MS-DOS and Windows command line icacls command
Icacls is an external command and is available for the following Microsoft operating systems as icacls.exe.
icacls name /save aclfile [/T] [/C] [/L] [/Q]
Stores the DACLs for the files and folders that match name into aclfile for later use with /restore. Note that SACLs, owner, and integrity labels are not saved.
icacls directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]
Applies the stored DACLs to files in directory.
icacls name /setowner user [/T] [/C] [/L] [/Q]
Changes the owner of all matching names. This option does not force a change of ownership; use the takeown.exe utility for that purpose.
icacls name /findsid Sid [/T] [/C] [/L] [/Q]
Finds all matching names that contain an ACL explicitly mentioning Sid.
icacls name /verify [/T] [/C] [/L] [/Q]
Finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.
icacls name /reset [/T] [/C] [/L] [/Q]
Replaces ACLs with default inherited ACLs for all matching files.
icacls name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] [Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]]
| Option | Description |
|---|---|
| /grant[:r] Sid:perm | Grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions. |
| /deny Sid:perm | Explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed. |
| /remove[:[g\|d]] Sid | Removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights to that Sid. With :d, it removes all occurrences of denied rights to that Sid. |
| /setintegritylevel Level | Explicitly adds an integrity ACE to all matching files. The level is specified as one of L (low), M (medium), or H (high). Inheritance options for the integrity ACE may precede the level, and are applied only to directories. |
| /inheritance:e\|d\|r | e - Enables inheritance. d - Disables inheritance and copies the ACEs. r - Removes all inherited ACEs. |
| /T | Indicates that this operation is performed on all matching files/directories below the directories specified in the name. |
| /C | Indicates that this operation continues on all file errors. Error messages are still shown. |
| /L | Indicates that for any symbolic links encountered, this operation is to be performed on the symbolic link itself, rather than its target. |
| /Q | Indicates that icacls should suppress success messages. |

Sids may be in either numerical or friendly name form. If a numerical form is given, prefix the Sid with an asterisk (*).
ICACLS preserves the canonical ordering of ACE entries:
- Explicit denials.
- Explicit grants.
- Inherited denials.
- Inherited grants.
The permission mask perm can be specified as a sequence of simple rights:
- N: no access.
- F: full access.
- M: modify access.
- RX: read and execute access.
- R: read-only access.
- W: write-only access.
- D: delete access.
Alternatively, perm may be specified as a comma-separated list of specific rights, enclosed in parentheses:
- DE: delete.
- RC: read control.
- WDAC: write DAC.
- WO: write owner.
- S: synchronize.
- AS: access system security.
- MA: maximum allowed.
- GR: generic read.
- GW: generic write.
- GE: generic execute.
- GA: generic all.
- RD: read data/list directory.
- WD: write data/add file.
- AD: append data/add subdirectory.
- REA: read extended attributes.
- WEA: write extended attributes.
- X: execute/traverse.
- DC: delete child.
- RA: read attributes.
- WA: write attributes.
Inheritance rights may precede either form, and are applied only to directories:
- (OI): object inherit.
- (CI): container inherit.
- (IO): inherit only.
- (NP): don't propagate inherit.
- (I): permission inherited from parent container.
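The rights and inheritance tokens listed above are exactly what icacls prints when it lists a tree, so they can be parsed back for auditing. As an added example (not code from the original page), the PowerShell below parses an icacls listing into ACE objects, flags write-capable rights held by broad principals, and checks the canonical ACE order described above (explicit denials, explicit grants, inherited denials, inherited grants). The listing in `$SampleListing` is constructed for this example; the assumed layout is the one icacls prints with /T, where the first ACE follows the path on the same line, further ACEs for that path are indented to the path width, and denied entries carry a (DENY) token. The principal and right lists are illustrative choices, not icacls definitions.

```powershell
# Added example, not code from the original page. The listing below is
# constructed; the assumed output layout is described in the comments.
$SampleListing = @'
C:\Apps\Reports NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
C:\Apps\Reports\config.ini BUILTIN\Users:(I)(RX)
                           Everyone:(DENY)(W)
C:\Apps\Reports\out.log CONTOSO\svc-reports:(RX,W)

Successfully processed 3 files; Failed processing 0 files
'@

# Rights that let a principal change content, delete, or rewrite the DACL/owner.
$WriteRights = 'F','M','W','D','DE','GA','GW','WD','AD','DC','WDAC','WO'
# Principals that most or all logged-on users belong to (illustrative list).
$BroadPrincipals = 'Everyone','NT AUTHORITY\Authenticated Users','BUILTIN\Users','NT AUTHORITY\INTERACTIVE'

function ConvertFrom-IcaclsListing {
    # Turns icacls listing text into one object per ACE.
    param([string]$Text)
    $lines = $Text -split "`r?`n"
    $path = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -notmatch ':\(') { continue }        # blank and summary lines carry no ACE
        if ($line -match '^\S') {
            # New path. Its width is recovered from the indent of the following
            # continuation line; with a single ACE we fall back to the first space,
            # which is ambiguous only when the path itself contains spaces.
            $next = if ($i + 1 -lt $lines.Count) { $lines[$i + 1] } else { '' }
            if ($next -match '^(\s+)\S.*:\(') { $width = $Matches[1].Length - 1 }
            else { $width = $line.IndexOf(' ') }
            $path = $line.Substring(0, $width)
            $ace  = $line.Substring($width + 1)
        } else {
            $ace = $line.Trim()
        }
        if ($ace -match '^(?<principal>.+?):(?<flags>(?:\([^)]*\))+)$') {
            $tokens = @([regex]::Matches($Matches.flags, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
            # All groups but the last are flags ((I), (OI), (CI), (IO), (NP), (DENY));
            # the last group is the rights mask, simple or comma-separated specific.
            $rights = @(($tokens[-1] -split ',') | ForEach-Object { $_.Trim() })
            $flags  = if ($tokens.Count -gt 1) { $tokens[0..($tokens.Count - 2)] } else { @() }
            [pscustomobject]@{
                Path      = $path
                Principal = $Matches.principal
                Deny      = $flags -contains 'DENY'
                Inherited = $flags -contains 'I'
                Flags     = @($flags | Where-Object { $_ -ne 'DENY' })
                Rights    = $rights
            }
        }
    }
}

function Find-BroadWriteAccess {
    # Allow ACEs that hand a write-capable right to a broad principal.
    param([object[]]$Aces)
    $Aces | Where-Object {
        -not $_.Deny -and
        $BroadPrincipals -contains $_.Principal -and
        ($_.Rights | Where-Object { $WriteRights -contains $_ })
    }
}

function Test-CanonicalOrder {
    # Ranks each ACE (explicit deny 0, explicit allow 1, inherited deny 2,
    # inherited allow 3) and reports a path as canonical when ranks never decrease.
    param([object[]]$Aces)
    $Aces | Group-Object Path | ForEach-Object {
        $ranks = @($_.Group | ForEach-Object {
            $(if ($_.Inherited) { 2 } else { 0 }) + $(if ($_.Deny) { 0 } else { 1 })
        })
        $ok = $true
        for ($j = 1; $j -lt $ranks.Count; $j++) { if ($ranks[$j] -lt $ranks[$j - 1]) { $ok = $false } }
        [pscustomobject]@{ Path = $_.Name; Canonical = $ok }
    }
}

$aces = ConvertFrom-IcaclsListing -Text $SampleListing
# Flags Authenticated Users with (M) on C:\Apps\Reports; the Everyone entry is a deny and is skipped.
Find-BroadWriteAccess -Aces $aces | Format-Table Path, Principal, Rights
# Reports config.ini as non-canonical: an explicit deny sits after an inherited allow.
Test-CanonicalOrder -Aces $aces | Format-Table
# For a live tree, replace the sample with:  icacls C:\Apps\Reports /T | Out-String
```

The ordering check is a quick triage only; `icacls name /verify` remains the authoritative test, since it also catches ACLs whose lengths disagree with their ACE counts, which cannot be seen in the listing.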
icacls c:\windows\* /save ACLfile /T
Save the ACLs for all files under c:\windows and any of its subdirectories to ACLfile.
icacls c:\windows\ /restore ACLfile
Restore the ACLs for every file within ACLfile that exists in c:\windows, and in any of its subdirectories.
icacls file /grant Administrator:(D,WDAC)
Grants the user Administrator the Delete and Write DAC permissions to file.
icacls file /grant *S-1-1-0:(D,WDAC)
Grants the principal identified by SID S-1-1-0 (the well-known Everyone group) the Delete and Write DAC permissions to file.
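The examples above are single commands. As an added example that is not part of the original page, the PowerShell script below chains them into a hardening change that can be undone: it records the DACLs of a directory tree with /save, cuts inheritance while keeping copies of the inherited entries, removes broad principals, grants a single account read/execute only, checks the result with /verify, and runs /restore if any step fails. The directory C:\Apps\Reports, the account CONTOSO\svc-reports, the backup file path and the principals removed (Everyone via *S-1-1-0, and BUILTIN\Users) are assumptions for the example.

```powershell
# Added example, not code from the original page. Target, account and backup
# location are assumed values; adjust before use.
param(
    [string]$Target  = 'C:\Apps\Reports',           # assumed directory to harden
    [string]$Account = 'CONTOSO\svc-reports',       # assumed service account
    [string]$Backup  = "$env:TEMP\reports-dacl.bak" # assumed /save output file
)

function Invoke-Icacls {
    # Runs icacls.exe with the given argument list and throws on a non-zero
    # exit code, so a partially applied change is never silently accepted.
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$output"
    }
    $output
}

# 1. Save the DACLs of the directory and everything under it. /save records
#    names relative to the parent of Target, so /restore later runs against
#    that parent. Only DACLs are saved: owner, SACL and integrity labels are not.
$parent = Split-Path -Path $Target -Parent
Invoke-Icacls @($Target, '/save', $Backup, '/T', '/C', '/Q') | Out-Null

try {
    # 2. Stop inheriting from the parent of Target but keep copies of the
    #    inherited ACEs, so the tree is never left with an empty DACL.
    #    Children keep inheriting from Target itself, so no /T is needed here.
    Invoke-Icacls @($Target, '/inheritance:d', '/Q') | Out-Null

    # 3. Drop every granted or denied entry for Everyone (well-known SID S-1-1-0,
    #    numerical form with the leading asterisk) and BUILTIN\Users, tree-wide.
    Invoke-Icacls @($Target, '/remove', '*S-1-1-0', 'BUILTIN\Users', '/T', '/C', '/Q') | Out-Null

    # 4. Grant the service account read/execute only. (OI)(CI) make the entry
    #    flow to files and subdirectories; :r replaces any earlier explicit grant.
    Invoke-Icacls @($Target, '/grant:r', "${Account}:(OI)(CI)RX", '/Q') | Out-Null

    # 5. Report any file whose ACL is no longer in canonical order.
    Invoke-Icacls @($Target, '/verify', '/T', '/C')
}
catch {
    Write-Warning "Hardening failed, restoring the saved DACLs: $_"
    Invoke-Icacls @($parent, '/restore', $Backup, '/C', '/Q') | Out-Null
    throw
}
```

Run it from an elevated prompt as an account that already holds Write DAC on the tree; /setowner is deliberately not used, since the page notes it does not force an ownership change and that job belongs to takeown.exe. Keep the saved aclfile until the new permissions have been confirmed, because /restore is the only way back once inheritance has been cut.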