CACLS - Displays or modifies access control lists (ACLs) of files.

CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm [...]]
      [/R user [...]] [/P user:perm [...]] [/D user [...]]

   filename      Displays the ACL of the file.
   /T            Changes the ACL of the specified file in the current directory
                 and all subdirectories.
   /L            Works on the symbolic link itself rather than its target.
   /M            Changes the ACL of volumes mounted to a directory.
   /S            Displays the DACL as an SDDL string.
   /S:SDDL       Replaces the ACL with the one specified in the SDDL string
                 (not valid together with /E, /G, /R, /P, or /D).
   /E            Edits the ACL instead of replacing it.
   /C            Continues when an "access denied" error occurs.
   /G user:perm  Grants the specified user access rights.
                 perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revokes the specified user's access rights (only valid with /E).
   /P user:perm  Replaces the specified user's access rights.
                 perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Denies the specified user access.

Wildcards can be used to specify more than one file in a command.
More than one user can be specified in a command.

Abbreviations:
   CI - Container Inherit. The ACE is inherited by directories.
   OI - Object Inherit.    The ACE is inherited by files.
   IO - Inherit Only.      The ACE does not apply to the current file/directory.
   ID - Inherited.         The ACE was inherited from the parent directory's ACL.
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    Stores the ACLs of all matching names in aclfile for later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                 [/C] [/L] [/Q]
    Applies the stored ACLs to the files in the directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
    Changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    Finds all matching names whose ACL explicitly mentions Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]
    Finds all files whose ACL is not canonical or whose length is inconsistent
    with the ACE count.

ICACLS name /reset [/T] [/C] [/L] [/Q]
    Replaces the ACLs of all matching files with the default inherited ACLs.

ICACLS name [/grant[:r] Sid:perm [...]]
            [/deny Sid:perm [...]]
            [/remove[:g|:d] Sid [...]] [/T] [/C] [/L] [/Q]
            [/setintegritylevel level:policy [...]]
    /grant[:r] Sid:perm  Grants the specified user access rights. With :r, these
        permissions replace any previously granted explicit permissions.
        Without :r, they are added to any previously granted explicit permissions.

    /deny Sid:perm  Explicitly denies the specified user access rights.
        An explicit deny ACE is added for the stated permissions, and the same
        permissions are removed from any explicit grant.

    /remove[:[g|d]] Sid  Removes all occurrences of Sid from the ACL. With :g,
        all rights granted to that Sid are removed. With :d, all rights denied
        to that Sid are removed.

    /setintegritylevel [(CI)(OI)]level  Explicitly adds an integrity ACE to all
        matching files. The level is one of:
            L[ow]
            M[edium]
            H[igh]
        Inheritance options for the integrity ACE may precede the level and are
        applied only to directories.

    /inheritance:e|d|r
        e - enables inheritance
        d - disables inheritance and copies the inherited ACEs
        r - removes all inherited ACEs

Note:
    Sids may be in either numerical or friendly-name form. If a numerical form
    is given, prefix the Sid with a *.

    /T  Performs the operation on all matching files/directories below the
        directories specified in the name.
    /C  Continues the operation despite any file errors. Error messages are
        still displayed.
    /L  Performs the operation on a symbolic link itself instead of its target.
    /Q  Suppresses success messages.
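The /save, /restore and /verify forms listed earlier, combined with /grant:r and /deny above, make up a change procedure with a rollback path: capture the existing ACLs, tighten, check the result, and restore the capture if anything failed. The following PowerShell script is an added example, not part of the icacls help text or of Windows. The directory C:\AppData\Config, the backup file path and the group BUILTIN\Users are placeholder values chosen for the example, and Invoke-Icacls is a helper defined in the script itself.

```powershell
# Added example (not part of the original help text): back up the ACLs of a
# directory tree, tighten one group's rights with icacls, verify the result,
# and roll back from the backup if any step fails.
# $Target, $Backup and $Group are hypothetical values chosen for this example.
param(
    [string]$Target = 'C:\AppData\Config',            # hypothetical directory
    [string]$Backup = "$env:TEMP\acl-backup.txt",     # file written by /save
    [string]$Group  = 'BUILTIN\Users'                 # principal being restricted
)

function Invoke-Icacls {
    # Run icacls.exe with the given argument list; return $true on exit code 0.
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments 2>&1
    $output | ForEach-Object { Write-Verbose $_ }
    return ($LASTEXITCODE -eq 0)
}

# 1. Save the current ACLs of everything under $Target (/T recurse, /C keep going
#    on errors, /Q no success messages) so the change can be undone with /restore.
if (-not (Invoke-Icacls @("$Target\*", '/save', $Backup, '/T', '/C', '/Q'))) {
    throw "Could not back up ACLs under $Target; nothing was changed."
}

try {
    # 2. Replace (:r) the group's explicit rights on the root with read-and-execute
    #    only, inherited by subdirectories (CI) and files (OI). Applying to the
    #    root and letting inheritance propagate avoids stamping an explicit ACE on
    #    every child (which /T would do). Without :r the new ACE would sit next
    #    to any existing explicit grant instead of replacing it.
    if (-not (Invoke-Icacls @($Target, '/grant:r', "${Group}:(OI)(CI)RX", '/C', '/Q'))) {
        throw "grant:r failed"
    }

    # 3. Explicitly deny the group the rights that would let it widen its own
    #    access again: WDAC (write DAC) and WO (write owner). Explicit deny ACEs
    #    come first in canonical order, so they win over inherited grants.
    if (-not (Invoke-Icacls @($Target, '/deny', "${Group}:(OI)(CI)(WDAC,WO)", '/C', '/Q'))) {
        throw "deny failed"
    }

    # 4. Check that every ACL in the tree is still canonical and consistent.
    if (-not (Invoke-Icacls @($Target, '/verify', '/T', '/C', '/Q'))) {
        throw "verify reported a non-canonical or inconsistent ACL"
    }

    Write-Host "ACLs under $Target tightened; entries now on the root:"
    & icacls.exe $Target
}
catch {
    # Any failure after step 1: put the saved ACLs back onto the tree.
    Write-Warning "Rolling back: $_"
    if (-not (Invoke-Icacls @($Target, '/restore', $Backup, '/C', '/Q'))) {
        Write-Error "Rollback failed; inspect $Backup and the tree manually."
    }
}
```

Run it from an elevated PowerShell session with -Verbose to see the icacls output of each step. The backup from step 1 is deliberately taken with `$Target\*` and restored against `$Target`, matching the pairing shown in the help's own /save and /restore examples.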
ICACLS preserves the canonical ordering of ACE entries:
    Explicit denials
    Explicit grants
    Inherited denials
    Inherited grants

perm is a permission mask and can be specified in one of two forms:
    a sequence of simple rights:
        F  - full access
        M  - modify access
        RX - read and execute access
        R  - read-only access
        W  - write-only access
    a comma-separated list in parentheses of specific rights:
        D    - delete
        RC   - read control
        WDAC - write DAC
        WO   - write owner
        S    - synchronize
        AS   - access system security
        MA   - maximum allowed
        GR   - generic read
        GW   - generic write
        GE   - generic execute
        GA   - generic all
        RD   - read data/list directory
        WD   - write data/add file
        AD   - append data/add subdirectory
        REA  - read extended attributes
        WEA  - write extended attributes
        X    - execute/traverse
        DC   - delete child
        RA   - read attributes
        WA   - write attributes
    Inheritance rights may precede either form and are applied only to
    directories:
        (OI) - object inherit
        (CI) - container inherit
        (IO) - inherit only
        (NP) - do not propagate inherit
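The permission masks and inheritance flags above are also what icacls prints back when it lists a file, which makes a listing usable as audit input. The following PowerShell script is an added example, not part of the icacls help text or of Windows: it parses icacls listing output into ACE objects and flags allow entries that give a broad principal (Everyone, BUILTIN\Users and similar) a write-like right. The sample output, the set of broad principals and the list of write-like rights are constructed for this example; the script assumes icacls marks inherited entries with (I) and deny entries with (DENY) in its listing.

```powershell
# Added example (not part of the original help text): a small audit that reads
# icacls listing output and flags ACEs giving broad principals more than read.
# The sample text below is constructed for this example; the rights list and
# the "broad principal" set are this example's own choices.

# Simple rights (F, M, W) or specific rights that allow changing content or the ACL.
$WriteLikeRights = @('F', 'M', 'W', 'WD', 'AD', 'D', 'DC', 'WDAC', 'WO', 'GA', 'GW')
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'Users')

function ConvertFrom-IcaclsOutput {
    # Turn the lines icacls prints for one path into ACE objects.
    # The first line starts with the queried path, so it is stripped using $Path.
    param([string]$Path, [string[]]$Lines)
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line.StartsWith($Path)) { $line = $line.Substring($Path.Length).Trim() }
        $split = $line.IndexOf(':(')          # a principal never contains ':('
        if ($split -lt 1) { continue }        # blank line, summary line, etc.
        $principal = $line.Substring(0, $split)
        $tokens = [regex]::Matches($line.Substring($split + 1), '\(([^()]*)\)') |
                  ForEach-Object { $_.Groups[1].Value }
        $rights = @(); $inherit = @()
        $deny = $false; $inherited = $false
        foreach ($t in $tokens) {
            switch ($t) {
                'DENY' { $deny = $true }                       # deny ACE marker (assumed format)
                'I'    { $inherited = $true }                  # inherited ACE marker (assumed format)
                { $_ -in 'OI','CI','IO','NP' } { $inherit += $_ }
                default { $rights += ($_ -split ',' | ForEach-Object { $_.Trim() }) }
            }
        }
        [pscustomobject]@{
            Path = $Path; Principal = $principal; Deny = $deny
            Inherited = $inherited; Inheritance = ($inherit -join ','); Rights = $rights
        }
    }
}

function Find-OverlyPermissiveAce {
    # Return allow ACEs in which a broad principal holds a write-like right.
    param([object[]]$Aces)
    $Aces | Where-Object {
        -not $_.Deny -and
        ($BroadPrincipals -contains $_.Principal) -and
        (@($_.Rights | Where-Object { $WriteLikeRights -contains $_ }).Count -gt 0)
    }
}

# Constructed sample: what "icacls C:\App\Config" might print for a directory
# where Everyone was granted Modify.
$samplePath = 'C:\App\Config'
$sampleOutput = @(
    'C:\App\Config BUILTIN\Administrators:(OI)(CI)(F)',
    '              NT AUTHORITY\SYSTEM:(OI)(CI)(F)',
    '              Everyone:(OI)(CI)(M)',
    '              BUILTIN\Users:(I)(OI)(CI)(RX)',
    '              BUILTIN\Users:(I)(OI)(CI)(DENY)(WDAC,WO)',
    '              CONTOSO\svc-app:(OI)(CI)(IO)(WD,AD)',
    '',
    'Successfully processed 1 files; Failed processing 0 files'
)

$aces = ConvertFrom-IcaclsOutput -Path $samplePath -Lines $sampleOutput
Find-OverlyPermissiveAce -Aces $aces |
    Format-Table Path, Principal, Inheritance, @{n='Rights'; e={ $_.Rights -join ',' }}
```

Against the constructed sample only the Everyone entry is reported: the Users entries are read-only or a deny, and the service account is not in the broad-principal set. To audit a real tree, replace the sample with the captured lines of `icacls <dir>` for each directory of interest and pass that directory as -Path; the parser handles one path's block at a time.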
Examples:

    icacls c:\windows\* /save AclFile /T
    - Saves the ACLs of all files under c:\windows and its subdirectories
      to AclFile.

    icacls c:\windows\ /restore AclFile
    - Restores the ACLs of every file in AclFile that exists in c:\windows
      and its subdirectories.

    icacls file /grant Administrator:(D,WDAC)
    - Grants the user Administrator Delete and Write DAC permissions to file.

    icacls file /grant *S-1-1-0:(D,WDAC)
    - Grants the user defined by SID S-1-1-0 Delete and Write DAC permissions
      to file.