Using iCACLS to List Folder Permissions and Manage Files

One of the typical tasks for a Windows administrator is managing NTFS permissions on folders and files. You can do this from the File Explorer GUI (the Security tab in the properties of a folder or file) or with the built-in iCACLS command-line tool. In this article, we'll look at examples of using the iCACLS command to view and manage folder and file permissions on Windows.


How to View File and Folder Permissions Using the iCACLS Command?

The iCACLS command displays or changes Access Control Lists (ACLs) of files and folders on the file system. Its predecessor is the older CACLS.EXE tool (used in Windows XP and earlier), which is deprecated but still present for compatibility.

The complete syntax of the icacls tools and some useful usage examples can be displayed using the command:

icacls.exe /?


To show current NTFS permissions on a specific folder (for example, C:\PS), open a Command prompt and run the command:

icacls c:\PS

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions returned by the iCACLS command:

c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files


The access level follows each user or group name as a string of abbreviations in parentheses. Consider the entry for the user CORP\someusername. It carries the following flags:

  • (OI) — object inherit: the entry is inherited by files in this folder;
  • (CI) — container inherit: the entry is inherited by subfolders;
  • (M) — modify access.

So this user can read, write, modify and delete objects in C:\PS, and because the entry carries (OI)(CI) the same ACE is inherited by every file and subfolder created below it. Entries marked (I) were themselves inherited from the parent folder; entries without (I), like this one, are set explicitly on C:\PS.

Below is a complete list of permissions that can be set using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit (inherited by files);
  • (CI)  —  container inherit (inherited by subfolders);
  • (IO)  —  inherit only (the entry applies to children but not to the object it is set on);
  • (NP)  —  don't propagate inherit (inherited by direct children only, not further down the tree);
  • (I)  — the entry was inherited from the parent container.

List of basic access permissions:

  • D  —  delete access;
  • F  —  full access;
  • N  —  no access;
  • M  —  modify access;
  • RX  —  read and execute access;
  • R  —  read-only access;
  • W  —  write-only access.

Detailed permissions:

  • DE  —  delete;
  • RC  —  read control;
  • WDAC  —  write DAC;
  • WO   — write owner;
  • S  —  synchronize;
  • AS  —  access system security;
  • MA  —  the maximum allowed permissions;
  • GR  —  generic read;
  • GW  —  generic write;
  • GE  —  generic execute;
  • GA  —  generic all;
  • RD  —  read data/list directory;
  • WD  —  write data/add file;
  • AD  — append data/add subdirectory;
  • REA  —  read extended attributes;
  • WEA  —  write extended attributes;
  • X  —  execute/traverse;
  • DC  —  delete child;
  • RA  —  read attributes;
  • WA  —  write attributes.
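To turn the notation above into something you can filter, here is an added PowerShell example (not from the original article) that parses the text icacls prints into objects and flags ACEs that give broad groups write-level rights. The sample output is constructed for the example; on a real host pass the output of `icacls C:\PS` as the -Lines argument instead.

```powershell
# Added example, not from the original article: parse icacls output into
# objects and flag write-level rights held by broad groups.

# Constructed sample output of "icacls c:\PS" (with one risky ACE and one DENY ACE added)
$sample = @'
c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CORP\NYUsers:(DENY)(CI)(M)
      Everyone:(OI)(CI)(RX,W)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
'@

$inheritanceFlags = 'OI', 'CI', 'IO', 'NP', 'I'

function ConvertFrom-IcaclsOutput {
    param(
        [string[]]$Lines,   # raw lines as printed by icacls
        [string]$Path       # the path given to icacls; it prefixes the first ACE line
    )
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length).Trim()
        }
        # An ACE line is "PRINCIPAL:(flag)(flag)...(rights)"; blank and summary lines are skipped
        if ($text -match '^(?<who>[^()]+?):(?<spec>(?:\([A-Z,]*\))+)$') {
            $tokens = [regex]::Matches($Matches.spec, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
            [pscustomobject]@{
                Principal   = $Matches.who
                Type        = if ($tokens -contains 'DENY') { 'Deny' } else { 'Allow' }
                Inherited   = $tokens -contains 'I'
                Inheritance = ($tokens | Where-Object { $_ -in 'OI', 'CI', 'IO', 'NP' }) -join ','
                # rights are a single token such as M or a list such as RX,W
                Rights      = (($tokens | Where-Object { $_ -notin $inheritanceFlags -and $_ -ne 'DENY' }) -join ',') -split ','
            }
        }
    }
}

function Find-WeakAce {
    param([object[]]$Aces)
    # Principals that effectively mean "anyone on this box" and rights that allow changing data or the ACL
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $write = 'F', 'M', 'W', 'GA', 'GW', 'WD', 'AD', 'DC', 'WDAC', 'WO', 'D', 'DE'
    $Aces | Where-Object {
        $_.Type -eq 'Allow' -and $broad -contains $_.Principal -and
        @($_.Rights | Where-Object { $write -contains $_ }).Count -gt 0
    }
}

$aces = ConvertFrom-IcaclsOutput -Lines ($sample -split "`r?`n") -Path 'c:\PS'
$aces | Format-Table -AutoSize
Find-WeakAce -Aces $aces     # reports the Everyone entry (RX,W); the DENY entry is ignored

# Live use against a real folder:
# Find-WeakAce -Aces (ConvertFrom-IcaclsOutput -Lines (icacls C:\PS) -Path 'C:\PS')
```

The DENY token is the only one icacls prints in front of the inheritance flags, so it is stripped before the rights are read; everything else is classified by the two tables from the lists above.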

If you need to find all the objects in the specified directory and its subdirectories whose ACL explicitly mentions a specific user or group, use /findsid. The argument can be an account name or a SID; a SID in numeric form must be prefixed with an asterisk (for example, *S-1-5-32-545):

icacls C:\PS /findsid [User/Group_SID_here] /t /c /l /q

Use iCACLS to Set Folder’s or File’s Permissions

With the icacls command, you can change the access list of a folder. For example, to grant the user John permission to edit the contents of the folder C:\PS, execute:

icacls C:\PS /grant John:M

Note that an entry without inheritance flags applies to the folder itself only; add (OI)(CI) if new files and subfolders should inherit it.

To grant Full Control to the NYUsers domain group and apply the same entry to all existing subfolders and files:

icacls "C:\PS" /grant domain\NYUsers:F /Q /C /T

The following command can be used to grant a user read + execute + delete access permissions to the folder:

icacls E:\PS /grant John:(OI)(CI)(RX,D)

In order to grant read + execute + write access, use the command:

icacls E:\PS /grant John:(OI)(CI)(RX,W)

You can use the built-in group names in the icacls command, for example Administrators, Everyone, Users, etc. For example (granting Everyone Full Control is shown here only to illustrate the syntax; it is rarely what you want):

icacls C:\PS /grant Everyone:F /T

You can remove all explicit entries (both allow and deny) for John with the command below; use /remove:g to remove only granted rights or /remove:d to remove only denied rights:

icacls C:\PS /remove John

Also, you can prevent a user or group from accessing a file or folder with an explicit deny entry:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind that deny entries take precedence over allow entries at the same level: in a canonical ACL, explicit deny entries are evaluated before explicit allow entries, followed by inherited deny and inherited allow entries. An explicit allow on a child object therefore wins over a deny inherited from its parent.

You can enable or disable permission inheritance on folder/file objects using the /inheritance option of the icacls command. To disable inheritance on a file system object while keeping copies of the inherited entries as explicit permissions, run:

icacls c:\PS /inheritance:d

To disable inheritance and remove all inherited permissions, run:

icacls c:\PS /inheritance:r

To enable the inherited permissions on a file or folder object:

icacls c:\PS /inheritance:e

If you need to write a permission directly onto every file and subfolder of the target folder, instead of relying on inheritance, use /T together with /grant:r:

icacls "C:\PS\" /grant:r Everyone:(NP)(RX) /T

With /grant:r the existing explicit entries for Everyone on each object are replaced by the new one; entries for other users and groups on the subfolders are left untouched.
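The inheritance options are easiest to understand on a throw-away directory tree. The following added PowerShell example (not from the original article) creates one under %TEMP%, walks through /inheritance:d, /remove, /grant:r with /T and /reset, and cross-checks each step with Get-Acl, whose IsInherited property corresponds to the (I) flag in icacls output. It uses the well-known SID of BUILTIN\Users (*S-1-5-32-545) so it works regardless of the UI language; the paths and the group are assumptions of the example.

```powershell
# Added example, not from the original article: inherited vs. explicit ACEs on a lab tree.

$root = Join-Path $env:TEMP ('icacls-lab-' + [guid]::NewGuid().ToString('N'))
$sub  = Join-Path $root 'sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null

function Get-UsersAce([string]$Path) {
    # Read the ACL with Get-Acl and keep only the BUILTIN\Users entries, matched by SID
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-32-545' } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}

# 1. Cut the lab tree off from the ACL of %TEMP%, keeping copies of the inherited entries as explicit ones
icacls $root /inheritance:d | Out-Null

# 2. One inheritable entry on the root: the subfolder receives it through inheritance only
icacls $root /grant "*S-1-5-32-545:(OI)(CI)(M)" | Out-Null
Get-UsersAce $sub        # IsInherited = True, FileSystemRights = Modify, Synchronize

# 3. Decouple the subfolder as well and remove the Users entry from it
icacls $sub /inheritance:d | Out-Null
icacls $sub /remove "*S-1-5-32-545" | Out-Null
Get-UsersAce $sub        # nothing: the entry is gone and nothing flows down any more

# 4. Push the right onto every existing object with /T: it reappears, but as an explicit entry
icacls $root /grant:r "*S-1-5-32-545:(OI)(CI)(RX)" /T | Out-Null
Get-UsersAce $sub        # IsInherited = False, FileSystemRights = ReadAndExecute, Synchronize

# 5. /reset discards the subfolder's own ACL and turns inheritance back on
icacls $sub /reset | Out-Null
Get-UsersAce $sub        # IsInherited = True again, inherited from $root

Remove-Item -Path $root -Recurse -Force
```

Step 3 uses /inheritance:d followed by /remove rather than /inheritance:r on purpose: /inheritance:r on a freshly created subfolder would leave it with an empty DACL, and the later recursive steps could then fail to enumerate it.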

You can also use the %username% environment variable to grant permissions to the currently logged-on user:

ICACLS c:\PS /grant %username%:F

In some cases, you may receive the "Access is denied" error when trying to change permissions on a file or folder with icacls. First, make sure that you run the cmd window with elevated rights (Run as administrator): icacls is not a UAC-aware tool, so it will not show an elevation prompt by itself.


If the error persists, list the current file permissions and make sure your account has the “Change permissions” rights on the file.

A common problem: after copying directories between two drives you may lose access to folders on the target drive. In this case, you can reset the NTFS permissions with icacls. The following command replaces the ACL of every folder and file under E:\ with the default permissions inherited from its parent (the wildcard means the root of the drive itself is not touched):

Icacls.exe E:\* /reset /T

On Windows versions without long path support, you cannot change the permissions of an object in the tree if its full path is longer than MAX_PATH (260 characters); you get a path-too-long error. In these cases, instead of the following icacls command:

ICACLS C:\PS\LongFilePath /Q /C /T /reset

You should use the \\?\ extended-length path prefix:

ICACLS "\\?\C:\PS\LongFilePath" /Q /C /T /reset
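The two failure causes just described (a non-elevated session and an over-long path) are worth checking before icacls runs at all. Here is an added PowerShell wrapper (not from the original article) that does both, handles UNC paths with the \\?\UNC\ form of the prefix, and turns the "Successfully processed N files; Failed processing M files" summary into an object you can act on. The target path in the usage line is an assumption.

```powershell
# Added example, not from the original article: a guarded wrapper around "icacls /reset /T".

function Test-Elevated {
    # icacls does not trigger a UAC prompt, so check for an elevated token up front
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertTo-ExtendedPath([string]$Path) {
    # The \\?\ prefix lifts the MAX_PATH (260 character) limit; UNC paths use \\?\UNC\server\share
    if ($Path.StartsWith('\\?\')) { return $Path }
    if (-not [IO.Path]::IsPathRooted($Path)) { throw "An absolute path is required: $Path" }
    if ($Path.StartsWith('\\')) { return '\\?\UNC\' + $Path.Substring(2) }
    return '\\?\' + $Path
}

function Reset-NtfsAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell session.' }
    $target = ConvertTo-ExtendedPath $Path

    # /T recurse, /C keep going after per-object errors, /Q suppress the per-object success lines
    $output  = icacls $target /reset /T /C /Q 2>&1
    $pattern = 'Successfully processed (\d+) files; Failed processing (\d+) files'
    $summary = $output | Where-Object { "$_" -match $pattern } | Select-Object -Last 1
    if (-not $summary) {
        throw "icacls did not finish (exit code $LASTEXITCODE):`n$($output -join "`n")"
    }
    $null = "$summary" -match $pattern
    [pscustomobject]@{
        Path      = $Path
        Processed = [int]$Matches[1]
        Failed    = [int]$Matches[2]
        ExitCode  = $LASTEXITCODE
        # per-object errors printed before the summary (kept so a non-zero Failed count can be explained)
        Errors    = @($output | Where-Object { "$_" -match 'denied|not found|too long' } | ForEach-Object { "$_" })
    }
}

# Usage (assumed path); a non-zero Failed count means some objects still need takeown or a manual fix:
Reset-NtfsAcl -Path 'C:\PS\LongFilePath'
```

Because of /C the command keeps running past objects it cannot reset, so the Failed count in the returned object, not the exit code alone, tells you whether the tree is clean.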

Changing Ownership Using ICACLS on Windows

Using the icacls command, you can change the owner of a file or folder, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q — do not display success messages;
  • /L — operate on the symbolic link itself rather than on its target;
  • /C — continue despite file errors; error messages are still displayed;
  • /T — apply the operation to all files and directories located in the specified directory and its subdirectories.

You can change the owner of all the files in the directory:

icacls c:\ps\* /setowner John /T /C /L /Q

Also, with icacls you can reset the current permissions on the file system objects:

ICACLS C:\ps /T /Q /C /RESET


After executing this command, all current permissions on the file object in the specified folder will be reset. They will be replaced with permissions inherited from the parent object.

Note that icacls /setowner does not let you forcibly take over an object: it only succeeds if your account already has the right to change the owner (Full Control or the Write Owner right on the object, or the privileges of an elevated administrator). If you are not in that position, use the takeown.exe command to take ownership of the file or folder first.


To find all files whose ACL is not in canonical form or whose length is inconsistent with the number of ACEs, use the /verify parameter:

icacls "c:\test" /verify /T

Save and Restore NTFS ACLs Using ICACLS

Using the icacls command, you can save the current ACLs of objects into a text file. You can then apply the saved permissions to the same or other objects (a simple way to back up ACLs).

To export the ACLs of everything inside the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t

This command saves the ACLs not only of the subfolders directly inside the directory but, thanks to /t, of all nested subfolders and files. The result is a Unicode text file in which each object takes two lines: its path relative to C:\PS and its DACL as an SDDL string. You can open it in Notepad or any text editor.


To apply the saved ACLs (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt

Because the file stores paths relative to the directory you saved from, the directory you pass to /restore is used as the base for those paths; pass a different directory to apply the same ACLs to another tree. This makes transferring ACLs from one folder to another (or between hosts) much easier.
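The save file is also a convenient offline inventory. The following added PowerShell example (not from the original article) backs up a tree with /save, then reads the two-line entries of the backup and parses each SDDL string with the .NET DirectorySecurity class, without applying anything, to report which objects give Everyone, Authenticated Users or BUILTIN\Users an allow entry with write-level rights. The folder and file names are the ones used in the article and are assumptions of the example.

```powershell
# Added example, not from the original article: audit a tree from its icacls /save backup.

$source = 'C:\PS'                       # assumed folder, as in the article
$backup = 'C:\temp\PS_folder_ACLs.txt'  # assumed backup file, as in the article

icacls "$source\*" /save $backup /T | Out-Null

function Read-IcaclsSaveFile([string]$File, [string]$BaseDir) {
    # /save writes UTF-16 text: a relative path on one line, the object's DACL as SDDL on the next
    $lines = @(Get-Content -Path $File -Encoding Unicode | Where-Object { $_ -ne '' })
    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) {
        $sec = New-Object Security.AccessControl.DirectorySecurity
        $sec.SetSecurityDescriptorSddlForm($lines[$i + 1])   # parse only; nothing is written to disk
        foreach ($rule in $sec.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
            [pscustomobject]@{
                Path      = Join-Path $BaseDir $lines[$i]
                Sid       = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Everyone, Authenticated Users, BUILTIN\Users; rights that change data, the ACL, or the owner
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$writeMask = [Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

$entries = Read-IcaclsSaveFile -File $backup -BaseDir $source
$entries | Where-Object {
    $_.Type -eq 'Allow' -and $broadSids -contains $_.Sid -and ([int]($_.Rights -band $writeMask)) -ne 0
} | Sort-Object Path | Format-Table Path, Sid, Rights, Inherited -AutoSize

# To put everything back exactly as saved (same base directory!):
# icacls $source /restore $backup
```

Reviewing the backup rather than the live tree has a practical advantage: it can be done on any machine that has the file, and the same file is what you restore from if a later change goes wrong.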

Using icacls in a PowerShell Script to Change Permissions

If you need to walk a folder structure and change NTFS permissions only on certain types of files, you can call icacls from PowerShell. For example, you need to find all *.docx files whose name contains "pass" in your shared network folder and grant read access to them for the ITSec domain security group. You can use the following PowerShell script (don't forget to change the folder path):

$files = Get-ChildItem "d:\docs" -Recurse -File | Where-Object { $_.Extension -eq ".docx" -and $_.Name -like "*pass*" }

foreach ($file in $files) {
    # quote the principal:permission argument; otherwise PowerShell parses the parentheses as a subexpression
    icacls $file.FullName /grant "corp\ITSec:(R)"
    Write-Host $file.FullName
}

You can use icacls in PowerShell scripts to change NTFS permissions on directories on remote computers.

$folder  = "C:\Tools"
$group   = "corp\helpdesk"
$servers = @("server1", "server2", "server3")

# Local variables are not visible in the remote session, so pass them in with -ArgumentList
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($folder, $group)
    icacls $folder /grant "${group}:(OI)(CI)(M)" /T
} -ArgumentList $folder, $group

This script grants Modify (read and write) permissions on the C:\Tools directory to the corp\helpdesk domain security group on three remote servers (PowerShell Remoting must be enabled on them).

Cyril Kardashevsky

5 comments

  1. How could I apply the rights to a specific user with the same name as the userfolder?
    Example:
    C:\users\james -> should become Full Access for the domain user “James”
    C:\users\john -> should become Full Access for the domain user “John”

  2. I need to find out why does the output of the command "icacls ~\Desktop" returns as "The system cannot specify the path "
