Полезное‎ > ‎CMD‎ > ‎

icacls

iCACLS.exe (2003 sp2, Vista)

Change file and folder permissions - display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS

Syntax (files)
      ICACLS FileName [/grant[:r] User:Permission[...]]
         [/deny User:Permission[...]]
            [/remove[:g|:d]] User[...]]
               [/t] [/c] [/l] [/q]
                  [/setintegritylevel Level[...]]
 
Syntax (Store acls for all matching names into aclfile 
         for later use with /restore)
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    
Syntax (restore folder) 
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]
 
Syntax (Change Owner)
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]
 
Syntax (Find items with an ACL that mentions a specific SID)  
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
 
Syntax (Find files whose ACL is not in canonical form or 
         with a length inconsistent with the ACE count.)
      ICACLS name /verify [/T] [/C] [/L] [/Q]
 
Syntax (Replace ACL with default inherited acls for all matching files)
      ICACLS name /reset [/T] [/C] [/L] [/Q]
 
Key
   
   /T  Traverse all subfolders to match files/directories. 
   
   /C  Continue on file errors (access denied)  Error messages are still displayed.
  
   /L  Perform the operation on a symbolic link itself, not its target.
 
   /Q  Quiet - supress success messages.
	
   /grant :r user:permission 
       Grant access rights, with :r, the permissions
       will replace any previouly granted explicit permissions.
       Otherwise the permissions are added.
 
   /deny user:permission
       Explicitly deny the specified user access rights.
       This will also remove any explicit grant of the 
       same permissions to the same user.
 
   /remove[:[g|d]] User 
       Remove all occurrences of User from the acl. 
	    :g remove all granted rights to that User/Sid.
	    :d remove all denied rights to that User/Sid.
 
    /setintegritylevel [(CI)(OI)]Level 
       Add an integrity ACE to all matching files. 
       level is one of L,M,H (Low Medium or High)
	   
       A Directory Inheritance option for the integrity ACE may precede the level:
          /inheritance:e|d|r
             e - enable inheritance
             d - disable inheritance and copy the ACEs 
             r - remove all inherited ACEs
 
   user   A user account, Group or a SID

/restore Apply the acls stored in ACLfile to the files in directory permission is a permission mask and can be specified in one of two forms: a sequence of simple rights: F - full access M - modify access RX - read and execute access R - read-only access W - write-only access a comma-separated list in parenthesis of specific rights: D - delete RC - read control WDAC - write DAC WO - write owner S - synchronize AS - access system security MA - maximum allowed GR - generic read GW - generic write GE - generic execute GA - generic all RD - read data/list directory WD - write data/add file AD - append data/add subdirectory REA - read extended attributes WEA - write extended attributes X - execute/traverse DC - delete child RA - read attributes WA - write attributes inheritance rights may precede either form and are applied only to directories: (OI) - object inherit (CI) - container inherit (IO) - inherit only (NP) - don't propagate inherit

Unlike many other command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants

Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.

Using iCACLS

  • To edit a file you must already have the "Change" ACL (or be the file's owner)
  • To use the iCACLS command to change the permissions of a file requires "FULL Control" (or be the file's owner)
  • File "Ownership" will always override all ACL's - you always have Full Control over files that you create.

Inherited folder permissions are displayed as:

 OI - Object inherit    - This folder and files. (no inheritance to subfolders)
 CI - Container inherit - This folder and subfolders.
 IO - Inherit only      - The ACE does not apply to the current file/directory
 
These can also be combined as folllows:
 (OI)(CI)	    This folder, subfolders, and files.
 (OI)(CI)(IO)	Subfolders and files only.
     (CI)(IO)  Subfolders only.
 (OI)    (IO)	Files only. 

So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Fullcontrol)
similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)

When cacls is applied to the current folder only there is no inheritance and so no output.

Bugs

You can’t break existing inheritance of permissions with icacls, for that you need XCACLS.vbs.

In Windows Server 2003 SP2 there is a bug when attempting to use the /setowner switch, which returns “Access denied”.
A limited release hotfix is available to resolve this issue (Q947870) alternatively use SUBINACL
nb this bug is NOT present on Vista SP1 or Windows Server 2008.

Examples:

To backup the ACLs of every file in a directory type:

icacls * /save Myacl_backup.txt

Restore ACLS using a previously saved acl file:

icacls /restore Myacl_backup.txt

Change the Integrity Level (IL) of a file to High:

icacls MyReport.doc /setintegritylevel H

Grant the group FileAdmins Delete and Write DAC permissions to Sales_Folder:

icacls Sales_Folder /grant FileAdmins:(D,WDAC)

Propagate a new permission to all files and subfolders, without using inheritance:
(so if any of the subfolders contain specific permissions, those won't be overwritten)

icacls * /grant accountName:(NP)(RX) /T

"Whether a pretty woman grants or withholds her favours, she always likes to be asked for them" - Ovid (Ars Amatoria)

Related:

ATTRIB - Display or change file attributes
AccessEnum - GUI to browse a tree view of user privs
CACLS - Change file permissions
DIR /Q - Display the owner for a list of files (try it for Program files)
PERMS - Show permissions for a user
FIXACLS - Restore default privs (Resource Kit supplement 2)
FSUTIL - File System Options
NTRIGHTS - Edit user account rights
SHOWACL - Show file Access Control Lists (Windows 2000)
TAKEOWN - Take ownership of shares
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders
Q919240 - Icacls is available for Windows Server 2003 SP2
Q834721 - Permissions on Folder are incorrectly ordered
Q943043 - Icacls.exe does not support inheritance
Q245031 - Change Registry Permissions (RegIni)
Q220167 - Understanding Container Access Inheritance Flags
Permissions explained
ACL utils: SetACL or FileACL (free)
Equivalent bash command (Linux): chmod / chown - Change file permissions/owner and group

Comments