iCACLS.exe – Windows CMD Command

Change file and folder permissions – display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS

Unlike earlier command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries:

  1. Explicit Deny
  2. Explicit Grant
  3. Inherited Deny
  4. Inherited Grant

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACLs from the folder where it was created.

An access control list (ACL) is a list of access control entries (ACE). When backing up or restoring an ACL with iCACLS, you must do so for an entire directory (using /save and /restore) even if you are only interested in the ACEs for a few individual files. In practice, most permissions are set at the per-directory level.

Multiple /Grant /Deny /Remove clauses can be included in a single icacls command, on a large directory tree this has the advantage that the tree only has to be traversed once, rather than multiple times if you were to issue several consecutive icacls commands instead.

Modify vs Full control

  • To edit a file you must have the “Modify/Change” ACL (or be the file’s owner)
  • To use the iCACLS command to change the permissions of a file requires “FULL Control” (or be the file’s owner)
  • File “Ownership” will always override all ACL’s – you always have Full Control over files that you create.

So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit ‘F’ (Full control)
similarly (CI)R means Directories will inherit ‘R’ (Read folders only = List permission)

It is worth spending some time working out which permissions can be inherited and which need to be applied directly. On large/complex directory structures, minimizing the number of ACLs can improve fileserver performance.

If inheritance is combined with /T (traverse subfolders) the change will apply to all folders, not just the top level.
for example:
icacls “C:\demo\example” /inheritance:e /T
Will traverse all subfolders below”C:\demo\example” and enable the inheritance for everyone, this will replace any inheritance permissions that have been removed.

If no inheritance is specified, inheritance rules will not be changed but existing inherited permissions will be re-applied to existing objects in the specified location for the specified users/groups.
for example:
icacls “C:\demo\example” /grant administrators:(F) /T
This is similar to applying /reset to the child items of “C:\demo\example” but only resets the administrator’s group.

Built-In Groups

A command which addresses a built-in group by name like ICACLS folder name /GRANT Everyone:F /T
will only work when the system language is English.

To make this language-independent, use an asterisk followed by the well-known SID for the group, see Q243330 for a list.

For example, to grant full control to Everyone on a folder: ICACLS foldername /GRANT *S-1-1-0:F /T

The above does set the correct permissions, but an undesired bug/side effect is that within the top-level folder the Windows Explorer right-click option to create New files will be empty – only New Folder is shown:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *