Using iCACLS to List Folder Permissions and Manage Files

One of the typical tasks for a Windows administrator is managing NTFS permissions on folders and files. To manage NTFS permissions, you can use the File Explorer graphical interface (the Security tab in the properties of a folder or file) or the built-in iCACLS command-line utility. In this article we'll look at examples of using the iCACLS command to view and manage folder and file permissions.


How to List File and Folder Permissions Using the iCACLS Command?

The iCACLS command allows you to display or change the Access Control Lists (ACLs) of files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (used in Windows XP).

To show current NTFS permissions on a specific folder (for example, C:\PS), open a Command prompt and run the command:

icacls c:\PS

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions returned by the iCACLS command:

c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files


The access level is listed after each group or user. The access permissions are indicated using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user:

  • (OI) — object inherit;
  • (CI) — container inherit;
  • (M) —  modify access.

This means that this user has the right to write and modify file system objects in this directory, and that these rights are inherited by all child objects of the directory.

Below is a complete list of permissions that can be set using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit;
  • (CI)  —  container inherit;
  • (IO)  —  inherit only;
  • (NP)  —  don’t propagate inherit;
  • (I)  — permission inherited from parent container.

List of basic access permissions:

  • D  —  delete access;
  • F  —  full access;
  • N  —  no access;
  • M  —  modify access;
  • RX  —  read and eXecute access;
  • R  —  read-only access;
  • W  —  write-only access.

Detailed permissions:

  • DE  —  delete;
  • RC  —  read control;
  • WDAC  —  write DAC;
  • WO   — write owner;
  • S  —  synchronize;
  • AS  —  access system security;
  • MA  —  maximum allowed permissions;
  • GR  —  generic read;
  • GW  —  generic write;
  • GE  —  generic execute;
  • GA  —  generic all;
  • RD  —  read data/list directory;
  • WD  —  write data/add file;
  • AD  — append data/add subdirectory;
  • REA  —  read extended attributes;
  • WEA  —  write extended attributes;
  • X  —  execute/traverse;
  • DC  —  delete child;
  • RA  —  read attributes;
  • WA  —  write attributes.
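The listing above is plain text, which is awkward to audit across many folders. The following PowerShell is an added example (not from the original article) that turns icacls output into objects using the abbreviations listed above, and then flags allow ACEs that give write-class rights to broad groups. It assumes the output layout shown earlier (the path on the first line, one "identity:(flags)" ACE per line, a summary line last) and that the path itself contains no spaces; the sample lines are constructed from the article's listing plus one extra ACE.

```powershell
# Added example, not from the original article: parse icacls output into objects
# and flag ACEs a reviewer would want to look at. Assumes the standard layout
# (path on the first line, one "identity:(flags)" ACE per line, summary last).

function ConvertFrom-IcaclsOutput {
    param([string[]]$Lines)
    $inheritFlags = 'OI', 'CI', 'IO', 'NP', 'I'
    $path = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line -like 'Successfully processed*') { continue }
        # First line is "<path> <identity>:(flags)"; assumes the path has no spaces
        if ($line -match '^(?<p>[A-Za-z]:\\\S*)\s+(?<rest>\S.*)$') {
            $path = $Matches.p
            $line = $Matches.rest
        }
        $colon = $line.IndexOf(':')
        if ($colon -lt 1) { continue }
        $identity = $line.Substring(0, $colon)
        # "(I)(OI)(CI)(F)" -> I, OI, CI, F; detailed rights like "(RD,REA,RA)" are split on commas
        $tokens = foreach ($m in [regex]::Matches($line.Substring($colon + 1), '\(([^)]+)\)')) {
            $m.Groups[1].Value.ToUpperInvariant() -split ','
        }
        $type = if ($tokens -contains 'DENY') { 'Deny' } else { 'Allow' }
        [pscustomobject]@{
            Path        = $path
            Identity    = $identity
            Type        = $type
            Inherited   = ($tokens -contains 'I')
            Inheritance = @($tokens | Where-Object { $_ -in $inheritFlags -and $_ -ne 'I' })
            Rights      = @($tokens | Where-Object { $_ -notin $inheritFlags -and $_ -ne 'DENY' })
        }
    }
}

function Find-BroadWriteAce {
    # Allow ACEs that give write-class rights to well-known broad groups.
    param([object[]]$Aces)
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeRights = 'F', 'M', 'W', 'GA', 'GW', 'WD', 'AD', 'WDAC', 'WO'
    $Aces | Where-Object {
        $_.Type -eq 'Allow' -and
        $_.Identity -in $broadGroups -and
        @($_.Rights | Where-Object { $_ -in $writeRights }).Count -gt 0
    }
}

# Constructed sample: the article's listing plus one explicit Everyone:(W) ACE to flag.
$sample = @(
    'c:\PS CORP\someusername:(OI)(CI)(M)',
    '      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)',
    '      BUILTIN\Administrators:(I)(OI)(CI)(F)',
    '      BUILTIN\Users:(I)(OI)(CI)(RX)',
    '      Everyone:(OI)(CI)(W)',
    '      CREATOR OWNER:(I)(OI)(CI)(IO)(F)',
    '',
    'Successfully processed 1 files; Failed processing 0 files'
)

$aces = ConvertFrom-IcaclsOutput -Lines $sample
$aces | Format-Table Identity, Type, Inherited, Inheritance, Rights -AutoSize
Find-BroadWriteAce -Aces $aces | Format-Table Identity, Rights -AutoSize

# Live use on a real folder:
# ConvertFrom-IcaclsOutput -Lines (icacls C:\PS) | Where-Object { -not $_.Inherited }
```

On the constructed sample only the Everyone:(OI)(CI)(W) entry is reported; CORP\someusername:(M) is explicit but not a broad group, and BUILTIN\Users only has RX. Running the live form over a share root with `icacls <path> /t` lets you review every explicit (non-inherited) ACE in one table.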

If you need to find all the objects in the specified directory and its subdirectories whose ACL contains the SID of a specific user or group, use the command:

icacls C:\PS /findsid [User/Group_SID_here] /t /c /l /q

Save and Restore NTFS ACLs Using ICACLS

Using the icacls command, you can save the current ACLs of objects into a text file and then apply the saved permission list to the same or other objects (a simple way to back up ACLs).

To export the current ACLs of the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t

This command saves the ACLs not only of the directory itself but of all its subfolders and files. The resulting text file can be opened in Notepad or any text editor.


To apply saved access ACLs (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt

This makes transferring ACLs from one folder to another much easier.

Use iCACLS to Grant/Modify Folder’s or File’s Permissions

With the icacls command, you can change the access lists of a folder. For example, suppose you want to grant the user John permission to modify the contents of the folder C:\PS. Execute the command:

icacls C:\PS /grant John:M

To grant the NYUsers domain group Full Control and apply the setting to all subfolders and files:

icacls "C:\PS" /grant domain\NYUsers:F /Q /C /T

You can remove all of John's permissions with the command:

icacls C:\PS /remove John

You can also prevent a user or group from accessing a file or folder with an explicit deny rule, like this:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind that deny rules have a higher priority than allow rules.

You can enable or disable permission inheritance on folder/file objects using the /inheritance option of the icacls command. To disable inheritance on a file system object while keeping a copy of the currently inherited permissions as explicit permissions, run the command:

icacls c:\PS /inheritance:d

To disable inheritance and remove all inherited permissions, run:

icacls c:\PS /inheritance:r

To enable the inherited permissions on file or folder object:

icacls c:\PS /inheritance:e

In some cases, you may receive an “Access is denied” error when trying to change permissions on a file or folder using the icacls tool. First make sure that you are running the cmd window with elevated rights (run as administrator). Since icacls is not a UAC-aware tool, you won't see an elevation prompt.

If the error persists, list the current file permissions and make sure that your account has the “Change permissions” right on the file.
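The grant, deny and /inheritance commands above are usually applied together, and the /save command from the previous section is what lets you undo them. The following PowerShell is an added example (not from the original article) that strings these steps together for one folder: it checks that the session is elevated (because icacls will not prompt for UAC), backs up the current ACLs with /save, disables inheritance, replaces the BUILTIN\Users entry with an explicit group grant and an explicit deny, then reads the ACL back to confirm the result. The folder path, the group names and the backup location are assumptions; change them for your environment.

```powershell
# Added example, not from the original article: apply an explicit ACL to a folder
# with a /save backup first and a read-back check afterwards. Folder, group names
# and backup location below are assumptions.
param(
    [string]$Folder    = 'C:\PS',
    [string]$Group     = 'CORP\PS-Editors',   # assumed group that should modify
    [string]$DenyGroup = 'CORP\Contractors',  # assumed group that must never modify
    [string]$BackupDir = 'C:\temp\acl-backups'
)

# icacls does not request elevation itself, so check before changing anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session; icacls will not prompt for UAC.'
}

function Invoke-Icacls {
    # Run icacls with the given arguments, fail on a non-zero exit code, return its output.
    param([string[]]$Arguments)
    $out = & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $out
}

# 1. Back up the current ACLs so the change can be reverted with /restore.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir ("{0}-{1}.txt" -f ($Folder -replace '[:\\]', '_'), $stamp)
Invoke-Icacls -Arguments @("$Folder\*", '/save', $backup, '/t', '/c', '/q') | Out-Null

# 2. Stop inheriting (keeping the current ACEs as explicit ones), then edit them.
#    ${Group} is needed because "$Group:" would be read as a scope qualifier.
Invoke-Icacls -Arguments @($Folder, '/inheritance:d') | Out-Null
Invoke-Icacls -Arguments @($Folder, '/remove', 'BUILTIN\Users', '/t', '/c', '/q') | Out-Null
Invoke-Icacls -Arguments @($Folder, '/grant', "${Group}:(OI)(CI)M", '/t', '/c', '/q') | Out-Null
Invoke-Icacls -Arguments @($Folder, '/deny', "${DenyGroup}:(OI)(CI)(W,D,WDAC,WO)", '/t', '/c', '/q') | Out-Null

# 3. Verify the ACL is canonical and read it back to confirm the expected entries.
Invoke-Icacls -Arguments @($Folder, '/verify', '/t', '/c', '/q') | Out-Null
$acl = Invoke-Icacls -Arguments @($Folder)
if (-not ($acl -match [regex]::Escape("${Group}:(OI)(CI)(M)"))) {
    throw "Expected ACE for $Group not found; revert with: icacls $Folder /restore $backup"
}
if ($acl -match 'BUILTIN\\Users:') {
    throw "BUILTIN\Users is still present on $Folder; revert with: icacls $Folder /restore $backup"
}
Write-Host "ACL applied to $Folder; backup saved at $backup"
$acl
```

Note that /inheritance:d is applied to the folder only (no /T), so its children keep inheriting from the folder, which now carries explicit ACEs; the /remove, /grant and /deny calls use /T so that any explicit entries already present on children are updated too. The deny entry lists only write-class rights (W, D, WDAC, WO) rather than full access, so the denied group can still read if it is granted read elsewhere, which is usually what "must not modify" means.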

Changing Ownership Using ICACLS on Windows

Using the icacls command, you can change the owner of a directory or file, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q – do not display success messages;
  • /L – perform the operation on the symbolic link itself rather than on its target;
  • /C – continue the operation despite file errors (error messages are still displayed);
  • /T – perform the operation on all files and directories located in the specified directory and its subdirectories.

You can change the owner of all the files in the directory:

icacls c:\ps\* /setowner John /T /C /L /Q

You can also use icacls to reset the current permissions on file system objects:

ICACLS C:\ps /T /Q /C /RESET


After this command runs, all current permissions on the file system objects in the specified folder are reset and replaced with the permissions inherited from the parent object.

Note that the icacls command with the /setowner option doesn't allow you to forcibly take ownership of a file system object. If you are not the object's current owner, use the takeown.exe command to replace the file or folder owner.

To find all files whose ACL is non-canonical or whose ACL length does not match the number of ACEs, use the /verify parameter:

icacls "c:\test" /verify /T

Using icacls in a PowerShell Script to Change Permissions

If you need to walk a folder tree and change NTFS permissions only on certain types of files, you can call the icacls utility from your PowerShell scripts. For example, suppose you need to find all files in your shared network folder with the phrase “pass” in the name and the *.docx extension and grant read access to them to the ITSec domain security group. You can use the following PowerShell script (don't forget to change the folder path):

# Find every .docx file under d:\docs (recursively); the text above describes *.docx files
$files = Get-ChildItem "d:\docs" -Recurse -File | Where-Object { $_.Extension -eq ".docx" }

foreach ($file in $files) {
    # Only files with "pass" somewhere in the file name
    if ($file.Name -like "*pass*") {
        # The ACE is quoted so PowerShell does not try to interpret the parentheses
        icacls $file.FullName /grant "corp\ITSec:(R)"
        Write-Host $file.FullName
    }
}
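The loop above hard-codes the folder, the extension, the group and the right, and it does not tell you which files failed (for example with the “Access is denied” error discussed earlier). The following PowerShell is an added example (not the article's script) that generalizes it into a function: the root folder, extension, name pattern, principal and right are parameters, -WhatIf lists what would change without running icacls, and each file's icacls exit code is returned as an object so failures can be filtered out. The example values (D:\docs, corp\ITSec) are assumptions.

```powershell
# Added example, not the article's script: a parameterized version of the loop above.
# Root folder, extension, name pattern, principal and right are parameters; the
# example values at the bottom (D:\docs, corp\ITSec) are assumptions.

function Grant-MatchingFileAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Extension   = '.docx',
        [string]$NamePattern = '*pass*',
        [Parameter(Mandatory)][string]$Principal,          # e.g. 'corp\ITSec'
        [ValidateSet('R', 'RX', 'M', 'F')][string]$Right = 'R'
    )
    $files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -eq $Extension -and $_.Name -like $NamePattern }

    foreach ($file in $files) {
        # -WhatIf stops here and only prints what would be done
        if (-not $PSCmdlet.ShouldProcess($file.FullName, "grant $Principal $Right")) { continue }

        # Quote the ACE so PowerShell does not parse the parentheses; /q suppresses
        # the success message, so any output left is an error text from icacls.
        $out = & icacls.exe $file.FullName /grant "${Principal}:($Right)" /q
        [pscustomobject]@{
            File    = $file.FullName
            Success = ($LASTEXITCODE -eq 0)
            Message = (($out -join ' ').Trim())
        }
    }
}

# Dry run first: lists the files that would be changed, runs nothing.
Grant-MatchingFileAccess -Root 'D:\docs' -Principal 'corp\ITSec' -Right R -WhatIf

# Apply, then show only the files where icacls reported a failure.
Grant-MatchingFileAccess -Root 'D:\docs' -Principal 'corp\ITSec' -Right R |
    Where-Object { -not $_.Success } | Format-Table File, Message -AutoSize
```

Because the function emits one object per file, the full run can also be exported with Export-Csv as a record of which files were changed, which is useful when the same script is run on a schedule against a share.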
Cyril Kardashevsky

3 comments

  1. How could I apply the rights to a specific user with the same name as the user folder?
    Example:
    C:\users\james -> should become Full Access for the domain user “James”
    C:\users\john -> should become Full Access for the domain user “John”
