iCACLS.exe (2003 sp2, Vista+)

Change file and folder permissions - display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS and XCACLS.

Syntax
      ICACLS Name [/grant[:r] User:Permission[...]]
         [/deny User:Permission[...]]
            [/remove[:g|:d]] User[...]]
               [/inheritance:e|d|r ]
                  [/t] [/c] [/l] [/q]
                     [/setintegritylevel Level[...]]

   Store ACLs for one or more directories matching name into aclfile for later use with /restore
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    
   Restore ACLs to all files in directory:
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]

   Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

   Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

   Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]
 
   Replace ACL with default inherited acls for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

Key
   name  The File(s) or folder(s) the permissions will apply to.

   /T  Traverse all subfolders to match files/directories. 
   
   /C  Continue on file errors (access denied)  Error messages are still displayed.
  
   /L  Perform the operation on a symbolic link itself, not its target.

   /Q  Quiet - suppress success messages.
	
   /grant[:r] user:permission
       Grant access rights. With :r, the permissions
       will replace any previously granted explicit permissions.
       Otherwise the permissions are added.

   /deny user:permission
       Explicitly deny the specified user access rights.
       This will also remove any explicit grant of the 
       same permissions to the same user.

   /remove[:[g|d]] User
       Remove all occurrences of User from the ACL.
       :g remove all granted rights to that User/SID.
       :d remove all denied rights to that User/SID.

   /setintegritylevel [(CI)(OI)]Level
       Add an integrity ACE to all matching files.
       Level is one of L, M, H (Low, Medium or High).

       A directory inheritance option for the integrity ACE can precede the level
       and is applied only to directories.

    /inheritance:e|d|r
             e - enable inheritance
             d - disable inheritance and copy the ACEs 
             r - remove all inherited ACEs

   user   A user account, Group or a SID

   /restore  Apply the acls stored in ACLfile to the files in directory

   permission is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                D - Delete access
                F - Full access
                N - No access
                M - Modify access
                RX - Read and eXecute access
                R - Read-only access
                W - Write-only access
        a comma-separated list in parentheses of specific rights:
                DE - Delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights can precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don’t propagate inherit
                (I)  - Permission inherited from parent container

Unlike earlier command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries:

    1. Explicit Deny
    2. Explicit Grant
    3. Inherited Deny
    4. Inherited Grant

Access Control Lists apply only to files stored on an NTFS formatted drive; each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACLs from the folder where it was created.

An access control list (ACL) is a list of access control entries (ACE). When backing up or restoring an ACL with iCACLS, you must do so for an entire directory (using /save and /restore) even if you are only interested in the ACEs for a few individual files. In practice most permissions are set at the per-directory level.

Using iCACLS

Inherited folder permissions are displayed as:

 OI - Object inherit    - This folder and files. (no inheritance to subfolders)
 CI - Container inherit - This folder and subfolders.
 IO - Inherit only      - The ACE does not apply to the current file/directory

These can also be combined as follows:
 (OI)(CI)      This folder, subfolders, and files.
 (OI)(CI)(IO)  Subfolders and files only.
 (CI)(IO)      Subfolders only.
 (OI)(IO)      Files only.

So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit 'F' (Full control);
similarly, (CI)R means that directories will inherit 'R' (Read folders only = List permission).

When an ACE applies to the current folder only, there is no inheritance and so no inheritance flags are displayed.
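As an added illustration (not part of the original page), the following Python decodes ACE entries in the display form shown above, translates the (OI)/(CI)/(IO) flags into the scope wording of the table, and checks a listing against the canonical ACE order from the section above. The sample entries are constructed for the example and the listing is deliberately out of order so the check has something to report.

```python
import re

# Added example: decode icacls-style ACE entries and audit their ordering; handles (OI)(CI)F and (DENY)(OI)(CI)(W).
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
CANON_RANK = {("explicit", "deny"): 1, ("explicit", "grant"): 2,   # canonical ACE order
              ("inherited", "deny"): 3, ("inherited", "grant"): 4}
TOKEN_RE = re.compile(r"\(([^)]*)\)")

def parse_ace(text):
    """Parse one 'trustee:(flags)rights' entry into a dict."""
    trustee, sep, rest = text.strip().partition(":")
    if not sep:
        raise ValueError(f"not an ACE: {text!r}")
    tokens = TOKEN_RE.findall(rest)
    bare = TOKEN_RE.sub("", rest).strip()        # rights with no parentheses, e.g. the F in (OI)(CI)F
    flags = {t for t in tokens if t in INHERIT_FLAGS}
    others = [t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"]
    rights = bare or (others[-1] if others else "")
    return {"trustee": trustee, "flags": flags,
            "type": "deny" if "DENY" in tokens else "grant",
            "source": "inherited" if "I" in flags else "explicit",
            "rights": [r.strip() for r in rights.split(",") if r.strip()]}

def applies_to(flags):
    """Map (OI)/(CI)/(IO) to the scope wording in the table above."""
    oi, ci, io = "OI" in flags, "CI" in flags, "IO" in flags
    if oi and ci:
        return "Subfolders and files only" if io else "This folder, subfolders, and files"
    if ci:
        return "Subfolders only" if io else "This folder and subfolders"
    if oi:
        return "Files only" if io else "This folder and files"
    return "This folder only"

def canonical_order_violations(aces):
    """Return (index, trustee) for each ACE that sits out of canonical order."""
    bad, highest = [], 0
    for i, ace in enumerate(aces):
        rank = CANON_RANK[(ace["source"], ace["type"])]
        if rank < highest:
            bad.append((i, ace["trustee"]))
        highest = max(highest, rank)
    return bad

# Constructed listing for one folder (the path icacls prints before the first entry is omitted);
# the explicit entries are deliberately placed after the inherited ones so the check has work to do.
SAMPLE_ACES = [parse_ace(line) for line in (
    r"BUILTIN\Administrators:(I)(OI)(CI)(F)", r"NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"SS64dom\Volta:(CI)(F)", r"BUILTIN\Users:(DENY)(OI)(IO)(W)")]
```

Calling canonical_order_violations(SAMPLE_ACES) flags the Volta grant and the Users deny, which is the kind of misordering icacls /verify reports; applies_to(ace["flags"]) gives the scope of each entry.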

Examples:

To backup the ACLs of every file in a directory:

icacls * /save Myacl_backup.txt

Restore ACLS using a previously saved acl file:

icacls /restore Myacl_backup.txt

Change the Integrity Level (IL) of a file to High:

icacls MyReport.doc /setintegritylevel H

Remove all inheritance on the 'Demo' folder and grant access to the domain user 'Volta'. In this command the /t will traverse existing subfolders and files, and the (CI) will ensure that new folders/files added in future will inherit these permissions:

icacls C:\Demo /inheritance:r /grant SS64dom\Volta:(CI)F /t

Grant the group FileAdmins 'Delete' and 'Write DAC' permissions to Sales_Folder:

icacls Sales_Folder /grant FileAdmins:(D,WDAC)

Propagate a new permission to all files and subfolders, without using inheritance:
(so if any of the subfolders contain specific permissions, those won't be overwritten)

icacls * /grant accountName:(NP)(RX) /T

“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper

Related:

ATTRIB - Display or change file attributes
CACLS - Change file permissions
DIR /Q - Display the owner for a list of files (try it for Program files)
FSUTIL - File System Options
NTRIGHTS - Edit user account rights
PERMS - Show permissions for a user
TAKEOWN - Take ownership of file(s)
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders
Syntax-Permissions - Explanation of permissions.
Q243330 - Well-known security identifiers (sids) in Windows operating systems
Q919240 - Icacls is available for Windows Server 2003 SP2
Q834721 - Permissions on Folder are incorrectly ordered
Q943043 - Icacls.exe does not support inheritance
Q245031 - Change Registry Permissions (RegIni)
Q220167 - Understanding Container Access Inheritance Flags
Q947870 - Error with /setowner Windows Server 2003
AccessEnum - SysInternals GUI to browse a tree view of user permissions.
SetACL - Utility to manage permissions, auditing and ownership (free)
PowerShell equivalent: Get-Acl / Set-Acl - Set permissions
Equivalent bash command (Linux): chmod / chown - Change file permissions/owner and group


© Copyright SS64.com 1999-2016
Some rights reserved