEA  - write extended attributes
                    X    - execute/traverse
                    DC   - delete child
                    RA   - read attributes
                    WA   - write attributes

                 inheritance rights can precede either form and are applied only to directories:
                    (OI) - object inherit
                    (CI) - container inherit
                    (IO) - inherit only
                    (NP) - don't propagate inherit
                    (I)  - permission inherited from parent container
Unlike earlier command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries: explicit denials, then explicit grants, then inherited denials, then inherited grants. Use /verify to find files whose ACL is not in this canonical order.
Access Control Lists apply only to files stored on an NTFS (or ReFS) formatted volume; each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits its ACL from the folder where it was created.
An access control list (ACL) is a list of access control entries (ACEs). When backing up or restoring an ACL with iCACLS, you must do so for an entire directory (using /save and /restore) even if you are only interested in the ACEs for a few individual files. In practice most permissions are set at the per-directory level.
Inherited folder permissions are displayed as:
   OI - Object inherit    - This folder and files (no inheritance to subfolders).
   CI - Container inherit - This folder and subfolders.
   IO - Inherit only      - The ACE does not apply to the current file/directory.
These can also be combined as follows:
   (OI)(CI)      This folder, subfolders, and files.
   (OI)(CI)(IO)  Subfolders and files only.
   (CI)(IO)      Subfolders only.
   (OI)(IO)      Files only.
So BUILTIN\Administrators:(OI)(CI)F means that the folder itself, and every file and subdirectory beneath it, gets 'F' (Full control).
Similarly (CI)R means the folder and its subdirectories get 'R' (Read folders only = List permission); files do not inherit it.
An ACE that applies to the folder itself only (no inheritance) is displayed with no inheritance flags at all, and an ACE flagged (I) is one that was inherited from the parent folder rather than set explicitly on this item.
Backup the ACLs of every file and folder in the current directory (* matches the contents of the directory, not the directory itself; add /T to include subfolders):
icacls * /save Myacl_backup.txt
Restore ACLs using a previously saved ACL file. The names in the file are relative to where they were saved, so run this from the same directory ('.' is the directory the ACLs are restored into):
icacls . /restore Myacl_backup.txt
Change the Integrity Level (IL) of a file to High:
icacls MyReport.doc /setintegritylevel H
Remove all inherited permissions from the 'Demo' folder and grant the domain user 'Volta' Full control. The /t traverses existing subfolders and files, and the (CI) flag means subfolders created in future will inherit the permission (use (OI)(CI)F instead if new files should inherit it as well):
icacls C:\Demo /inheritance:r /grant SS64dom\Volta:(CI)F /t
Because /inheritance:r strips every inherited ACE (typically the ones for BUILTIN\Administrators and SYSTEM), check first that those accounts hold explicit permissions on the folder, or grant them in the same command; otherwise an administrator has to take ownership (TAKEOWN) to get back in.
Grant the group FileAdmins 'Delete' and 'Write DAC' permissions on Sales_Folder. Write DAC lets the holder rewrite the folder's permissions, so it is as powerful as Full control for that folder and should only be granted to trusted administrators:
icacls Sales_Folder /grant FileAdmins:(D,WDAC)
Add a new permission explicitly to every file and subfolder, without relying on inheritance. /grant adds an ACE to each item, so any specific permissions already set on the subfolders are left in place rather than overwritten, and (NP) stops the new ACE propagating below the immediate children:
icacls * /grant accountName:(NP)(RX) /T
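The output format described above (identity, inheritance flags, rights) and the /inheritance:r warning are easier to check from a script than by eye. The following PowerShell is an added example written for this page; it is not part of SS64 or of icacls. It parses icacls output into objects, flags write-type rights granted to very broad principals, and checks whether a folder still has explicit Administrators/SYSTEM access before /inheritance:r is run on it. All function names are the author's own, and $sampleOutput is constructed to resemble the output of icacls C:\Demo /T rather than captured from a real system.

```powershell
# Added example, not part of the SS64 page or of icacls itself. Function names are
# the author's own. $sampleOutput is constructed to resemble "icacls C:\Demo /T" output.
$sampleOutput = @'
C:\Demo BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX)
C:\Demo\Public NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Demo\Secret SS64dom\Volta:(DENY)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
               CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 3 files; Failed processing 0 files
'@ -split "`r?`n"

# One ACE as icacls prints it: <identity>:(flag)(flag)...(rights). Well-known authorities
# that contain a space are listed so a path containing spaces can be told apart from the identity.
$script:AcePattern = '(?<id>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|CREATOR OWNER|[^\s:\\]+)(?:\\[^:]+)?):(?<ace>(?:\([^)]+\))+)\s*$'
$script:NonRightGroups = 'I', 'OI', 'CI', 'IO', 'NP', 'DENY'

function ConvertFrom-IcaclsOutput {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$InputObject)
    begin { $path = $null }
    process {
        foreach ($line in $InputObject) {
            if ($line -match "^(?<path>\S.*?)\s+$script:AcePattern") {
                $path = $matches.path                      # first ACE of an item carries the path
            } elseif (-not ($line -match "^\s+$script:AcePattern")) {
                continue                                   # blank line or the "Successfully processed" summary
            }
            $m = $matches
            $groups = [regex]::Matches($m.ace, '\(([^)]+)\)') | ForEach-Object { $_.Groups[1].Value }
            $flags  = @($groups | Where-Object { $_ -in $script:NonRightGroups })
            # Whatever is not an inheritance/deny flag is the rights group, e.g. (F), (RX), (M,DC) or (RD,WD,AD)
            $rights = @($groups | Where-Object { $_ -notin $script:NonRightGroups } | ForEach-Object { $_ -split ',' })
            [pscustomobject]@{
                Path      = $path
                Identity  = $m.id
                Type      = if ('DENY' -in $flags) { 'Deny' } else { 'Allow' }
                Inherited = 'I' -in $flags
                Flags     = ($flags | Where-Object { $_ -ne 'DENY' } | ForEach-Object { "($_)" }) -join ''
                Rights    = $rights
            }
        }
    }
}

function Find-WeakAce {
    # Allow ACEs that give write-type rights (content, DACL or owner) to very broad principals.
    param(
        [Parameter(ValueFromPipeline)]$Ace,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    begin { $writeRights = 'F', 'M', 'W', 'GA', 'GW', 'WD', 'AD', 'WA', 'WEA', 'D', 'DE', 'DC', 'WDAC', 'WO' }
    process {
        if ($Ace.Type -eq 'Allow' -and $Ace.Identity -in $BroadPrincipals -and
            ($Ace.Rights | Where-Object { $_ -in $writeRights })) { $Ace }
    }
}

function Test-ExplicitAdminAccess {
    # /inheritance:r removes every (I) ACE, so Administrators and SYSTEM must already hold
    # explicit Full control on the folder (or be granted it in the same command); otherwise an
    # administrator has to take ownership to get back in.
    param([Parameter(Mandatory)]$Aces, [Parameter(Mandatory)][string]$Folder)
    $required = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $explicitFull = $Aces | Where-Object {
        $_.Path -eq $Folder -and $_.Type -eq 'Allow' -and -not $_.Inherited -and 'F' -in $_.Rights
    } | ForEach-Object Identity
    $missing = $required | Where-Object { $_ -notin @($explicitFull) }
    [pscustomobject]@{ Folder = $Folder; Safe = (@($missing).Count -eq 0); MissingExplicit = @($missing) }
}

$aces = $sampleOutput | ConvertFrom-IcaclsOutput
$aces | Format-Table Path, Identity, Type, Inherited, Flags, @{ n = 'Rights'; e = { $_.Rights -join ',' } } -AutoSize
$aces | Find-WeakAce | Format-Table Path, Identity, Flags
Test-ExplicitAdminAccess -Aces $aces -Folder 'C:\Demo'
Test-ExplicitAdminAccess -Aces $aces -Folder 'C:\Demo\Public'
# On a live Windows host the same pipeline reads real output:
#   icacls C:\Demo /T | ConvertFrom-IcaclsOutput | Find-WeakAce
```

With the constructed sample, Find-WeakAce reports only the Authenticated Users (OI)(CI) Modify ACE on C:\Demo\Public, and Test-ExplicitAdminAccess reports C:\Demo as safe (Administrators and SYSTEM both hold explicit Full control) but C:\Demo\Public as not safe, because its only Administrators ACE is inherited and would disappear with /inheritance:r. The path-splitting regex is a heuristic: icacls prints the path, one space, then the first ACE, so a path containing spaces is resolved by taking the shortest prefix that leaves a well-formed identity; an identity whose domain part contains a space and is not in the listed well-known authorities would need adding to the pattern.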
“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper
ATTRIB - Display or change file attributes
CACLS - Change file permissions
DIR /Q - Display the owner for a list of files (try it for Program files)
FSUTIL - File System Options
NTRIGHTS - Edit user account rights
PERMS - Show permissions for a user
TAKEOWN - Take ownership of file(s)
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders
Syntax-Permissions - Explanation of permissions.
Q243330 - Well-known security identifiers (sids) in Windows operating systems
Q919240 - Icacls is available for Windows Server 2003 SP2
Q834721 - Permissions on Folder are incorrectly ordered
Q943043 - Icacls.exe does not support inheritance
Q245031 - Change Registry Permissions (RegIni)
Q220167 - Understanding Container Access Inheritance Flags
Q947870 - Error with /setowner Windows Server 2003
AccessEnum - SysInternals GUI to browse a tree view of user permissions.
SetACL - Utility to manage permissions, auditing and ownership (free)
PowerShell equivalent: Get-Acl / Set-Acl - Set permissions
Equivalent bash command (Linux): chmod / chown - Change file permissions/owner and group