iCACLS: List and Manage Folder and File Permissions on Windows – TheITBros (2024)

Managing NTFS permissions on folders and files is one of the typical tasks for a Windows administrator. You can view and manage NTFS permissions with the File Explorer GUI (go to the Security tab in the properties of a folder or file) or with the built-in iCACLS command-line tool. In this article, we’ll look at examples of using the iCACLS command to view and manage folder and file permissions on Windows.


Each file or folder on the file system has a special SD (Security Descriptor). Each security descriptor contains two access control lists:

  • System Access-Control List (SACL) — managed by Windows and used to provide auditing of file system object access;
  • Discretionary Access-Control List (DACL) — contains an ACL (Access Control List) that defines access permissions of an object.

The ACL consists of many entries with three fields:

  • SID of the user or group to which access rule applies;
  • Access type — read, write, execute, etc.;
  • ACE type — Allow or Deny.

How to Show File and Folder Permissions Using the iCACLS Command?

The iCACLS command allows displaying or changing Access Control Lists (ACLs) for files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (which was used in Windows XP).

The complete syntax of the icacls tool and some useful usage examples can be displayed using the command:

icacls.exe /?

To list current NTFS permissions on a specific folder (for example, C:\DOCs\IT_Dept), open a Command prompt and run the command:

icacls C:\DOCs\IT_Dept

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions list returned by the iCACLS command:

C:\DOCs\IT_Dept CONTOSO\allowUSB:(OI)(CI)(RX)
                CREATOR OWNER:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                CONTOSO\fs01-IT_dept_RW:(OI)(CI)(M)
                CONTOSO\fs01-IT_dept_R:(OI)(CI)(RX)
                BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files


The access permissions are listed next to each group or user and are indicated using abbreviations. Consider the permissions for the security group CONTOSO\fs01-IT_dept_RW. The following permissions are assigned to this group:

  • (OI) — object inherit;
  • (CI) — container inherit;
  • (M) — modify access.

This means that the members of this group have the right to write and modify file system objects in this directory. These NTFS permissions are inherited by all child (nested) objects in this directory.

To view the same folder permissions that icacls returned in the File Explorer GUI:

  1. Open file or folder properties;
  2. Navigate to the Permissions tab;
  3. Press the Advanced button;
  4. The list of folder permissions that we obtained earlier using the command prompt is listed in the Permissions entries list.

Below is a complete list of permissions that can be set using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit;
  • (CI)  —  container inherit;
  • (IO)  —  inherit only;
  • (NP)  —  don’t propagate inherit;
  • (I)  — permission inherited from the parent container.

List of basic access permissions:

  • D  —  delete access;
  • F  —  full access;
  • N  —  no access;
  • M  —  modify (includes ‘delete’);
  • RX  —  read and execute access;
  • R  —  read-only access;
  • W  —  write-only access.

Detailed permissions:

  • DE  —  delete;
  • RC  —  read control;
  • WDAC  —  write DAC;
  • WO —  write owner;
  • S  —  synchronize;
  • AS  —  access system security;
  • MA  —  the maximum allowed permissions;
  • GR  —  generic read;
  • GW  —  generic write;
  • GE  —  generic execute;
  • GA  —  generic all;
  • RD  —  read data/list directory;
  • WD  —  write data/add file;
  • AD  — append data/add subdirectory;
  • REA  —  read extended attributes;
  • WEA  —  write extended attributes;
  • X  —  execute/traverse;
  • DC  —  delete child;
  • RA  —  read attributes;
  • WA  —  write attributes.
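
The listing format and the abbreviation lists above can be decoded mechanically when many folders have to be reviewed. The following PowerShell function is an added example, not part of the original article; the function name ConvertFrom-IcaclsListing, the set of "broad" principals and the Review column are assumptions made for illustration.

```powershell
# Added example: decode an icacls listing and flag broad write-capable grants.
$FlagNames = @{
    OI = 'object inherit'; CI = 'container inherit'; IO = 'inherit only'
    NP = "don't propagate inherit"; I = 'inherited from parent'
}
# Codes from the lists above that permit changing data, the DACL or the owner
$WriteCapable = 'F', 'M', 'W', 'D', 'WD', 'AD', 'DC', 'WDAC', 'WO', 'GW', 'GA'
# Assumption: which principals count as "broad" is a local policy choice
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function ConvertFrom-IcaclsListing {
    param(
        [Parameter(Mandatory)][string]$Path,                         # path passed to icacls
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines   # raw output lines
    )
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # The first output line is prefixed with the object path; strip it
        if ($text.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length).Trim()
        }
        # principal:(group)(group)... ; status and blank lines do not match
        $m = [regex]::Match($text, '^(?<who>[^:]+):(?<groups>(\([^()]+\))+)$')
        if (-not $m.Success) { continue }
        $who = $m.Groups['who'].Value
        $groups = @([regex]::Matches($m.Groups['groups'].Value, '\(([^()]+)\)') |
            ForEach-Object { $_.Groups[1].Value })
        # Deny ACEs carry a (DENY) group in the listing
        $isDeny = $groups -contains 'DENY'
        $groups = @($groups | Where-Object { $_ -ne 'DENY' })
        if ($groups.Count -eq 0) { continue }
        # The last group holds the rights; the groups before it are inheritance flags
        $rights = @($groups[-1] -split ',')
        $flags = @($groups | Select-Object -SkipLast 1)
        $canWrite = @($rights | Where-Object { $WriteCapable -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Principal   = $who
            Type        = if ($isDeny) { 'Deny' } else { 'Allow' }
            Inheritance = @($flags | ForEach-Object { $FlagNames[$_] }) -join ', '
            Rights      = $rights -join ','
            Review      = (-not $isDeny) -and $canWrite -and ($BroadPrincipals -contains $who)
        }
    }
}

# Lines from the listing above plus one constructed entry (Everyone) that gets flagged
$sample = @(
    'C:\DOCs\IT_Dept CONTOSO\allowUSB:(OI)(CI)(RX)'
    '                CREATOR OWNER:(OI)(CI)(IO)(F)'
    '                CONTOSO\fs01-IT_dept_RW:(OI)(CI)(M)'
    '                BUILTIN\Users:(OI)(CI)(RX)'
    '                Everyone:(OI)(CI)(F)'
    'Successfully processed 1 files; Failed processing 0 files'
)
ConvertFrom-IcaclsListing -Path 'C:\DOCs\IT_Dept' -Lines $sample | Format-Table -AutoSize
```

To run it against live output, pass the lines returned by icacls for a single path as -Lines together with the same path as -Path.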

If you need to find all the objects in the specified directory and its subdirectories in which the SID of a specific user or group is specified, use the command:

icacls C:\PS /findsid [User/Group_SID_here] /t /c /l /q

Grant and Remove Permissions to a Folder or File with iCACLS

You can change the access lists for the folder using the icacls command. To change an object’s DACL, the user must have write DAC permission (WRITE_DAC — WDAC). At least one user (the owner of the object) has the permission to modify the DACL.

For example, suppose you want to grant the user John permission to modify (M) the contents of the folder C:\PS. Execute the command:

icacls C:\PS /grant John:M

To grant Full Control permission for the NYUsers domain group and apply all settings to the subfolders:

icacls "C:\PS" /grant domainname\NYUsers:F /Q /C /T

The following command can be used to grant a user read + execute + delete access permissions to the folder:

icacls E:\PS /grant John:(OI)(CI)(RX,D)

In order to grant read + execute + write access, use the command:

icacls E:\PS /grant John:(OI)(CI)(RX,W)

You can use the built-in group names (Administrators, Everyone, Users, etc.) in the icacls command. For example:

icacls C:\PS /grant Everyone:F /T

You can remove all the NTFS permissions assigned to John by using the command:

icacls C:\PS /remove John

The /remove option allows you to remove only the Granted or Denied permissions for a specific user or SID:

  • /remove:g — remove all granted rights;
  • /remove:d — remove all denied rights.

Also, you can prevent a user or group of users from accessing a file or folder by using an explicit deny permission, like this:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind that deny rules have a higher priority than allow rules.

You can enable or disable inherited permissions on folder/file objects using the /inheritance option of the icacls command.

Three values are available for the inheritance parameter:

  • e — enable inheritance;
  • d — disable ACE inheritance and copying;
  • r — remove all inherited ACEs.

To disable permission inheritance on the file system object and copy the current access control list (as explicit permissions), run the command:

icacls c:\PS /inheritance:d

To disable inheritance and remove all inherited permissions, run:

icacls c:\PS /inheritance:r

To enable the inherited permissions on a file or folder object:

icacls c:\PS /inheritance:e

If you need to propagate new permission to all files and subfolders of the target folder without using inheritance, use the command:

icacls "C:\PS" /grant:r Everyone:(NP)(RX) /T

In this case, no specific permissions on subfolders will be overwritten.

Also, you can use the environment variable %username% to grant permissions to the currently logged-on user:

ICACLS c:\PS /grant %username%:F

In some cases, you may receive the “Access is denied” error when trying to change permissions on a file or folder using the icacls tool. In this case, first make sure that you are running an elevated cmd prompt (run as an administrator). Since icacls is not a UAC-aware tool, you won’t see the elevation prompt.

If the error persists, list the current file permissions and make sure your account has the “Change permissions” rights on the file.

Hint. The big disadvantage of the icacls tool is that it doesn’t allow you to get effective NTFS permissions on a file system object. You can use the File Explorer, accesschk tool, or NTFSSecurity PowerShell module to get effective NTFS permissions on files and folders. You can install the NTFSSecurity module from the PowerShell Gallery:

Install-Module -Name NTFSSecurity

To get effective object permissions for a specific user account, run:

Get-NTFSEffectiveAccess -Path C:\PS\myfile.txt -Account samaccountname

Quite a common problem: after copying directories between two drives, you can lose access permission to folders on a target drive. In this case, you can reset NTFS permissions with icacls. The following command will reset all explicit and inherited permissions for all folders and files on drive E:

Icacls.exe E:\* /reset /T

If your version of Windows doesn’t support long paths, you won’t be able to change the permissions for an object if the full path to such an object is longer than 256 characters (with the Destination path too long error). In these cases, instead of using the following icacls command:

ICACLS C:\PS\LongFilePath /Q /C /T /reset

You should use:

ICACLS "\\?\C:\PS\LongFilePath" /Q /C /T /reset

With icacls you can set a high integrity level for a file or folder. Only administrators can access and modify files and folders with a high level of integrity.

icacls C:\PS\myfile.txt /setintegritylevel H

Now the following entry will appear in the ACL of the file:

Mandatory Label\High Mandatory Level:(NW)


After that, even if the user has Full Control access permissions to the file, he will not be able to change it and will receive an Access is denied error.

Note. In addition to the icacls tool, you can manage the NTFS permissions of file system objects using PowerShell. To get the current ACL of an object, use the Get-ACL cmdlet. To change NTFS permissions, use Set-ACL.

Changing Ownership Using ICACLS on Windows

Using the icacls command, you can change the owner of a file or folder, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q — suppress success messages;
  • /L — the command is performed on the symbolic link itself rather than on its target;
  • /C — the execution of the command will continue despite file errors. Error messages will still be displayed;
  • /T — use the recursive mode (the command is executed against all files and directories that are located in the specified directory and its subdirectories).

You can change the owner of all the files in the directory:

icacls c:\ps\* /setowner John /T /C /L /Q

Also, with icacls you can reset the current permissions on the file system objects:

ICACLS C:\ps /T /Q /C /RESET

After executing this command, all current permissions on the file objects in the specified folder will be reset. They will be replaced with permissions inherited from the parent object. This command is equivalent to the “Replace all child permission entries with inheritable permission from this object” option in the Advanced Security settings of a file system object in File Explorer.

Note that the icacls command with the /setowner option doesn’t allow you to forcibly change the file system object ownership. If you are not the current object owner, use the takeown command to take file or folder ownership.

To find all files with a non-canonical ACL or with lengths that do not match the number of ACEs, use the /verify parameter.

icacls "c:\test" /verify /T

How to Backup and Restore NTFS ACLs Using ICACLS?

The icacls command allows you to save the ACL of the current object to a plain text file. You can apply the saved permission list to the same or other objects (a kind of way to backup ACLs).

To export the current ACLs of the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /T

This command saves ACLs not only for the directory itself but also for all subfolders and files. You can open the resulting text file using notepad or any text editor.


To apply saved access ACLs to the target path (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt /T /C /Q

Thus, transferring ACLs from one folder to another (or between hosts) becomes much easier.

Using ICACLS in a PowerShell Script to Change Permissions

If you need to go down the folder structure and change NTFS permissions only on certain types of files, you can use the icacls utility. For example, you need to find all files with the “pass” phrase in the name and the *.docx extension in your shared network folder and grant read access to them for the ITSec Active Directory group. You can use the following PowerShell script (don’t forget to change the folder path):

# Collect all *.docx files under the folder
$files = Get-ChildItem "d:\docs" -Recurse -File | Where-Object { $_.Extension -eq ".docx" }
foreach ($file in $files) {
    # Only files with "pass" in the name
    if ($file.Name -like "*pass*") {
        $path = $file.FullName
        # Quote the grant argument so PowerShell does not parse (R) as an expression
        icacls $path /grant "corp\ITSec:(R)"
        Write-Host $path
    }
}

You can use icacls in PowerShell scripts to change NTFS permissions on directories on remote computers:

$folder = "c:\Tools"
$users = "corp\hepldesk"
$permission = "(OI)(CI)(F)"
$servers = @("server1", "server2", "server3")
# Build the ACE locally; $using: passes local variables into the remote session
$ace = "${users}:${permission}"
Invoke-Command -ComputerName $servers -ScriptBlock {
    # /grant:r replaces any previously granted explicit permissions for the group
    icacls $using:folder /grant:r $using:ace /T
}

This script will grant RW permissions to the C:\tools directory for the corp\hepldesk domain security group on three remote servers. This script uses PowerShell remoting to run the command on remote computers.

The icacls allows you to manage not only NTFS permissions for file system objects on the local computer, but also permissions for remote file shares.

In order to grant Full Access to the docs folder on the remote computer fssrv01, run the following command:

icacls \\fssrv01\docs /grant bjackson:F

You can also use administrative shares (C$, D$, etc.) to access local files on a remote computer over the network. This means that this command will work as well:

icacls \\fssrv01\d$\docs /grant bjackson:F


FAQs

How do I clear all permissions in Icacls?

Launch the command prompt as an Administrator and navigate through the tree of folders you need to fix. Then launch the command ICACLS * /T /Q /C /RESET. ICACLS will reset the permissions of all the folders, files and subfolders.

How do I list folder permissions in Windows?

Step 2 – Right-click the folder or file and click “Properties” in the context menu.
Step 3 – Switch to “Security” tab and click “Advanced”.
Step 4 – In the “Permissions” tab, you can see the permissions held by users over a particular file or folder.
Step 5 – Click “Effective Access” tab.

How do I list NTFS permissions of all files and folders?

To get NTFS folder permissions with PowerShell, the get-acl cmdlet is used. The one drawback to this command is that it doesn't get subfolder (recursive) permissions. To get around this, you can use the get-childitem command and pipe it to the get-acl command.

How do I reset permissions subfolders in Icacls?

  1. Open Command Prompt and run as administrator and navigate through the tree of folders you need to fix.
  2. Type this command and press Enter: ICACLS * /T /Q /C /RESET.

How do I reset all folder permissions in Windows?

Run the Icacls Command

Now press Enter on your keyboard to execute the command. This will reset all user permissions to default for every folder, subfolder, and file within the current working directory.

How do I remove all permissions from a folder in Windows?

Open an elevated command prompt. Run the following command to reset permissions for a file: icacls "full path to your file" /reset. To reset permissions for a folder: icacls "full path to the folder" /reset.

How do I check permissions on all files and directories?

The ls command along with its -l (for long listing) option will show you metadata about your Linux files, including the permissions set on the file. In this example, you see two different listings. The first field of the ls -l output is a group of metadata that includes the permissions on each file.

What are the six (6) types of permissions in Windows for folders and files?

You are not limited to choosing one of the standard permissions settings (Full Control, Modify, Read & Execute, List Folder Contents, Read, or Write).

How do I get permission to all files in a folder?

Changing permissions with chmod

To modify the permission flags on existing files and directories, use the chmod command ("change mode"). It can be used for individual files or it can be run recursively with the -R option to change permissions for all of the subdirectories and files within a directory.

How do I list all files and file permissions?

Type the command ls -l to list the files and directories with file permissions for your current location. The first character denotes whether an item is a file or a directory. If 'd' is shown, it's a directory, and if '-' is shown, it's a file.

How to find all files with 777 permissions?

find /home/ -perm 777 -type f

This command will list all the files inside the home directory with 777 permissions.

How to check folder permission via cmd?

Or to get the info of all files and folder inside that directory:

PS C:\Users\Username> Dir | Get-Acl

    Directory: C:\Users\Username

Path Owner Access
---- ----- ------
.

How do I delete all permissions?

To remove world read permission from a file you would type chmod o-r [filename]. To remove group read and execute permission while adding the same permission to world you would type chmod g-rx,o+rx [filename]. To remove all permissions for group and world you would type chmod go= [filename].

How do I clear permissions?

Change app permissions
  1. On your device, open the Settings app.
  2. Tap Apps.
  3. Tap the app you want to change. If you can't find it, tap See all apps. ...
  4. Tap Permissions. If you allowed or denied any permissions for the app, you'll find them here.
  5. To change a permission setting, tap it, then choose Allow or Don't allow.

How do I turn off all permissions?

How to manage Android app permissions by permission type
  1. Tap Settings.
  2. Tap Privacy.
  3. Tap Permission manager.
  4. Tap the permission type to see which apps allow the selected permission.
  5. Tap on an app and select Allow or Don't allow.

Which command do we use to remove all set ACL permissions?

If you want to remove the set ACL permissions, use setfacl command with -b option.

Article information

Author: Aracelis Kilback