Using iCACLS to List Folder Permissions and Manage Files

One of the routine tasks of a Windows administrator is managing NTFS permissions on folders and files. You can do this from the File Explorer GUI (the Security tab in the properties of a folder or file) or with the built-in iCACLS command-line tool. In this article, we'll look at examples of using the iCACLS command to view and manage folder and file permissions on Windows.


Each file or folder on an NTFS volume has a security descriptor (SD). Besides the SIDs of the object's owner and primary group, the descriptor holds two access control lists:

  • System Access Control List (SACL) — defines which access attempts Windows audits (it also carries the object's integrity label, covered later in this article);
  • Discretionary Access Control List (DACL) — the list that defines who may access the object and how.

The DACL is made up of access control entries (ACEs). The main fields of each ACE are:

  • the SID of the user or group the entry applies to;
  • the access mask — read, write, execute, etc.;
  • the ACE type — Allow or Deny (plus inheritance flags, which icacls displays using the abbreviations described below).

How to View File and Folder Permissions Using the iCACLS Command?

The iCACLS command allows displaying or changing Access Control Lists (ACLs) for files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (which was used in Windows XP).

The complete syntax of the icacls tool and some useful usage examples can be displayed with the command:

icacls.exe /?


To list current NTFS permissions on a specific folder (for example, C:\PS), open a Command prompt and run the command:

icacls c:\PS

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions list returned by the iCACLS command:

c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files


The permissions assigned to each user or group are listed after its name, using abbreviations. Take the entry for the user CORP\someusername:

  • (OI) — object inherit;
  • (CI) — container inherit;
  • (M) — modify access.

This means the user can read, write, create and delete file system objects in this directory (Modify includes Delete). Because of the (OI) and (CI) flags, the same permissions are inherited by all files and subfolders below it. The (I) flag on the other entries shows that they were themselves inherited from the parent container.

Below is a complete list of permissions that can be set using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit;
  • (CI)  —  container inherit;
  • (IO)  —  inherit only;
  • (NP)  —  don’t propagate inherit;
  • (I)  — permission inherited from the parent container.

List of basic access permissions:

  • D  —  delete access;
  • F  —  full access;
  • N  —  no access;
  • M  —  modify access;
  • RX  —  read and execute access;
  • R  —  read-only access;
  • W  —  write-only access.

Detailed permissions:

  • DE  —  delete;
  • RC  —  read control;
  • WDAC  —  write DAC;
  • WO —  write owner;
  • S  —  synchronize;
  • AS  —  access system security;
  • MA  —  the maximum allowed permissions;
  • GR  —  generic read;
  • GW  —  generic write;
  • GE  —  generic execute;
  • GA  —  generic all;
  • RD  —  read data/list directory;
  • WD  —  write data/add file;
  • AD  — append data/add subdirectory;
  • REA  —  read extended attributes;
  • WEA  —  write extended attributes;
  • X  —  execute/traverse;
  • DC  —  delete child;
  • RA  —  read attributes;
  • WA  —  write attributes.
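The abbreviations above are easy to read one entry at a time but tedious to audit across a whole tree, which is where they matter most (a world-writable executable or a Modify grant to Users on a service directory is a classic privilege-escalation path). The following PowerShell is an added example, not code from the original article: it turns icacls output into objects and flags Allow entries that give a broad group any write-class right. The sample output, the paths and the account names in it are constructed for illustration.

```powershell
# Added example (not from the original article): parse icacls output into objects and
# flag ACEs that hand write-class rights to broad groups. The sample output, the paths
# and the account names below are constructed for illustration.

# Rights that let a principal change an object, its contents or its ACL.
$WriteClass    = 'F', 'M', 'W', 'GA', 'GW', 'WD', 'AD', 'DC', 'WDAC', 'WO'
$BroadGroups   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE'
$InheritTokens = 'OI', 'CI', 'IO', 'NP', 'I'

function ConvertFrom-IcaclsOutput {
    param([string[]]$Lines)
    $rows = @($Lines | Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^Successfully processed' })
    $path = $null
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $line = $rows[$i]
        if ($line -notmatch '^\s') {
            # Header line "<path> <ace>". icacls indents the object's remaining ACE lines
            # by (path length + 1), which locates the end of the path even when the path
            # or the account name contains spaces; a single-ACE object falls back to the
            # last space in the line.
            $indent = 0
            if (($i + 1) -lt $rows.Count -and $rows[$i + 1] -match '^(\s+)') {
                $indent = $Matches[1].Length
            }
            $split = if ($indent -gt 1) { $indent - 1 } else { $line.LastIndexOf(' ') }
            $path  = $line.Substring(0, $split)
            $ace   = $line.Substring($split + 1)
        } else {
            $ace = $line.Trim()
        }
        if (-not ($ace -match '^(?<account>[^:]+):(?<flags>(?:\([^)]*\))+)$')) { continue }
        $account = $Matches['account']
        $tokens  = @([regex]::Matches($Matches['flags'], '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
        # Everything that is not an inheritance flag or DENY is a right; "(RX,W)" splits into RX and W.
        $rights  = @($tokens | Where-Object { $_ -notin $InheritTokens -and $_ -ne 'DENY' } |
                    ForEach-Object { $_ -split ',' })
        [pscustomobject]@{
            Path        = $path
            Account     = $account
            Type        = $(if ('DENY' -in $tokens) { 'Deny' } else { 'Allow' })
            Inherited   = [bool]('I' -in $tokens)
            Inheritance = @($tokens | Where-Object { $_ -in $InheritTokens -and $_ -ne 'I' })
            Rights      = $rights
        }
    }
}

function Find-WeakAce {
    # Allow ACEs that give a broad group any write-class right.
    param([object[]]$Entries)
    $Entries | Where-Object {
        $entry = $_
        $entry.Type -eq 'Allow' -and $entry.Account -in $BroadGroups -and
        @($entry.Rights | Where-Object { $_ -in $WriteClass }).Count -gt 0
    }
}

# Constructed sample: the listing from the article plus a second object with a
# world-writable executable and an explicit deny.
$sample = @'
c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
c:\PS\tools\agent.exe Everyone:(RX,W)
                      CORP\svc_backup:(DENY)(D)
Successfully processed 2 files; Failed processing 0 files
'@ -split "`r?`n"

$entries = ConvertFrom-IcaclsOutput -Lines $sample
# Live use on Windows: $entries = ConvertFrom-IcaclsOutput -Lines (icacls C:\PS /T)
$entries | Format-Table Path, Account, Type, Inherited, Rights -AutoSize
Find-WeakAce -Entries $entries
```

On the constructed sample, Find-WeakAce returns the single Everyone entry on c:\PS\tools\agent.exe (W is write-class), while BUILTIN\Users with (RX) and the explicit Deny for CORP\svc_backup are not reported. The parser relies on icacls indenting continuation lines to the width of the path, which is what lets it cope with spaces in paths and in names such as NT AUTHORITY\SYSTEM.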

To find all objects in the specified directory and its subdirectories whose ACL contains an entry for a specific user or group, use /findsid. The account can be given by name or as a SID; a numeric SID must be prefixed with *, for example *S-1-5-32-545 for BUILTIN\Users:

icacls C:\PS /findsid [User/Group_SID_here] /t /c /l /q

Use iCACLS to Set Folder’s or File’s Permissions

With the icacls command, you can change the access lists of a folder or file. To change an object's DACL, the user must have the write DAC permission (WRITE_DAC, shown by icacls as WDAC). The owner of an object always has it: the owner is implicitly granted READ_CONTROL and WRITE_DAC regardless of the DACL.

For example, to grant the user John the Modify (M) permission on the folder C:\PS, run:

icacls C:\PS /grant John:M

Note that without inheritance flags this ACE applies to the folder itself only; existing and new files in it are not affected (see the (OI)(CI) examples below).

To grant Full Control permission for the NYUsers domain group and apply all settings to the subfolders:

icacls "C:\PS" /grant domainname\NYUsers:F /Q /C /T

The following command can be used to grant a user read + execute + delete access permissions to the folder:

icacls E:\PS /grant John:(OI)(CI)(RX,D)

In order to grant read + execute + write access, use the command:

icacls E:\PS /grant John:(OI)(CI)(RX,W)

You can also use built-in group names such as Administrators, Everyone or Users in the icacls command, for example:

icacls C:\PS /grant Everyone:F /T

You can remove all ACEs (both Allow and Deny) assigned to John with the command below; use /remove:g to remove only his granted rights or /remove:d to remove only the denied ones:

icacls C:\PS /remove John

You can also explicitly deny a user or group access to a file or folder:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind how Windows evaluates a canonical ACL: explicit Deny entries come before explicit Allow entries, and explicit entries before inherited ones. A Deny therefore overrides an Allow at the same level, while an explicit Allow takes precedence over an inherited Deny.

You can enable or disable the inheritance of permissions from the parent folder with the /inheritance option of the icacls command.

Three values are available for the inheritance parameter:

  • e — enable inheritance;
  • d — disable ACE inheritance and copying;
  • r — remove all inherited ACEs.

To disable inheritance on a file system object and convert the currently inherited entries into explicit ones, run:

icacls c:\PS /inheritance:d

To disable inheritance and remove all inherited permissions, run:

icacls c:\PS /inheritance:r

To enable the inherited permissions on a file or folder object:

icacls c:\PS /inheritance:e

If you need to apply a permission to all files and subfolders of the target folder as explicit entries, without relying on inheritance, use the command:

icacls "C:\PS" /grant:r Everyone:(NP)(RX) /T

Here /T applies the ACE to every object in the tree, (NP) stops it from propagating further on its own, and /grant:r replaces any explicit rights Everyone already had on each object; explicit entries of other accounts on the subfolders are left untouched. (Do not write the path as "C:\PS\": a backslash in front of the closing quote is treated as an escape character and breaks the command line.)

You can also use the %username% environment variable to grant permissions to the currently logged-on user:

ICACLS c:\PS /grant %username%:F

In some cases, you may receive an "Access is denied" error when changing permissions on a file or folder with icacls. First make sure you are running the command prompt with elevated rights (Run as administrator): icacls does not request elevation itself, so instead of a UAC prompt you simply get the error.

If the error persists, list the current file permissions and make sure your account has the “Change permissions” rights on the file.

Hint. You can use the accesschk tool or NTFSSecurity PowerShell module to get effective NTFS permissions on files and folders. You can install the NTFSSecurity module from the PowerShell Gallery:

Install-Module -Name NTFSSecurity

To get effective object permissions for a specific user account, run:

Get-NTFSEffectiveAccess -Path C:\PS\myfile.txt -Account samaccountname

A common problem: after copying directories between two drives, you may lose access to folders on the target drive. In this case, you can reset the NTFS permissions with icacls. The following command discards the explicit entries on every folder and file on drive E: and replaces them with the permissions inherited from the parent:

icacls.exe E:\* /reset /T

On Windows versions without long path support, you cannot change the permissions of an object whose full path is longer than MAX_PATH (260 characters); the command fails with a path-too-long error. In these cases, instead of:

ICACLS C:\PS\LongFilePath /Q /C /T /reset

use the \\?\ prefix, which makes the Win32 API bypass the MAX_PATH limit:

ICACLS "\\?\C:\PS\LongFilePath" /Q /C /T /reset

With icacls you can also raise the integrity level of a file or folder. Setting it to High adds a mandatory label with the No-Write-Up (NW) policy: only processes running at High integrity or above (for example an elevated administrator console) can modify the object. Processes at Medium integrity, which is where a standard user's programs and a non-elevated administrator's programs run, cannot write to it regardless of the DACL. Reading is still allowed unless the label also carries the NR (no read-up) policy.

icacls C:\PS\myfile.txt /setintegritylevel H

Now the following entry will appear in the ACL of the file:

Mandatory Label\High Mandatory Level:(NW)


After that, even a user with Full Control in the DACL gets an "Access is denied" error when trying to change the file from a Medium-integrity process.

Changing Ownership Using ICACLS on Windows

Using the icacls command, you can change the owner of a file or folder, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q — suppress success messages;
  • /L — operate on a symbolic link itself rather than on its target;
  • /C — continue despite file errors (error messages are still displayed);
  • /T — apply the command to all files and directories in the specified directory and its subdirectories.

You can change the owner of all the files in the directory:

icacls c:\ps\* /setowner John /T /C /L /Q

Also, with icacls you can reset the current permissions on file system objects:

ICACLS C:\ps /T /Q /C /RESET

After executing this command, the explicit permissions on all objects in the specified folder are discarded and replaced with the permissions inherited from the parent object.

Note that icacls /setowner does not let you take ownership forcibly: it needs the Take ownership (WO) right on the object and, unlike takeown.exe, does not use the administrator's Take ownership privilege to override a missing right. If you are not the current owner, use takeown.exe to take ownership first and then adjust the DACL with icacls.

To find all files whose ACL is not in canonical form or whose length does not match the number of ACEs, use the /verify parameter:

icacls "c:\test" /verify /T

Save and Restore NTFS ACLs Using ICACLS

Using the icacls command, you can save the current ACLs of objects to a text file and later apply them to the same or other objects (a simple way to back up ACLs).

To export the ACLs of the contents of the C:\PS folder to the file PS_folder_ACLs.txt, run:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t

With /t this saves the ACLs of all subfolders and files. Because C:\PS\* was given, the entries are stored relative to C:\PS and the ACL of the folder itself is not included; if you pass C:\PS instead, the folder is included, the entries become relative to C:\ and /restore must then be run against C:\. The resulting file is Unicode text holding, for each object, its relative path and its DACL in SDDL form; you can open it in Notepad or any text editor.


To apply saved access ACLs (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt

Thus, the process of ACLs transferring from one folder to another (or between hosts) becomes much easier.
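The /grant, /remove and /inheritance commands shown earlier and the /save and /restore pair above are usually combined: save first, change in the right order, roll back if a step fails. The PowerShell below is an added example, not code from the original article; it locks a folder down to one group while keeping a restorable copy of the previous ACLs. The folder C:\PS, the group CORP\Finance and the backup file name are hypothetical, and the script must be run from an elevated session.

```powershell
# Added example (not from the original article): lock a folder down to one group in
# the right order, with the current ACLs saved first so a failed change is rolled back.
# The folder, the group and the backup file name are hypothetical; run elevated.

function Invoke-Icacls {
    # icacls signals failure through its exit code rather than a terminating error,
    # so each step checks $LASTEXITCODE before the next one runs.
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    $output
}

function Protect-Folder {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. C:\PS
        [Parameter(Mandatory)][string]$Group,       # e.g. CORP\Finance
        [Parameter(Mandatory)][string]$BackupFile   # e.g. C:\temp\PS_before.txt
    )
    # 1. Save the ACLs of the folder itself and of everything below it. Because the
    #    folder name (not \*) is given, the entries are stored relative to its parent,
    #    so /restore must later be run against that parent directory.
    $parent = Split-Path -Path $Path -Parent
    Invoke-Icacls -Arguments @($Path, '/save', $BackupFile, '/T', '/C', '/Q') | Out-Null
    try {
        # 2. Cut inheritance but keep copies of the inherited ACEs as explicit ones,
        #    so the folder is never left with an empty DACL.
        Invoke-Icacls -Arguments @($Path, '/inheritance:d') | Out-Null
        # 3. Strip the broad groups that were just copied in (Allow and Deny ACEs alike).
        Invoke-Icacls -Arguments @($Path, '/remove', 'BUILTIN\Users', 'Everyone') | Out-Null
        # 4. Grant the intended group Modify on the folder, its sub-folders and files.
        #    ${Group} is braced because "$Group:" would be read as a scope qualifier.
        Invoke-Icacls -Arguments @($Path, '/grant', "${Group}:(OI)(CI)(M)") | Out-Null
    } catch {
        Write-Warning "Lock-down of $Path failed, restoring the saved ACLs: $_"
        Invoke-Icacls -Arguments @($parent, '/restore', $BackupFile, '/C', '/Q') | Out-Null
        throw
    }
    Invoke-Icacls -Arguments @($Path)   # show the resulting ACL
}

Protect-Folder -Path 'C:\PS' -Group 'CORP\Finance' -BackupFile 'C:\temp\PS_before.txt'
```

The order matters: disabling inheritance with :d before removing Users and Everyone means their copied-in entries are what gets removed, and the SYSTEM and Administrators entries survive as explicit ACEs. Using :r instead would leave the folder with only the entries you add afterwards, so a failure between the two steps would lock everyone out, which is exactly what the saved ACL file is there to undo.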

Using icacls in a PowerShell Script to Change Permissions

If you need to walk a folder structure and change NTFS permissions only on certain types of files, you can call icacls from PowerShell. For example, you need to find all *.docx files with the phrase "pass" in the name in your shared network folder and grant read access to them to the ITSec domain security group. You can use the following PowerShell script (don't forget to change the folder path):

$files = Get-ChildItem -Path "d:\docs" -Recurse -File | Where-Object { $_.Extension -eq ".docx" -and $_.Name -like "*pass*" }
foreach ($file in $files) {
    # Quote the Sid:perm argument: unquoted, PowerShell parses (R) as a sub-expression
    icacls $file.FullName /grant "corp\ITSec:(R)"
    Write-Host $file.FullName
}

You can use icacls in PowerShell scripts to change NTFS permissions on directories on remote computers (PowerShell Remoting over WinRM must be enabled on them):

$folder = "C:\Tools"
$account = "corp\helpdesk"
$permission = "(OI)(CI)(R,W)"
$servers = @("server1", "server2", "server3")

Invoke-Command -ComputerName $servers -ScriptBlock {
    param($folder, $account, $permission)
    # ${account} is braced because "$account:" would be read as a scope qualifier
    icacls $folder /grant "${account}:${permission}" /T /C /Q
} -ArgumentList $folder, $account, $permission

This script grants read and write (R,W) permissions on the C:\Tools directory, inherited by its subfolders and files, to the corp\helpdesk domain security group on three remote servers.

In addition to the icacls tool, you can manage the NTFS permissions of file system objects using PowerShell. To get the current ACL of an object, use the Get-ACL cmdlet. To change NTFS permissions, use Set-ACL.
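The PowerShell cmdlets express the same ACE as icacls, only with .NET enumerations instead of the (OI)(CI)(M) abbreviations. The block below is an added example, not code from the original article: it is the Get-Acl/Set-Acl equivalent of icacls C:\PS /grant John:(OI)(CI)(M), followed by a read-back that prints the explicit entries of one account in icacls-like notation so the mapping between the two representations is visible. The folder C:\PS and the account CORP\John are hypothetical.

```powershell
# Added example (not from the original article): the Get-Acl/Set-Acl equivalent of
#   icacls C:\PS /grant John:(OI)(CI)(M)
# plus a read-back that shows how the cmdlet's flags map to the icacls abbreviations.
# Folder and account names are hypothetical.

function Grant-NtfsModify {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account   # e.g. CORP\John
    )
    # (OI)(CI)  -> InheritanceFlags ObjectInherit + ContainerInherit
    # no (IO)   -> PropagationFlags None (the ACE also applies to the folder itself)
    # M         -> FileSystemRights.Modify
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ObjectInherit, ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    # Set-Acl writes the whole descriptor back, including the owner it read. If that
    # owner is an account you are not allowed to assign (the TrustedInstaller case),
    # it fails with "The security identifier is not allowed to be the owner of this object".
    Set-Acl -Path $Path -AclObject $acl
}

function Get-NtfsAccess {
    # Explicit (non-inherited) ACEs of one account, rendered with the icacls flag names.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
        ForEach-Object {
            $flags = @()
            if ($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)     { $flags += 'OI' }
            if ($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)  { $flags += 'CI' }
            if ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)        { $flags += 'IO' }
            if ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit) { $flags += 'NP' }
            '{0}:{1} {2} {3}' -f $_.IdentityReference,
                                 (($flags | ForEach-Object { "($_)" }) -join ''),
                                 $_.AccessControlType,
                                 $_.FileSystemRights
        }
}

Grant-NtfsModify -Path 'C:\PS' -Account 'CORP\John'
Get-NtfsAccess   -Path 'C:\PS' -Account 'CORP\John'
```

The read-back prints the rights as the FileSystemRights enumeration spells them, which is more verbose than the icacls letters (the Modify rule comes back including Synchronize, which icacls folds into M); the inheritance and propagation flags, however, map one-to-one onto (OI), (CI), (IO) and (NP).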

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

5 comments

  1. How could I apply the rights to a specific user with the same name as the user folder?
    Example:
    C:\users\james -> should become Full Access for the domain user “James”
    C:\users\john -> should become Full Access for the domain user “John”

  2. I need to find out why the output of the command “icacls ~\Desktop” returns “The system cannot specify the path”.
