Starting with Windows Vista and Windows Server 2003 Service Pack 2, Microsoft provides a new command-line tool, icacls, that you can use to view, set, save, and restore permissions (ACLs) on a folder or file. It is more capable than the older cacls tool.
icacls name /save AclFile [/T] [/C] [/L] [/Q]
    stores the ACLs for all matching names in AclFile for later use with /restore.

icacls directory [/substitute SidOld SidNew [...]] /restore AclFile [/C] [/L] [/Q]
    applies the stored ACLs to files in directory.

icacls name /setowner user [/T] [/C] [/L] [/Q]
    changes the owner of all matching names.

icacls name /findsid Sid [/T] [/C] [/L] [/Q]
    finds all matching names that contain an ACL explicitly mentioning Sid.

icacls name /verify [/T] [/C] [/L] [/Q]
    finds all files whose ACL is not in canonical form or whose length is inconsistent with its ACE count.

icacls name /reset [/T] [/C] [/L] [/Q]
    replaces the ACLs with the default inherited ACLs for all matching files.

icacls name [/grant[:r] Sid:perm[...]]
       [/deny Sid:perm [...]]
       [/remove[:g|:d] Sid[...]] [/T] [/C] [/L] [/Q]
       [/setintegritylevel Level:policy[...]]
    /grant[:r] Sid:perm grants the specified user access rights. With :r, the
        permissions replace any previously granted explicit permissions. Without
        :r, the permissions are added to any previously granted explicit permissions.

    /deny Sid:perm explicitly denies the specified user access rights. An
        explicit deny ACE is added for the stated permissions, and the same
        permissions are removed from any explicit grant.

    /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With :g, it
        removes all rights granted to that Sid. With :d, it removes all rights
        denied to that Sid.

    /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to all
        matching files. The level is specified as one of:
            L[ow]
            M[edium]
            H[igh]
        Inheritance options for the integrity ACE may precede the level and
        apply only to directories.
Note:
    Sids may be given in either numerical or friendly-name form. If the
    numerical form is given, prefix the SID with a *.

    /T indicates that the operation is performed on all matching files and
        directories below the directories specified in name.

    /C indicates that the operation continues past any file errors. Error
        messages are still displayed.

    /L indicates that the operation is performed on a symbolic link itself
        rather than on its target.

    /Q indicates that icacls should suppress success messages.

    icacls preserves the canonical ordering of ACE entries:
        explicit denials
        explicit grants
        inherited denials
        inherited grants
    perm is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
            F - full access
            M - modify access
            RX - read and execute access
            R - read-only access
            W - write-only access
        a comma-separated list, in parentheses, of specific rights:
            D - delete
            RC - read control
            WDAC - write DAC
            WO - write owner
            S - synchronize
            AS - access system security
            MA - maximum allowed
            GR - generic read
            GW - generic write
            GE - generic execute
            GA - generic all
            RD - read data/list directory
            WD - write data/add file
            AD - append data/add subdirectory
            REA - read extended attributes
            WEA - write extended attributes
            X - execute/traverse
            DC - delete child
            RA - read attributes
            WA - write attributes
        inheritance rights may precede either form and apply only to directories:
            (OI) - object inherit
            (CI) - container inherit
            (IO) - inherit only
            (NP) - don't propagate inherit
Examples:
    icacls c:\windows\* /save AclFile /T
    - saves the ACLs for all files under c:\windows and its subdirectories
      to AclFile.

    icacls c:\windows\ /restore AclFile
    - restores the ACLs for every file listed in AclFile that exists in
      c:\windows and its subdirectories.

    icacls file /grant Administrator:(D,WDAC)
    - grants the user Administrator Delete and Write DAC permissions on file.

    icacls file /grant *S-1-1-0:(D,WDAC)
    - grants the user identified by SID S-1-1-0 Delete and Write DAC
      permissions on file.
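The following PowerShell script is an added example, not part of the original help text, that strings the options above together the way an administrator hardening a share would: snapshot the tree's ACLs with /save, apply a least-privilege inherited grant, check the result with /verify, and keep a /restore path for rollback. The folder path, group name and backup file location are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original page). Assumed values: change them
# for your environment. Requires an elevated PowerShell session.
param(
    [string]$Target    = 'C:\Shares\Reports',       # assumed folder
    [string]$Principal = 'CONTOSO\ReportReaders',   # assumed group
    [string]$Backup    = "$env:TEMP\Reports-acl.txt" # assumed backup file
)

function Invoke-Icacls([string[]]$Arguments) {
    # Run icacls, echo its output, and fail loudly on a non-zero exit code
    # so a half-applied change does not go unnoticed.
    $output = & icacls @Arguments 2>&1
    $output | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $output
}

# 1. Snapshot: store the DACLs of everything under $Target so the change
#    can be reverted. /T recurses, /C continues past per-file errors,
#    /Q suppresses the per-file success lines.
Invoke-Icacls @("$Target\*", '/save', $Backup, '/T', '/C', '/Q') | Out-Null

# 2. Harden: grant read-and-execute only. (OI)(CI) makes the ACE inherit to
#    files and subfolders. Without :r the grant is added to any existing
#    explicit grant for the principal rather than replacing it.
Invoke-Icacls @($Target, '/grant', "${Principal}:(OI)(CI)RX", '/T', '/C', '/Q') | Out-Null

# 3. Verify: list any file whose ACL is non-canonical or whose length does
#    not match its ACE count (ordering matters because explicit denies must
#    precede grants for a deny to be honoured).
Invoke-Icacls @($Target, '/verify', '/T', '/C') | Out-Null

# 4. Review: show the entries that now mention the principal on the root.
& icacls $Target | Select-String -SimpleMatch $Principal

# Rollback (uncomment when needed): /restore expects the directory the
# saved paths are relative to, matching the page's c:\windows example.
# Invoke-Icacls @($Target, '/restore', $Backup, '/C', '/Q') | Out-Null
```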