
Using iCACLS to List Folder Permissions and Manage Files

One of the typical tasks of a Windows administrator is managing NTFS permissions on folders and files. To manage NTFS permissions, you can use the File Explorer graphical interface (the Security tab in the properties of a folder or file) or the built-in iCACLS command-line utility. In this article we’ll look at examples of using the iCACLS command to view and manage folder and file permissions.


Using iCACLS Command

The iCACLS command lets you display or change the Access Control Lists (ACLs) of files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (used in Windows XP).

To list current permissions on a specific folder (for example, C:\PS), open a Command prompt and run the command:

icacls c:\PS

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions returned by the iCACLS command:

c:\PS CORP\someusername:(OI)(CI)(M)





Successfully processed 1 files; Failed processing 0 files


The access level is specified next to each group and user. Access rights are indicated using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user:

  • (OI) — object inherit
  • (CI) — container inherit
  • (M) —  modify access

This means that this user has the rights to write and modify data in this directory. These rights are inherited by all child objects in this directory.

Below is a complete list of permissions that can be set using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit
  • (CI)  —  container inherit
  • (IO)  —  inherit only
  • (NP)  —  don’t propagate inherit
  • (I)  — permission inherited from parent container

List of basic access permissions:

  • D  —  delete access
  • F  —  full access
  • N  —  no access
  • M  —  modify access
  • RX  —  read and eXecute access
  • R  —  read-only access
  • W  —  write-only access

Detailed permissions:

  • DE  —  delete
  • RC  —  read control
  • WDAC  —  write DAC
  • WO   — write owner
  • S  —  synchronize
  • AS  —  access system security
  • MA  —  maximum allowed permissions
  • GR  —  generic read
  • GW  —  generic write
  • GE  —  generic execute
  • GA  —  generic all
  • RD  —  read data/list directory
  • WD  —  write data/add file
  • AD  — append data/add subdirectory
  • REA  —  read extended attributes
  • WEA  —  write extended attributes
  • X  —  execute/traverse
  • DC  —  delete child
  • RA  —  read attributes
  • WA  —  write attributes
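The abbreviations above are enough to audit icacls output mechanically. The following Python sketch is an added example, not part of the original article: it parses the text printed by `icacls <path>` into structured entries and lists allow entries that give a broad group a write-capable right. The sample output, the extra principals in it, and the choice of "broad" groups are constructed assumptions.

```python
import re

# Inheritance flags from the table above; anything else in parentheses is a right.
INHERIT = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
           "NP": "don't propagate inherit", "I": "inherited from parent"}
# Rights that let the holder change data, attributes, the ACL or the owner.
WRITE_CAPABLE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC",
                 "DE", "WDAC", "WO", "WEA", "WA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]+\))+)$")

def parse_icacls(path, text):
    """Return a list of ACE dicts parsed from the output of `icacls <path>`."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):  # first line is prefixed by the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                                  # blank lines and the summary line
            continue
        ace = {"who": m["who"], "deny": False, "inherit": [], "rights": []}
        for group in re.findall(r"\(([^()]+)\)", m["groups"]):
            if group == "DENY":                    # accepted at any position
                ace["deny"] = True
            elif group in INHERIT:
                ace["inherit"].append(group)
            else:                                  # "M" or a list such as "RX,W"
                ace["rights"].extend(group.split(","))
        aces.append(ace)
    return aces

def risky_aces(aces, broad=("Everyone", "BUILTIN\\Users",
                            "NT AUTHORITY\\Authenticated Users")):
    """Allow ACEs that grant a broad group at least one write-capable right."""
    return [a for a in aces if not a["deny"] and a["who"] in broad
            and WRITE_CAPABLE & set(a["rights"])]

# Constructed sample output for c:\PS (not captured from a real system).
SAMPLE = r"""c:\PS BUILTIN\Administrators:(I)(OI)(CI)(F)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      CORP\someusername:(OI)(CI)(M)
      BUILTIN\Users:(OI)(CI)(RX,W)
      CORP\NYUsers:(CI)(DENY)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in risky_aces(parse_icacls(r"c:\PS", SAMPLE)):
        print(ace["who"], ace["rights"], [INHERIT[i] for i in ace["inherit"]])
```

The path is passed in explicitly because both paths and principal names may contain spaces, so the first output line cannot be split reliably on whitespace.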

Using the icacls command, you can save the current ACL of an object to a file, and then apply the saved list to the same or other objects (a kind of ACL backup).

To export the current ACLs of the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t

This command saves the ACLs not only of the directory itself, but also of all subfolders and files. The resulting text file can be opened with Notepad or any text editor.


To apply saved access ACLs (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt

Thus, transferring ACLs from one folder to another becomes much easier.

Use iCACLS to Grant Permissions or Change the Access Lists for the Folder

With the icacls command, you can change the access lists of a folder. For example, to grant the user John permission to edit the contents of the folder C:\PS, run the command:

icacls C:\PS /grant John:M

You can remove all the permissions of John by using the command:

icacls C:\PS /remove John

You can also prevent a user or group of users from accessing a file or folder, like this:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind that deny rules have a higher priority than allow rules.

Using the icacls command, you can change the owner of a file or folder, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q – suppress success messages;
  • /L – perform the operation on the symbolic link itself, not on its target;
  • /C – continue despite file errors. Error messages will still be displayed;
  • /T – perform the operation on all files and directories located in the specified directory.

You can change the owner of all the files in the directory:

icacls c:\ps\* /setowner John /T /C /L /Q

You can also use icacls to reset the current permissions on file system objects:



After executing this command, all current permissions on the file objects in the specified folder will be reset and replaced with permissions inherited from the parent object.

  1. Posted by SKS
