Icacls: The Ultimate Guide


The icacls command is a Windows utility that lets you view and modify the permissions of files, folders, registry keys, and other objects on your system. Its syntax, with its many switches, can look complicated, but this guide shows how easy it is to use.

icacls is a command-line tool for altering permissions on files and folders. It has many options; the /grant option, covered with examples below, lets you grant a user access to a file or folder.

If you use Windows File Explorer to check and update file permissions, you have to browse around and open or change the permissions of each file and folder one at a time. If you only need to change a few permissions, that is fine. But suppose you need to identify and update permissions for a folder containing a hundred or more files. The icacls command is the answer.

You’ll learn how to use the icacls command to read, save, and restore file and folder permissions in this article.

Let’s get this party started!

Prerequisites

This tutorial gives step-by-step directions. To follow along, make sure you have the following:

What is the icacls Command and How Does It Work?

A user may be unable to access or alter a file or folder for a variety of reasons, one of which is a lack of permissions on the object. The icacls command is a command-line program for inspecting or changing the permissions of a file or folder on the Windows file system.

Before you use icacls to change file and folder permissions, however, you must first understand Access Control Lists (ACLs). An ACL in this context is the set of rights granted to users or groups on an object in the NTFS file system.

Each entry in an ACL is called an Access Control Entry (ACE). ACEs store permissions together with information on how those permissions are passed down to child objects. NTFS permissions exist to protect computers from unwanted access.

The icacls command can set the granular permissions that appear in the Advanced Security Settings page of a file's or folder's properties. These include basic read/write permissions as well as allowing or denying specific privileges.

To see the advanced permissions of a file or folder:

1. Open File Explorer and right-click on a file or folder to bring up the context menu.

Getting to the Properties of a File or Folder

2. Click the Security tab, then Advanced, to open the file or folder's advanced security settings.

Getting to Advanced Security Options

In the advanced view you'll see a Permissions tab listing each ACE that makes up the ACL of that file system object.

3. To open the Permission Entry dialog box, double-click any ACE in the list.

Viewing a Permission Entry's Permissions

4. Next, click the Show advanced permissions link to see every permission that can be assigned to that object.

Getting a Glimpse of the Basic Permissions

All advanced permissions that can be allowed or denied for a user ID on a file or folder are shown below.

Getting a Glimpse of Advanced Permissions

Using the icacls Basic Command Syntax

Now that you understand ACLs and ACEs, you'll learn how to use the icacls command from the command line to examine and adjust file and folder permissions without mousing around.

The icacls command accepts various switches and arguments for altering file and folder permissions, but let's start with the simplest syntax.

To see the default output of the icacls command, open a command prompt and run icacls with no arguments. By default it prints its help information, which lists all of the switches and arguments, as shown below.

Viewing the default output of the icacls command

You may simply want to check the permissions on a file or folder. In that case, the simplest icacls syntax will do. To see how this works, create a folder and then run icacls against it, as shown below.

# Create a new folder named Folder1
md Folder1
# View the permissions on Folder1
icacls Folder1

icacls returns the ACL assigned to the object; in this example, it lists every ACE on the Folder1 folder. The BUILTIN\Administrators and NT AUTHORITY\SYSTEM user IDs have full (F) rights with object inheritance (OI) and container inheritance (CI), as seen below.

The BUILTIN\Users user ID, on the other hand, shows that the local Users group on the PC has read and execute (RX) access, again with object inheritance (OI) and container inheritance (CI).

Finally, the two NT AUTHORITY\Authenticated Users entries show that the Authenticated Users group has modify-level (M) access with object inheritance (OI) and container inheritance (CI) enabled.

Using the icacls command to view folder permissions

Saving and Restoring ACLs for Files and Folders

Changing file and folder permissions is a delicate process; one mistake can break user or group access. The good news is that the icacls command can save an ACL file. An ACL file stores the ACLs of your files and folders so they can be restored later.

To see how saving and restoring ACLs works, create a folder named C:\Temp\Folder1 and run the commands below to save all permissions for that folder.

1. Use the icacls command to back up the ACLs of the folder (c:\Temp\Folder1) and everything under it recursively (/T), saving them (/save) to a file (C:\Folder1ACL).

# Create a new folder called Folder1
md c:\Temp\Folder1
# Save the permissions of Folder1 (and its contents) to a file called Folder1ACL
icacls c:\Temp\Folder1 /save c:\Folder1ACL /T

In the screenshot below you can see that the new folder was created and its ACLs were stored in the ACL file. Use the dir command to verify that the ACL file (Folder1ACL) exists.

The icacls command saves folder permissions to an ACL file

2. Open Folder1's advanced security settings, just as you did before, and click the Add button shown below to add a new user to the folder's permissions.

Adding a New User to the Permissions of a Folder

3. Click the Select a principal link shown below to add a user or group to Folder1's permissions. In the pop-up box, type the user or group ID to add, then click Check Names. Once the user or group ID is found, click OK.

Selecting a User or Group ID to Add to the Permissions of Folder1

4. Tick the Full control option and click OK to give the new user full rights to Folder1.

Providing the New User with Full Permission

As seen below, User02 has been added to Folder1's permissions with full control.

Adding a User to Folder1 with Full Permissions

5. Now that you've altered the folder's permissions, use the ACL file you created earlier to restore the original permissions.

The command below restores (/restore) the ACLs you saved in the ACL file (c:\Folder1ACL) onto the directory that contains Folder1 (c:\Temp).

icacls c:\Temp /restore c:\Folder1ACL

Restoring the permissions on a folder

6. Finally, check Folder1's advanced security settings to see whether the original permissions have been restored.

The User02 entry you added earlier is gone, which shows that the original permissions from the ACL file have been restored.

Folder1 permissions have been restored

Adding Permissions to a File and Folder for a User

Now that you know the basic syntax of the icacls command, it's time to set some basic permissions on a file and a folder. icacls uses switches that let you grant, deny, or remove permissions on a file or folder. Let's look at how these switches work.

You may find that a user is unable to open or change a file or folder. In that case, use the /grant switch to give the user the necessary permissions.

The command below grants a user (user01) full rights (F) on the myfile.txt file.

An Active Directory (AD) or local group name may be used instead of the user ID (user01).

icacls myfile.txt /grant user01:F

Giving permission to a user on a folder differs from giving permission to a user on a file.

The command below grants a user (user01) read access (R) on the Folder1 folder.

icacls Folder1 /grant user01:R

Output of the /grant switch in the icacls command

You may also use icacls to grant specific rights on a file or folder. Below, you're granting (/grant) a user (user02) the delete (D) and read data/list directory (RD) rights on a folder (Folder1).

icacls Folder1 /grant user02:(D,RD)

You must enclose specific permissions (such as RD) in parentheses, as illustrated below.

Output of the /grant switch with advanced permissions shown

Denying a User Permissions on a File and Folder

You may want to explicitly restrict a user's or group's access to a file or folder. The /deny switch does this.

The commands below deny full rights to a single user on a file and on a folder. After they run, user01 will be unable to access the MyFile.txt file or the MyFolder folder.

# Deny (/deny) full rights (F) on a file (MyFile.txt) for a user (user01)
icacls MyFile.txt /deny user01:F
# Deny (/deny) full rights (F) on a folder (MyFolder) for a user (user01)
icacls MyFolder /deny user01:F

Removing a User's Permissions on a File and Folder

You may want to remove all of a user's rights on a file or folder. In that case, use the /remove switch with the icacls command.

The commands below remove all of user01's permissions on a file and a folder. Once they finish, user01 will no longer be able to read or alter the myfile.txt text file or the Folder1 folder.

# Remove all of user01's permissions on myfile.txt
icacls myfile.txt /remove user01
# Remove all of user01's permissions on Folder1
icacls Folder1 /remove user01

Integrity Levels for Securing Files and Folders

In addition to permissions, every object in Windows, including files, folders, registry entries, running processes, and user sessions, has an integrity level.

Any object with a security descriptor can be given an integrity level. An integrity level can restrict less trustworthy objects even further, even when a user has full access to a file or folder.

In the table below, you’ll find a list of integrity levels that you may assign to a Windows object.

Untrusted: Processes that start up on their own, with no user launching them. Example: Edge and Chrome start their update procedures automatically, and those processes are labelled untrusted.

Low: Integrity is severely restricted. Low-integrity processes can't write to the registry and have very limited access to files and directories. Example: Internet Explorer in Protected Mode runs at low integrity.

Medium: The level most objects have. Standard (non-admin) users are assigned medium integrity, and objects not identified as low or high default to medium.

High: Administrators have high integrity by default, which lets them work with high-integrity objects as well as medium- and low-integrity ones. Example: processes launched with the "Run as Administrator" option or otherwise elevated.

System: Assigned to Windows OS files and essential services. Example: Windows services running as the Local, Network, or NT AUTHORITY\SYSTEM service account.

Installer: The highest of all the integrity levels. Objects with the installer integrity level can remove other objects, since their integrity level is comparable to High.

Perhaps you want to know what integrity level each Windows process on your machine runs at. If so, open Microsoft Process Explorer, right-click any column heading, and choose Columns from the menu that appears, as shown below.

Now tick the Integrity Level option in the Select Columns pop-up box to add the Integrity column to the process list, then click OK.

The Integrity column appears at the right-hand side of the process list, where you can see each process's integrity level.

Viewing the Integrity Levels of Processes

Preventing Non-Admin Users from Making Changes to a File or Folder

When you want to stop other users from altering a file or folder, set a high integrity level on it. Only administrators can modify high-integrity files and folders.

Let's look at how the icacls command sets an integrity level.

1. With the commands below, create a text file in the current directory and set the file's integrity level to high.

# Create a text file named demo.txt in the current directory
echo . > demo.txt
# Set the text file's (demo.txt) integrity level to high (H)
icacls demo.txt /setintegritylevel H

Changing a file's integrity level

2. View the file's ACL again with icacls to check its integrity level. You have full access to the file, but its integrity level is now set to high, as seen below.

Verifying a File's Integrity Level

3. To verify that the integrity level is enforced, switch to a non-admin user on your PC and try to append text to the file with the command below.

echo "Adding text to demo file" >> demo.txt

You will get an error message stating that access is denied. Even though the user has full access to the file, it can only be altered by an account in the Administrators group.

Access denied when changing a file with a high integrity level

Disabling Inheritance Limits File and Folder Modification

By default, files and folders inherit the permissions of their parent folder. When creating a new folder or file, you may want to avoid granting people needless access. One way to do this is to disable inheritance.

You don't need to be an administrator to disable inheritance, but you do need full access to the object.

For example, when you create the folder C:\myfolder\testdata, it inherits its permissions from the parent folder C:\myfolder.

To understand inheritance and the effect of disabling it, view the permissions of any file in your Desktop folder in File Explorer. They will look like the ones shown below. Note that the file's permissions are inherited from its parent directories.

Before modifying inheritance, check the file's advanced permissions

To disable inheritance on this file with icacls, run the command below with the /inheritance option. The d parameter disables inheritance and converts the inherited ACEs into explicit permissions.

# Disable inheritance on Myfile.txt, keeping the inherited ACEs as explicit ones
icacls .\Desktop\Myfile.txt /inheritance:d

With the /inheritance option you can also pass e to enable inheritance, or r to disable it and remove all inherited ACEs from the object, i.e. /inheritance:e or /inheritance:r.

When inheritance is disabled, icacls converts each inherited ACE into an explicit permission, as seen below (Inherited from shows None).

Explicit Permissions and Inherited Permissions

After re-enabling the file's inheritance, you may want to remove those explicit permissions. You can do this either by deleting the permissions manually or by resetting the file's inheritance. When a file's inheritance is reset, all of its explicit permissions are removed and it inherits the permissions of its parent folder again.

The following command resets (/reset) the inheritance of a file (demo.txt) while suppressing success messages (/q) and continuing past errors (/c).

icacls demo.txt /reset /q /c

Resetting the Inheritance of a File

Permissions Granting and Denying at Different Inheritance Levels

The NTFS file system is a hierarchy of folders, each with a parent and, in some cases, child folders. That structure has several "levels", and inheritance can be set at each of them. Given a path like C:\Folder\Subfolder, for example, you can set inheritance on C:\, on Folder, and on Subfolder.

When you use icacls to set a permission on a folder, it sets that folder's inheritance so the permission propagates to its subfolders. But what if you want to apply a permission to a folder only, without it being inherited by its subfolders?

The command below grants the user (user02) full permission (F) on the mydemo folder. Since no inheritance options are specified, icacls grants full access on the mydemo folder itself. If no inheritance option is given, the default option (OI) is applied automatically.

icacls mydemo /grant user02:(F)

Perhaps you want to grant a user access with a specific inheritance. In that case, use the command below.

Below, you're granting (/grant) read-only access (R) to a user (user02) on the mydemo folder's files (OI) and subfolders (CI).

icacls mydemo /grant user02:(OI)(CI)R

The options for setting the level of inheritance for a file or folder are shown below:

  • (OI) – Object Inheritance: this folder and files. Nothing propagates to subfolders.
  • (CI) – Container Inheritance: this folder and its subfolders.
  • (IO) – Inherit Only: the ACE does not apply to the current file or folder itself.
  • (OI)(CI) – This folder, subfolders, and files.
  • (OI)(CI)(IO) – Subfolders and files only.
  • (CI)(IO) – Subfolders only.
  • (OI)(IO) – Files only.
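As an added example (not code from the article), the Python below parses the ACE lines that icacls prints, like the Folder1 output shown earlier, maps each inheritance-flag combination to the "applies to" meaning listed above, and reports allow ACEs that give broad groups write access, which is the first thing to look for when auditing a folder. The sample output, the principal names in it, and the list of "broad" groups are all constructed for the example.

```python
# Added example (not from the article): parse the ACE lines that
# "icacls <path>" prints and flag broad principals holding write access.
import re
from typing import NamedTuple

# Constructed sample of "icacls Folder1" output; not captured from a host.
SAMPLE_OUTPUT = r"""Folder1 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX)
        NT AUTHORITY\Authenticated Users:(I)(M)
        NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
        Everyone:(CI)(IO)(W)
        user01:(DENY)(D,RD)
Successfully processed 1 files; Failed processing 0 files"""

# "Applies to" meaning of each inheritance-flag combination, per the article.
APPLIES_TO = {
    frozenset(): "this folder only",
    frozenset({"OI"}): "this folder and files",
    frozenset({"CI"}): "this folder and subfolders",
    frozenset({"OI", "CI"}): "this folder, subfolders and files",
    frozenset({"OI", "CI", "IO"}): "subfolders and files only",
    frozenset({"CI", "IO"}): "subfolders only",
    frozenset({"OI", "IO"}): "files only",
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}   # (I) = inherited, (DENY) = deny ACE
BROAD = {"everyone", "users", "builtin\\users", "nt authority\\authenticated users"}
WRITE = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<groups>(?:\([^()]*\))+)$")

class Ace(NamedTuple):
    principal: str
    deny: bool
    inherited: bool       # shown as (I): came from a parent folder
    flags: frozenset      # subset of INHERIT_FLAGS
    rights: tuple         # e.g. ("F",) or ("D", "RD")

    def applies_to(self) -> str:
        return APPLIES_TO.get(self.flags, "inherit only (no effect on this object)")

def parse_icacls_output(text: str, path: str) -> list:
    # "path" (what you ran icacls on) prefixes the first ACE line; strip it
    # explicitly, since paths may contain spaces just like principal names.
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        flags = frozenset(g for g in groups if g in INHERIT_FLAGS)
        rights = tuple(r for g in groups if g not in INHERIT_FLAGS | {"I", "DENY"}
                       for r in g.split(","))
        aces.append(Ace(m.group("who"), "DENY" in groups, "I" in groups, flags, rights))
    return aces

def audit(aces: list) -> list:
    # One finding per allow ACE that gives a broad principal any write right.
    return [f"{a.principal}: {','.join(w)} on {a.applies_to()}"
            for a in aces if not a.deny and a.principal.lower() in BROAD
            if (w := sorted(set(a.rights) & WRITE))]
```

Running audit(parse_icacls_output(SAMPLE_OUTPUT, "Folder1")) on the constructed sample reports the two Authenticated Users modify entries and the Everyone write entry, each with the scope its inheritance flags give it.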

Changing a File Share’s Permissions

So far you've learned how to change permissions on your local PC. icacls can also adjust permissions on remote files, even though it has no switch dedicated to remote paths.

When modifying permissions on a remote PC, you must enter the complete path of the file, as shown below. To grant access to other users, you also need permissions on the actual folder, file, and share path.

Below, you're either granting (/grant) or denying (/deny) full permission (F) to a user (user02) on a text file (c$\temp\testfile.txt) on a remote PC (\\win10vm2).

# Grant (/grant) full permission (F) to user02 on a file on the remote PC
icacls \\win10vm2\c$\temp\testfile.txt /grant user02:F
# Deny (/deny) full permission (F) to user02 on the same file
icacls \\win10vm2\c$\temp\testfile.txt /deny user02:F

Conclusion

In this tutorial you've learned how to use the icacls command to set permissions ranging from basic to advanced. You've also learned how to save the ACLs of your files and folders to an ACL file as a backup in case a permission change goes wrong.

How would you choose to handle file and folder permissions now that you have this newfound knowledge? Locally? Remotely? Or a hybrid of the two?
