
Using the Icacls Command in Windows: A Complete Guide with Examples


Icacls is a powerful command-line utility in Windows that simplifies the process of managing file and folder permissions. It is especially useful for scripting tasks, allowing administrators to automate the setting, modification, and backup of access control lists (ACLs) efficiently.

Intro

  • OS: Windows Server 2008 minimum
  • ACL: Access Control List
  • ACE: Access Control Entry is an element in an Access Control List (ACL)

Commands

Reset ACL

  • Recover access to a file:
PS C:\Users\Administrator>takeown /A /R /F D:\FOLDER
  • Replaces the ACLs with the default inherited ACLs for all matching files:
    • /T: indicates that this operation is performed on all matching files/directories below the directories specified in the name
    • /C: indicates that this operation will continue on all file errors.
PS C:\Users\Administrator>icacls D:\FOLDER /reset /T /C

Remove all inherited ACEs

  • Remove all inherited ACEs:
PS C:\Users\Administrator>icacls D:\FOLDER /inheritance:r /T /C
  • Note:
    • /inheritance:e: Enables inheritance
    • /inheritance:d: Disables inheritance and copies the ACEs
    • /inheritance:r: Disables inheritance and removes only inherited ACEs

Set ACLs

  • /grant:r replaces any explicit permissions previously granted to the same user or group (plain /grant adds to them)
  • inheritance rights
    • (OI) object inherit
    • (CI) container inherit
    • (IO) inherit only
    • (NP) don't propagate inherit
    • (I) permission inherited from parent container
  • simple rights
    • (RX,W) read + execute and write only access
    • (RX,D) read + execute and delete access
    • (M) read, execute, write, delete and modify access
    • (F) full access
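  • in PowerShell, quote each principal:rights argument so that the parentheses reach icacls unchanged
PS C:\Users\Administrator>icacls "D:\FOLDER" /grant:r "domain.local\users:(OI)(CI)(RX,D)" "domain.local\Administrator:(OI)(CI)(F)" "SYSTEM:(OI)(CI)(F)" "Administrators:(OI)(CI)(F)" /T /C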

Remove user

  • Remove all granted rights for the SID from the ACL (/remove:g; /remove:d removes denied rights, plain /remove removes both):
PS C:\Users\Administrator>icacls 'c:\$Windows.~BT' /remove:g SYSTEM

Add a user with full rights

  • Grants the specified user access rights:
PS C:\Users\Administrator>icacls 'c:\$Windows.~BT' /grant "users:(OI)(CI)(F)"

Deny rights to a user

  • Explicitly denies access rights to the specified user:
PS C:\Users\Administrator>icacls 'c:\$WINDOWS.~BT' /deny "SYSTEM:(OI)(CI)(F)"

Examples

Resetting ACL

  • Recover access to a file with takeown tool:
PS C:\Users\Administrator>takeown /A /R /F E:\Common\TEST
  • Replace ACLs with default inherited ACLs for all matching files:
PS C:\Users\Administrator>icacls E:\Common\TEST /reset /T /C

Add a User

  • Add a user with read+execute and delete access:
PS C:\Users\Administrator>icacls E:\Common\TEST /grant "s.marsh@std.local:(OI)(CI)(RX,D)"
  • Add a user with read+execute and write only access:
PS C:\Users\Administrator>icacls E:\Common\TEST /grant "b.stotch@std.local:(OI)(CI)(RX,W)"

Remove a User

  • Remove a user:
PS C:\Users\Administrator>icacls E:\Common\TEST /remove s.marsh@std.local

Permissions

  • Replace permissions:
PS C:\Users\Administrator>icacls E:\Common\TEST /grant:r "b.stotch@std.local:(OI)(CI)(RX,D)"
  • Deny a user access rights:
PS C:\Users\Administrator>icacls E:\Common\TEST /deny "b.stotch@std.local:(OI)(CI)(F)"

Misc

  • Print current permissions:
PS C:\Users\Administrator>icacls E:\Common\TEST
E:\Common\TEST BUILTIN\Administrators:(I)(F)
               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
               BUILTIN\Users:(I)(OI)(CI)(RX)
               BUILTIN\Users:(I)(CI)(WD,AD)
Successfully processed 1 files; Failed processing 0 files
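The listing above can be reviewed automatically. The following is an added example, not part of the original page: it parses icacls listing output into objects and flags write-capable ACEs held by broad principals. The function name, the list of "broad" principals and the set of rights treated as write-capable are assumptions to adapt locally.

```powershell
# Added example (not from the original page): turn icacls listing output into
# objects and flag write-capable ACEs held by broad principals.
$path   = 'E:\Common\TEST'
$sample = @'
E:\Common\TEST BUILTIN\Administrators:(I)(F)
               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
               BUILTIN\Users:(I)(OI)(CI)(RX)
               BUILTIN\Users:(I)(CI)(WD,AD)
'@ -split "`r?`n"   # the listing printed above; on a live system use: icacls $path

$inheritFlags = 'I','OI','CI','IO','NP'
# Rights that let the holder change content, delete, or rewrite the ACL or owner.
$writeRights  = 'F','M','W','D','DE','WD','AD','DC','WDAC','WO','GW','GA'
# Assumption: which principals count as "broad" is a local policy decision.
$broad        = 'Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users'

function ConvertFrom-IcaclsLine {
    param([string]$Line, [string]$Path)
    # An ACE line ends in one or more parenthesised groups: principal:(..)(..)
    if ($Line -notmatch '^(?<who>.+?):(?<perm>(\([^)]+\))+)\s*$') { return }
    $who = $Matches['who'].Trim()
    if ($who.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
        $who = $who.Substring($Path.Length).Trim()   # the first line carries the path
    }
    $tokens = [regex]::Matches($Matches['perm'], '\(([^)]+)\)') |
        ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        Principal = $who
        Deny      = $tokens -contains 'DENY'
        Inherited = $tokens -contains 'I'
        Flags     = @($tokens | Where-Object { $_ -in $inheritFlags }) -join ','
        Rights    = @($tokens | Where-Object { $_ -notin $inheritFlags -and $_ -ne 'DENY' } |
                      ForEach-Object { $_ -split ',' })
    }
}

$aces = $sample | ForEach-Object { ConvertFrom-IcaclsLine -Line $_ -Path $path }
$aces | Where-Object {
    -not $_.Deny -and $_.Principal -in $broad -and
    @($_.Rights | Where-Object { $_ -in $writeRights }).Count -gt 0
} | Format-Table Principal, Inherited, Flags, @{ n = 'Rights'; e = { $_.Rights -join ',' } }
```

On this listing the only ACE reported is the inherited BUILTIN\Users entry with (WD,AD), which lets any local user create files and subfolders in the directory.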

Save/Restore ACL

  • Save the current ACLs to a file:
PS C:\Users\Administrator>icacls E:\Common\TEST /save AclFile /T
processed file: E:\Common\TEST
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anemia.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anemia.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anything_That_You_Want.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anything_That_You_Want.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Asshole.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Asshole.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Breathless.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Breathless.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Denomia.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Denomia.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Easy_Way.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Easy_Way.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Illusions_And_Witnesses.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Illusions_And_Witnesses.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Impro.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Impro.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Insubstantial_As_Me.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Insubstantial_As_Me.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Last_Tango.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Last_Tango.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Queens_&_Princes.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Queens_&_Princes.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Refund_You.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Refund_You.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Something.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Something.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_The_Elements_Of_A_State.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_The_Elements_Of_A_State.ogg
processed file: E:\Common\TEST\tracks.xml
Successfully processed 30 files; Failed processing 0 files
  • Restore ACLs from a file:
PS C:\Users\Administrator>icacls E:\Common\ /restore AclFile /T
processed file: E:\Common\TEST
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anemia.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anemia.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anything_That_You_Want.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Anything_That_You_Want.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Asshole.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Asshole.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Breathless.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Breathless.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Denomia.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Denomia.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Easy_Way.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Easy_Way.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Illusions_And_Witnesses.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Illusions_And_Witnesses.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Impro.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Impro.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Insubstantial_As_Me.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Insubstantial_As_Me.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Last_Tango.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Last_Tango.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Queens_&_Princes.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Queens_&_Princes.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Refund_You.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Refund_You.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Something.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_Something.ogg
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_The_Elements_Of_A_State.mp3
processed file: E:\Common\TEST\The_Dolphins_-_Demo_-_The_Elements_Of_A_State.ogg
processed file: E:\Common\TEST\tracks.xml
Successfully processed 30 files; Failed processing 0 files
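The save and restore commands above combine naturally into a change-with-rollback routine. The following is an added example, not part of the original page: the helper name Get-IcaclsFailureCount and the backup location are assumptions, the target, user and rights are reused from the examples above, and the summary-line parsing assumes English-language icacls output.

```powershell
# Added example (not from the original page): apply an ACL change with a saved
# backup and roll back if icacls reports failures. Values below are placeholders
# reused from the examples above; adjust before use.
$Target    = 'E:\Common\TEST'
$Principal = 'b.stotch@std.local'
$Rights    = '(OI)(CI)(RX,D)'
$Backup    = Join-Path $env:TEMP ('acl-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))

function Get-IcaclsFailureCount {
    param([string[]]$Output)
    # Reads the summary line icacls prints last, e.g.
    # "Successfully processed 30 files; Failed processing 0 files".
    $summary = $Output | Where-Object { $_ -match 'Failed processing (\d+) files' } |
        Select-Object -Last 1
    if (-not $summary) { return -1 }      # no summary line: treat as an error
    [void]($summary -match 'Failed processing (\d+) files')
    [int]$Matches[1]
}

# 1. Save the ACLs of the folder and everything below it.
$saveOut = icacls $Target /save $Backup /T /C
if ((Get-IcaclsFailureCount $saveOut) -ne 0) {
    throw 'ACL backup incomplete; nothing was changed.'
}

# 2. Apply the change. Principal and rights are passed as ONE quoted argument,
#    otherwise PowerShell tries to evaluate the parentheses itself.
$grantOut = icacls $Target /grant:r "${Principal}:$Rights" /T /C
$failed   = Get-IcaclsFailureCount $grantOut

if ($failed -ne 0) {
    # 3. Roll back. The backup stores paths relative to the parent of $Target,
    #    so /restore is pointed at the parent directory, as in the command above.
    $parent = Split-Path -Path $Target -Parent
    icacls $parent /restore $Backup /C | Out-Null
    throw "Grant did not complete cleanly; ACLs restored from $Backup."
}
"Change applied. Backup kept at $Backup"
```

Keep the backup file somewhere only administrators can write to, since whatever it contains is what /restore will apply.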
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
