C:\Users\Administrator>icacls /?
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    Stores the DACLs of the files and folders that match name into aclfile
    for later use with /restore. Note that SACLs, owners and integrity
    labels are not saved.
ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                 [/C] [/L] [/Q]
    Applies the stored DACLs to the files in directory.
ICACLS name /setowner user [/T] [/C] [/L] [/Q]
    Changes the owner of all matching names. This option does not force a
    change of ownership; use the takeown.exe utility for that purpose.
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    Finds all matching names whose ACL explicitly mentions Sid.
ICACLS name /verify [/T] [/C] [/L] [/Q]
    Finds all files whose ACL is not in canonical form or whose length is
    inconsistent with its ACE count.
ICACLS name /reset [/T] [/C] [/L] [/Q]
    Replaces the ACL of all matching files with the default inherited ACL.
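The /save, /findsid and /restore verbs above combine into a backup, audit, roll-back cycle that is worth seeing end to end. The PowerShell script below is an added example, not part of the icacls help text: it takes a DACL backup of a throwaway directory tree, simulates permission drift by granting Everyone modify rights, uses /findsid to locate ACEs that name broad well-known groups, and rolls the tree back from the backup. The paths, the sample tree, the "drift" and the Find-BroadAces helper are constructed for the demo; the friendly names are the ones English Windows displays (other locales localise them).

```powershell
# Added example, not part of the icacls help text. Takes a DACL backup of a
# directory tree with /save, simulates permission drift, audits the tree with
# /findsid for ACEs that name broad well-known groups, and rolls back with
# /restore. Assumptions: PowerShell on Windows; $Root, the sample tree and
# the "drift" are constructed for the demo; friendly names are those shown by
# English Windows (other locales localise them).

$Root    = Join-Path $env:TEMP 'icacls-demo'
$AclFile = Join-Path $env:TEMP 'icacls-demo.acl'

# Well-known SIDs that should rarely carry explicit write-capable ACEs.
$Broad = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Find-BroadAces([string]$Path) {
    # /findsid prints "SID Found: <name>." for each matching name whose ACL
    # mentions the SID; numeric SIDs need the leading *.
    foreach ($sid in $Broad.Keys) {
        $label = $Broad[$sid]
        icacls $Path /findsid "*$sid" /T /C 2>$null |
            Where-Object { $_ -like 'SID Found:*' } |
            ForEach-Object {
                $name = ($_ -replace '^SID Found:\s*', '') -replace '\.$', ''
                # Pull that principal's ACE text out of the full listing so the
                # rights and inheritance flags ((OI)(CI)(I) ...) are visible.
                $ace = icacls $name 2>$null |
                       Where-Object { $_ -like "*${label}:*" } |
                       ForEach-Object { $_.Substring($_.IndexOf("${label}:")) }
                [pscustomobject]@{ Principal = $label; Path = $name; ACE = ($ace -join '; ') }
            }
    }
}

# Constructed sample tree.
New-Item -ItemType Directory -Force -Path "$Root\sub" | Out-Null
Set-Content -Path "$Root\sub\app.conf" -Value 'constructed sample content'

# 1. Backup. /save stores DACLs only (owner, SACL and integrity label are not
#    saved). Names are stored as given on the command line, so save with
#    relative names from $Root and restore from the same place.
Push-Location $Root
icacls * /save $AclFile /T /Q | Out-Null
Pop-Location

# 2. Simulated drift: Everyone (S-1-1-0) may modify everything below "sub".
icacls "$Root\sub" /grant '*S-1-1-0:(OI)(CI)M' /Q | Out-Null

# 3. Audit: "sub" is expected to be listed with an Everyone (OI)(CI)(M) ACE.
'--- findings after drift'
Find-BroadAces $Root | Format-Table -AutoSize

# 4. Roll back from the backup and re-audit; the Everyone ACE should be gone.
Push-Location $Root
icacls . /restore $AclFile /Q | Out-Null
Pop-Location
'--- findings after /restore'
Find-BroadAces $Root | Format-Table -AutoSize

Remove-Item -Recurse -Force $Root, $AclFile
```

Because /save records only the DACL, a real roll-back of a tree that also had owner or SACL changes needs /setowner (or takeown.exe) and a separate SACL tool in addition to /restore.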
ICACLS name [/grant[:r] Sid:perm[...]]
            [/deny Sid:perm [...]]
            [/remove[:g|:d] Sid[...]] [/T] [/C] [/L] [/Q]
            [/setintegritylevel Level:policy[...]]
    /grant[:r] Sid:perm grants the specified user access rights. With :r,
        the permissions replace any previously granted explicit permissions.
        Without :r, the permissions are added to any previously granted
        explicit permissions.
    /deny Sid:perm explicitly denies the specified user access rights.
        An explicit deny ACE is added for the stated permissions and the
        same permissions are removed from any explicit grant.
    /remove[:[g|d]] Sid removes all occurrences of Sid from the ACL. With
        :g, it removes all granted rights for that Sid. With :d, it removes
        all denied rights for that Sid.
    /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to
        all matching files. The level must be one of:
            L[ow]
            M[edium]
            H[igh]
        Inheritance options for the integrity ACE may precede the level and
        are applied only to directories.
    /inheritance:e|d|r
        e - enables inheritance
        d - disables inheritance and copies the ACEs
        r - removes all inherited ACEs
Note:
    Sids may be given in either numerical or friendly-name form. If the
    numerical form is used, prefix the SID with a *.
    /T indicates that this operation is performed on all matching
        files/directories below the directories specified in name.
    /C indicates that this operation will continue on all file errors.
        Error messages will still be displayed.
    /L indicates that this operation is performed on a symbolic link
        itself rather than on its target.
    /Q indicates that icacls should suppress success messages.
    ICACLS preserves the canonical ordering of ACE entries:
        Explicit denials
        Explicit grants
        Inherited denials
        Inherited grants
    perm is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
            N - no access
            F - full access
            M - modify access
            RX - read and execute access
            R - read-only access
            W - write-only access
            D - delete access
        a comma-separated list, in parentheses, of specific rights:
            DE - delete
            RC - read control
            WDAC - write DAC
            WO - write owner
            S - synchronize
            AS - access system security
            MA - maximum allowed
            GR - generic read
            GW - generic write
            GE - generic execute
            GA - generic all
            RD - read data/list directory
            WD - write data/add file
            AD - append data/add subdirectory
            REA - read extended attributes
            WEA - write extended attributes
            X - execute/traverse
            DC - delete child
            RA - read attributes
            WA - write attributes
        Inheritance rights may precede either form and are applied only to
        directories:
            (OI) - object inherit
            (CI) - container inherit
            (IO) - inherit only
            (NP) - do not propagate inherit
            (I) - permission inherited from parent container
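The grant, deny, remove and inheritance semantics described above are easiest to understand by watching the ACL change step by step. The PowerShell script below is an added example, not part of the icacls help text: on a throwaway directory it applies an additive /grant, a replacing /grant:r, a /deny for specific rights that do not overlap the grant, a /remove:d, an (OI)(CI) grant on the directory, and /inheritance:d, printing the ACL after each step so the canonical ordering and the (I) flag can be checked against the notes above. The path, the file contents and the Show-Acl helper are constructed for the demo; Everyone (S-1-1-0) is used only because it is always present.

```powershell
# Added example, not part of the icacls help text. Exercises /grant,
# /grant:r, /deny, /remove:d and /inheritance on a throwaway directory and
# prints the ACL after each step. Assumes PowerShell on Windows; the path,
# the sample file and the Show-Acl helper are constructed for the demo.

$Dir  = Join-Path $env:TEMP 'icacls-acl-demo'
$File = Join-Path $Dir 'data.txt'
New-Item -ItemType Directory -Force -Path $Dir | Out-Null
Set-Content -Path $File -Value 'constructed sample content'

function Show-Acl([string]$Path, [string]$Step) {
    "--- $Step"
    # icacls prints the name on the first line followed by one ACE per line;
    # drop the trailing "Successfully processed" summary.
    icacls $Path | Where-Object { $_ -notmatch '^Successfully processed' }
}

Show-Acl $File 'initial: every ACE carries (I), it was inherited from $Dir'

# Additive grant: Everyone gets read and execute; other explicit grants stay.
icacls $File /grant '*S-1-1-0:RX' /Q | Out-Null
Show-Acl $File 'after /grant *S-1-1-0:RX'

# /grant:r replaces that principal''s explicit ACEs instead of merging them,
# so RX is replaced by R rather than being combined with it.
icacls $File /grant:r '*S-1-1-0:R' /Q | Out-Null
Show-Acl $File 'after /grant:r *S-1-1-0:R'

# Explicit deny of specific rights (write data, append data). Because these
# bits are not part of R, the explicit R grant is left intact; the deny ACE
# is listed ahead of the grants, which is the canonical order.
icacls $File /deny '*S-1-1-0:(WD,AD)' /Q | Out-Null
Show-Acl $File 'after /deny *S-1-1-0:(WD,AD)'

# /remove:d strips only the denied ACEs for the SID; the R grant remains.
icacls $File /remove:d '*S-1-1-0' /Q | Out-Null
Show-Acl $File 'after /remove:d *S-1-1-0'

# Inheritance flags are applied only to directories: (OI)(CI) makes the ACE
# flow to files and subfolders below $Dir, which $File then shows as (I).
icacls $Dir /grant '*S-1-1-0:(OI)(CI)RX' /Q | Out-Null
Show-Acl $Dir  'directory after /grant *S-1-1-0:(OI)(CI)RX'
Show-Acl $File 'file now also carries the inherited (I) copy'

# /inheritance:d converts inherited ACEs into explicit copies: the (I) flag
# disappears and later changes on $Dir no longer reach $File.
icacls $File /inheritance:d /Q | Out-Null
Show-Acl $File 'after /inheritance:d'
icacls $File /verify

# Clean up: /reset puts the default inherited ACL back before deletion.
icacls $File /reset /Q | Out-Null
Remove-Item -Recurse -Force $Dir
```

The deny step uses specific rights on purpose: a simple-rights deny such as W shares READ_CONTROL and SYNCHRONIZE bits with R, and icacls strips those shared bits from the explicit grant, which is exactly the "same permissions are removed from any explicit grant" rule above and is easy to trip over when denying and granting the same principal.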
Examples:
    icacls c:\windows\* /save AclFile /T
    - Will save the ACLs for all files under c:\windows and its
      subdirectories to AclFile.
    icacls c:\windows\ /restore AclFile
    - Will restore the ACLs for every file within AclFile that exists in
      c:\windows and its subdirectories.
    icacls file /grant Administrator:(D,WDAC)
    - Will grant the user Administrator Delete and Write DAC permissions
      to file.
    icacls file /grant *S-1-1-0:(D,WDAC)
    - Will grant the user defined by SID S-1-1-0 Delete and Write DAC
      permissions to file.