
ICACLS – How To Use It To Master NTFS Permissions Management?

Having trouble managing NTFS permissions on files and folders? Struggling with the ICACLS command-line tool? Here we are to lend you a hand. Stay tuned!

An ACL, or Access Control List, is the list of access permissions attached to a file or a folder on the file system. The list defines who manages the object’s security and how others can get access to it.

ICACLS, the successor to cacls (Change Access Control Lists), is a command-line tool. The utility allows users to display and modify ACLs for files and directories.

Besides, you can look for files with specific owners and perform “save and restore” operations on files and folders. In brief, this powerful tool provides users with the ability to conduct loads of ACL-related operations.

A Windows administrator typically has to list and manage NTFS permissions for directories and folders on the file system. Basically, one of the most common and optimal ways to deal with the task is to take advantage of the built-in ICACLS tool.

This post will show you how to use the ICACLS command to manage file and folder permissions. Home users can follow our guide to cope with such complicated permission structures. Let’s get started!

ICACLS: How To Set And Manage File & Folder Permissions

View File and Folder Permissions Using ICACLS.exe

To view who is currently able to get access to a file, you can use ‘ICACLS.exe’, whose predecessor is cacls.exe. This utility allows displaying Access Control Lists for files and directories on the file system.

If your folder is named C:\LS, for instance, open a command shell and use the command: ICACLS c:\LS. The list of users granted permissions to that folder will instantly show up. The full output is:

c:\LS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 file; Failed processing 0 files

What does the syntax of the output mean? Each line names a user or group, followed by the level of access it has to the resource. The top line of the output, CORP\someusername, indicates who has permission for access. That user, or group, is assigned the following rights:

  • OI: object inherit
  • CI: container inherit
  • M: modify access

In short, those NTFS permissions give the user mentioned above the authority to write and modify all child objects in this folder.

Next, you have a detailed permission list, which can be set via the ICACLS tool:

ICACLS inheritance settings:

  • OI: object inherit
  • CI: container inherit
  • IO: inherit only
  • NP: don’t propagate
  • I: permission inherited from the parent folder.

Basic access permissions:

  • D: delete access
  • F: full access
  • N: no access
  • M: modify access
  • RX: read and execute access
  • R: read-only access
  • W: write-only access.
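
The PowerShell function below is an added example, not part of the original guide. It parses icacls output in the format shown above into objects and marks allow entries that give a broad group write-level access. The function name, the constructed sample text (with an extra Everyone entry), and the lists of broad groups and write-level rights are assumptions for illustration.

```powershell
# Constructed sample of "icacls c:\LS" output; the Everyone line is added for illustration.
$sample = @'
c:\LS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
'@ -split "`r?`n"

$inheritFlags = 'I', 'OI', 'CI', 'IO', 'NP'
# Assumption: which principals are "broad" and which rights are "write-level" is a local policy choice.
$broadGroups  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeRights  = 'F', 'M', 'W'

# Hypothetical helper name; not an icacls or PowerShell built-in.
function ConvertFrom-IcaclsOutput {
    param([string[]]$Lines, [string]$Path)
    foreach ($line in $Lines) {
        # An ACE line ends in "<identity>:(x)(y)..."; blank and summary lines do not match.
        if ($line -match '^(?<head>.+?):(?<perms>(\([^()]+\))+)\s*$') {
            $head  = $Matches['head'].Trim()
            $perms = $Matches['perms']
            # The first ACE line is prefixed with the path that was queried.
            if ($head.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
                $head = $head.Substring($Path.Length).Trim()
            }
            # Each parenthesised group is a flag or a comma-separated list of rights.
            $tokens = [regex]::Matches($perms, '\(([^()]+)\)') |
                ForEach-Object { $_.Groups[1].Value -split ',' }
            $deny   = $tokens -contains 'DENY'
            $rights = @($tokens | Where-Object { $_ -notin $inheritFlags -and $_ -ne 'DENY' })
            $broad  = (-not $deny) -and ($head -in $broadGroups) -and [bool]($rights | Where-Object { $_ -in $writeRights })
            [pscustomobject]@{
                Identity   = $head
                Inherited  = $tokens -contains 'I'
                Flags      = @($tokens | Where-Object { $_ -in $inheritFlags -and $_ -ne 'I' })
                Rights     = $rights
                Deny       = $deny
                BroadWrite = $broad
            }
        }
    }
}

ConvertFrom-IcaclsOutput -Lines $sample -Path 'c:\LS' |
    Format-Table Identity, Inherited, Flags, Rights, BroadWrite
```

To audit a real folder, pass the output of `icacls c:\LS` as `-Lines` instead of the sample.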

In case you want to search a specific folder, including its child objects and subdirectories, for entries whose ACL mentions a particular user or group SID, run the command:

ICACLS C:\LS /findsid [User/Group_SID_here] /t /c /l /q

Grant NTFS Permissions Of A File Or Folder

For example, suppose only the user Jack can access the file, and we want to give the user Lily permission to edit its contents. Let’s change the access list by running the command:

ICACLS C:\LS /t /grant Lily:F

In the above command, the /t option means recursive and F means full access. That means we granted full control permission to the user.

You can also use the built-in group names (Administrators, Everyone, etc.) in the ICACLS utility when executing the command, like this:

ICACLS C:\LS /grant Users:F /T

Similarly, you can remove all of Lily’s permissions using the command:

ICACLS C:\LS /remove Lily

To prevent a user or group from accessing a folder, use the /deny option:

ICACLS c:\ls /deny "NYUsers:(CI)(M)"

Please remember that deny rules take precedence over allow rules.

Should you want to apply a new permission to all files and subfolders of the parent folder, replacing any explicit permissions previously granted to that user or group (the :r suffix), run the command:

ICACLS "C:\LS" /grant:r Everyone:(IO)(RC) /T

What’s more, you can use the %username% variable to grant permissions to the currently logged-on user:

ICACLS c:\LS /grant %username%:F

Sometimes, you may get the response “access is denied”. That is a common error, often occurring when users try to change the access rights of a folder with the ICACLS command-line tool.

To solve the issue, first check that you are running the command with elevated rights (as an administrator). No elevation prompt will appear, because ICACLS is not a UAC-aware utility.

Should the error still exist, check through all current folder permissions. Your account may not have the right to “Change permissions” on the folder.

Use ICACLS To Take and Change Ownership On Windows

ICACLS is a native Windows utility that runs on Windows Vista, Windows 7, Windows 8, and Windows 10. What if a study written in 2018 was stored on an external hard disk? Of course, you need to recover it. The problem is that you don’t have full rights to do so.

As you open the file, you’ll see an alert message.

Don’t worry! One solution is to take advantage of ICACLS’s reset function. Please pay attention to the steps below:

  • Turn on the administrator mode
  • Open the command prompt
  • Move to the file and run the following reset command:

ICACLS * /t /q /c /reset

The response will be “access is denied”.

  • Become the owner using the takeown command:

takeown /R /F *

Then these lines will appear on your screen.
  • Click “Yes”, you now have the ACL reset.
Its permission state is currently as above.

If you intend to take ownership of a folder, use the syntax:

takeown /f <foldername>

or:

takeown /f <foldername> /a

/a: Ownership is given to the Administrators group. If /a is not specified, the currently logged-on user receives the ownership. This parameter is not case-sensitive.

You’ll see the output:

SUCCESS: The file (or folder): “folder_name” now owned by user “computername\username”

or:

SUCCESS: The file (or folder): “folder_name” is now owned by the group of administrators.

What’s more, you can change a folder’s ownership (including the ownership of all subfolders and files inside) by running the command:

takeown /f <foldername> /r /d y

The currently logged-on user becomes the folder’s owner.

Plus, use the /a switch to grant the folder’s ownership to the Administrators group recursively:

TAKEOWN /F <foldername> /a /r /d y

/R (recurse): directs the tool to operate on files in the specified folder and all subfolders.

/D prompt: the default answer used when the logged-on user doesn’t have permission to access a folder. This happens when operating recursively (/R) on subfolders. Valid values are “Y” to take ownership or “N” to skip.

Use ICACLS To Change Permissions In PowerShell Script

Should you need to change the NTFS permissions only for certain sorts of files, you can walk the folder structure and call the ICACLS tool on each match. Let’s take this case as an example: you want to find all files with the “past” phrase in the name and the *.docx extension in a shared network folder, and you need to grant the ITSec group “read” access to them. You can use the PowerShell script below:

# Collect the .docx files under d:\docs, including subfolders
$files = Get-ChildItem "d:\docs" -Recurse | Where-Object { $_.Extension -eq ".docx" }
foreach ($file in $files) {
    # Keep only files whose name contains "past"
    if ($file.Name -like "*past*") {
        $path = $file.FullName
        # Quote the grant argument so PowerShell does not parse (R) as an expression
        ICACLS $path /grant "corp\ITSec:(R)"
        Write-Host $path
    }
}

In addition, in PowerShell scripts, ICACLS can also be used to change NTFS permissions on remote computers:

$folder = "c:\Tools"
$grant = "/grant:r"   # :r replaces previously granted explicit permissions
$users = "corp\helpdesk"
$permission = ":(OI)(CI)(F)"
$ace = "$users$permission"   # corp\helpdesk:(OI)(CI)(F)
$servers = @("server1", "server2", "server3")
# $using: passes the local variables into the remote script block
Invoke-Command -ComputerName $servers -ScriptBlock {
    ICACLS $using:folder $using:grant $using:ace /T
}

Save And Restore NTFS Permissions Using ICACLS

More importantly, ICACLS also serves as a precautionary measure in case an ACL is accidentally lost, deleted, or damaged. Indeed, controlling the permission lists on file server folders is quite tiresome.

From time to time, we may pay no heed to directory or folder permissions. Then, when we try to access a specific file, we fail because the right to do so has been lost.

Moreover, imprecise changes at the root level of a folder tree may have unexpected results, as individual permissions on subordinate files and folders are forcefully changed. We might also run software that misbehaves, particularly where permissions are concerned.

Besides, what if we need to open a file whose permissions came from an old computer? Even though the file wasn’t created by another user, we still can’t access it.

In all those events, the ICACLS command utility is of great assistance.

Before significant permission changes (moving data, system updates, or resource migration) on an NTFS directory, we advise users to back up the existing permissions. This allows you to return to the original settings or check the previous access permissions on a specific folder.

First, you save the ACL of the object in a text file. Then you can apply the saved permission list to the same or another object. For example, run the following command to export the current ACLs on the veteran folder and back them up to the veteran_ntfs_perms.txt file:

ICACLS g:\veteran /save veteran_ntfs_perms.txt /t /c

By default, the permissions file is saved to the current working folder.

The exporting process may take a long time, depending on the number of directories and files. Once your command is successfully executed, the statistics will be displayed like this: Successfully processed 2560 files; Failed processing 0 files.

Plus, the good news is that users can restore lost NTFS permissions using ICACLS. The basic way is to reset the ACL and set default access permissions or inherit those from the parent. The more convenient method is to run the command below:

ICACLS g:\ /restore veteran_ntfs_perms.txt /t /c

Please note that when importing, you should specify the path to the parent container, not the directory itself.

Again, once all NTFS permissions are recovered, the same statistics show up on the screen: Successfully processed 2560 files; Failed processing 0 files.
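
The script below is an added example, not part of the original guide. It compares two files written by ICACLS /save for the same tree and reports paths whose saved ACL was added, removed, or changed, which helps decide whether a restore is needed. The function names and both sample backups (constructed, in the path-line-then-SDDL-line layout of a /save file) are assumptions for illustration.

```powershell
# Constructed contents of two /save files for the same tree (path line, then SDDL line).
$before = @'
veteran
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
veteran\report.docx
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)
'@ -split "`r?`n"
$after = @'
veteran
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
veteran\report.docx
D:AI(A;;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)
veteran\new.txt
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)
'@ -split "`r?`n"

# Hypothetical helper: turn the alternating path/SDDL lines into a path -> SDDL table.
function ConvertTo-AclMap {
    param([string[]]$Lines)
    $map = @{}
    $Lines = @($Lines | Where-Object { $_ -ne '' })
    for ($i = 0; $i + 1 -lt $Lines.Count; $i += 2) { $map[$Lines[$i]] = $Lines[$i + 1] }
    $map
}

# Hypothetical helper: list every path whose saved ACL differs between two backups.
function Compare-AclBackup {
    param([string[]]$Old, [string[]]$New)
    $o = ConvertTo-AclMap $Old
    $n = ConvertTo-AclMap $New
    foreach ($path in (@($o.Keys) + @($n.Keys) | Sort-Object -Unique)) {
        if (-not $o.ContainsKey($path)) { $state = 'Added' }
        elseif (-not $n.ContainsKey($path)) { $state = 'Removed' }
        elseif ($o[$path] -cne $n[$path]) { $state = 'Changed' }
        else { continue }
        [pscustomobject]@{ Path = $path; State = $state; Old = $o[$path]; New = $n[$path] }
    }
}

Compare-AclBackup -Old $before -New $after | Format-List

# For real backups, read each file as UTF-16 text:
#   Get-Content veteran_ntfs_perms.txt -Encoding Unicode
```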

Bottom Line

Managing NTFS permissions used to be a tedious and difficult job with the Windows UI. However, the arrival of ICACLS has made the task a breeze. It’s literally a lifesaving utility, giving millions of real-world customers a hand in dealing with complex permission structures.

We believe our guide can assist you greatly in getting the hang of the ICACLS command-line tool and working on your Windows. By spending 20 minutes trying to understand it, you can save yourself countless hours in the future. Why not?
