iCACLS: List and Manage Folder and File Permissions on Windows – TheITBros (2024)

You can view and manage NTFS permissions on files and folders from the command line using the built-in iCACLS.exe tool. In this article, we’ll look at examples of using the iCACLS command to list, change, remove, back up and restore NTFS permissions on file system objects in Windows.

To manage the NTFS permissions on an individual file or folder, you can use the graphical Security tab in the file properties in File Explorer. When it comes to managing permissions on tens or hundreds of file system objects, administrators typically prefer to use command-line tools such as iCACLS.

How to List File and Folder Permissions Using the iCACLS

To list the current NTFS permissions on a specific file or folder, open a command prompt and run:

icacls C:\DOCs\IT_Dept

This command returns a list of all users and groups and the permissions assigned to each of them. This is the object’s Discretionary Access Control List (DACL), the part of the ACL (Access Control List) that grants or denies access.

Each line is a separate Access Control Entry (ACE) entry in the format:

Security principal : permission levels

Let’s try to understand the syntax of the permissions list returned by the iCACLS command:

CONTOSO\allowUSB:(OI)(CI)(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CONTOSO\fs01-IT_dept_RW:(OI)(CI)(M)
CONTOSO\fs01-IT_dept_R:(OI)(CI)(RX)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)

Take a look at the following ACE entry: CONTOSO\fs01-IT_dept_R:(OI)(CI)(RX)

CONTOSO\fs01-IT_dept_R – This is the group (or user) to which permissions are assigned.

A list of assigned privileges for this security principal follows the colon (:). In this example:

  • (OI) — object inherit;
  • (CI) — container inherit;
  • (RX) — Read and Execute access.

This means that the members of this group have the right to read and execute (but not write or modify) filesystem objects in this directory. All child (nested) objects in this directory inherit these NTFS permissions.

You can see what the same ACE entry looks like in File Explorer GUI:

  1. Open the file or folder properties;
  2. Navigate to the Security tab;
  3. Click Advanced;
  4. The Permission entries list contains the ACE records.

Below is a complete list of the permissions and flags that can be set using icacls:

iCACLS inheritance settings:

  • (OI) — objects inherit the specified ACE;
  • (CI) — subdirectories in the current directory inherit the ACE;
  • (IO) — inherit only to the current object;
  • (NP) — don’t propagate inherit;
  • (I) — permission inherited from the parent container.

List of basic access permissions:

  • D — delete access;
  • F — full access;
  • N — no access;
  • M — modify (includes ‘delete’);
  • RX — read and execute access;
  • R — read-only access;
  • W — write-only access.

Detailed permissions:

  • DE — delete;
  • RC — read control;
  • WDAC — write DAC;
  • WO — write owner;
  • S — synchronize;
  • AS — access system security;
  • MA — the maximum allowed permissions;
  • GR — generic read;
  • GW — generic write;
  • GE — generic execute;
  • GA — generic all;
  • RD — read data/list directory;
  • WD — write data/add file;
  • AD — append data/add subdirectory;
  • REA — read extended attributes;
  • WEA — write extended attributes;
  • X — execute/traverse;
  • DC — delete child;
  • RA — read attributes;
  • WA — write attributes.

You can view the syntax of the icacls command and some useful usage examples with the command:

icacls.exe /?

Set and Remove File Permissions with iCACLS

You can change the access list of a file or folder using icacls.

For example, to grant the user John Modify (M) permissions on the contents of the folder C:\PS:

icacls C:\PS /grant John:M

To grant Full Control (F) permission to the NYUsers domain group and apply it to all subfolders and files (/T traverses subfolders, performing the operation on all nested files and folders; /C continues despite errors; /Q suppresses success messages):

icacls "C:\PS" /grant domainname\NYUsers:F /Q /C /T

To grant a user read + execute + delete (RX,D) permissions on the folder:

icacls E:\PS /grant John:(OI)(CI)(RX,D)

In order to grant read + execute (RX) and write (W) access and inherit down to subfolders and files (OI)(CI):

icacls E:\PS /grant John:(OI)(CI)(RX,W)

You can use the %username% environment variable to grant permissions to the currently logged-on user:

ICACLS c:\PS /grant %username%:F

You can use the built-in group names in the icacls command, for example Administrators, Everyone, Users, etc.:

icacls C:\PS /grant Everyone:F /T

You can use the :r switch with /grant parameter to replace existing and inherited ACLs, rather than adding new ACLs to existing or inherited ACLs.

icacls C:\PS /grant:r Administrators:F

You can remove all the NTFS permissions assigned to John by using the /remove parameter:

icacls C:\PS /remove John

You can remove only the Granted or Denied permissions for a specific user or SID:

  • /remove:g — remove all granted rights;
  • /remove:d — remove all denied rights.

iCACLS also allows you to explicitly deny access rights to certain security principals (rarely used). For example, the following command denies the NYUsers group Modify (M) permissions (which include Create, Delete, Read and Write) on objects in the destination folder:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Remember that Deny entries take precedence over Allow entries.

You can enable or disable permission inheritance on folder/file objects using the /inheritance option.

Three values are available for the /inheritance parameter:

  • e — enable inheritance;
  • d — disable inheritance and copy the currently inherited ACEs as explicit ones;
  • r — remove all inherited ACEs.

To disable the inherited permissions and copy the current ACL (explicit permissions):

icacls c:\PS /inheritance:d

To disable inheritance and remove all inherited permissions, run:

icacls c:\PS /inheritance:r

To enable the inherited permissions on a file or folder object:

icacls c:\PS /inheritance:e

If you need to propagate new permissions to all files and subfolders in the target folder without relying on inheritance (the (NP) flag stops the ACE from being inherited further, while /T applies it to every nested object explicitly):

icacls "C:\PS" /grant:r Everyone:(NP)(RX) /T

In this case, no specific permissions on subfolders will be overwritten.
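The listing syntax explained earlier (security principal, inheritance flags, rights) and the /inheritance:d and /inheritance:r behaviour described above, modelled as an added Python example; this is not code from the article. It parses a constructed icacls listing (the article’s entries plus an inherited (I) entry, an Everyone entry and a (DENY) entry), flags Allow ACEs that give broad principals write, modify or full rights, and shows which ACEs survive each /inheritance mode; the principal names and the list of “broad” principals are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout icacls prints (path on the first line, later lines indented).
SAMPLE = """C:\\DOCs\\IT_Dept CONTOSO\\allowUSB:(OI)(CI)(RX)
                  CREATOR OWNER:(OI)(CI)(IO)(F)
                  CONTOSO\\fs01-IT_dept_RW:(OI)(CI)(M)
                  BUILTIN\\Administrators:(OI)(CI)(F)
                  BUILTIN\\Users:(I)(OI)(CI)(RX)
                  Everyone:(I)(OI)(CI)(F)
                  CONTOSO\\NYUsers:(CI)(DENY)(M)
"""

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}          # inheritance flags from the article's table
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}   # rights that allow changes
BROAD = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}  # assumed audit list

@dataclass(frozen=True)
class Ace:
    principal: str
    deny: bool
    inherit: frozenset   # subset of INHERIT_FLAGS
    rights: frozenset    # basic rights (F, M, RX, ...) or detailed ones (RD, WD, ...)

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text, path):
    """Parse the icacls listing of `path` into one Ace per ACE line."""
    aces = []
    for line in text.splitlines():
        line = line.strip().removeprefix(path + " ")   # the first line carries the path
        m = ACE_RE.match(line)
        if not m:
            continue                                    # blank or "Successfully processed" lines
        flags = {f for g in re.findall(r"\(([^)]*)\)", m["flags"]) for f in g.split(",")}  # "(RX,D)"
        aces.append(Ace(m["who"], "DENY" in flags, frozenset(flags & INHERIT_FLAGS),
                        frozenset(flags - INHERIT_FLAGS - {"DENY"})))
    return aces

def risky_aces(aces):
    """Allow ACEs that give a broad principal write/modify/full control (audit finding)."""
    return [a for a in aces if not a.deny and a.principal in BROAD and a.rights & WRITE_RIGHTS]

def apply_inheritance(aces, mode):
    """Model /inheritance:e (unchanged here, parent ACEs unknown), :d (inherited ACEs become explicit), :r (inherited ACEs dropped)."""
    if mode not in ("e", "d", "r"):
        raise ValueError(f"unknown /inheritance mode {mode!r}")
    return [a if mode == "e" or "I" not in a.inherit
            else Ace(a.principal, a.deny, a.inherit - {"I"}, a.rights)
            for a in aces if mode != "r" or "I" not in a.inherit]
```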

icacls allows you to manage not only NTFS permissions on file system objects on the local computer, but also permissions on remote shared folders.

To grant full access to the docs folder on the remote computer fssrv01, run the following command:

icacls \\fssrv01\docs /grant bjackson:F

You can also access local files on a remote computer through the administrative shares (C$, D$, etc.). This means that this command will work as well:

icacls \\fssrv01\d$\docs /grant bjackson:F

If you receive an “Access is denied” error when trying to change permissions on a file or folder using icacls:

  • Check that you are running at an elevated command prompt (as an administrator);
  • Make sure you are allowed to change the permissions of this object (your account must have “Change permissions” assigned to the object).

Hint. iCACLS doesn’t allow you to list the effective NTFS permissions on a file system object. Use the Security tab in the File Explorer GUI to view the resulting permissions.

Quite a common problem: after copying directories between two drives, you can lose access to folders on the target drive. In this case, you can reset the NTFS permissions.

The following command will reset all explicit and inherited permissions for all folders and files on drive E:

Icacls.exe E:\* /reset /T

If your version of Windows doesn’t support long paths, you won’t be able to change the permissions on an object whose full path is longer than 256 characters (the command fails with the Destination path too long error). In these cases, instead of using the following icacls command:

ICACLS C:\PS\LongFilePath /Q /C /T /reset

You should use:

ICACLS "\\?\C:\PS\LongFilePath" /Q /C /T /reset

ICACLS allows you to set a high integrity level for a file or folder. Only administrators can access and modify files and folders with a high level of integrity.

icacls C:\PS\myfile.txt /setintegritylevel H

The following entry will now appear in the file’s ACL:

Mandatory Label\High Mandatory Level:(NW)

After that, even if the user has Full Control permissions on the file, they will not be able to change it and will receive an Access is denied error.

Note. In addition to the icacls tool, you can manage the NTFS permissions of file system objects using PowerShell.

Changing Ownership on File or Folder Using ICACLS

Using the icacls command, you can change the owner of a file or folder. For example:

icacls c:\ps\secret.docx /setowner John /C /L /Q

  • /Q — suppress success messages;
  • /L — run the command against the symbolic link instead of its target;
  • /C — continue despite errors (error messages will still be displayed).

You can change the owner of all the files in the directory (/T – recursively):

icacls c:\ps\* /setowner John /T /C /L /Q

You can also use icacls to reset the current permissions on file system objects:

icacls C:\ps /T /Q /C /RESET

The permissions on the target folder will be replaced with the permissions inherited from the parent object. This command is equivalent to “Replace all child object permission entries with inheritable permission entries from this object” in File Explorer.

Note that the icacls command with the /setowner option doesn’t allow you to forcibly change the ownership of filesystem objects: if you are not the current owner of the object, you cannot change its owner this way. In that case, use the takeown command to take file or folder ownership first.

To find all files with non-canonical ACLs, or ACLs whose length does not match the number of ACEs, use the /verify parameter:

icacls "c:\test" /verify /T

How to Backup and Restore NTFS ACLs Using ICACLS

The icacls command allows you to save the ACL of the current object to a plain text file. You can then apply the saved permission list to the same or other objects (a simple way to back up ACLs).

Export the current ACL of the folder and save it to a *.TXT file:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /T

This command saves ACLs not only for the directory itself but also for all subfolders and files. You can open the resulting text file using notepad or any text editor.

To apply saved ACLs to the folder (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt /T /C /Q

This makes it much easier to copy ACLs from one folder to another (or between hosts).

Article information

Author: Manual Maggio