Relate to: Security, File system, Console

Default location: %WinDir%\System32\icacls.exe

Useful information about: icacls.exe

Version: 6.0.6000.16386 (vista_rtm.061101-2205)

Size: 26624 (26K)

MD5: E28D89D14C60D00A98D05131FDB103A7

Icacls.exe is a tool for working with Access Control Lists (ACL).

Usage:

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]

store the the acls for the all matching names into aclfile for

later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile

[/C] [/L] [/Q]

applies the stored acls to files in directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]

changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

finds all matching names that contain an ACL

explicitly mentioning Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]

finds all files whose ACL is not in canonical for or whose

lengths are inconsistent with ACE counts.

ICACLS name /reset [/T] [/C] [/L] [/Q]

replaces acls with default inherited acls for all matching files

ICACLS name [/grant[: r] Sid:perm[...]]

[/deny Sid: perm [...]]

[/remove[: g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]

[/setintegritylevel Level: policy[...]]

/grant[: r] Sid:perm grants the specified user access rights. With :r,

the permissions replace any previouly granted explicit permissions.

Without : r, the permissions are added to any previously granted

explicit permissions.

/deny Sid: perm explicitly denies the specified user access rights.

An explicit deny ACE is added for the stated permissions and

the same permissions in any explicit grant are removed.

/remove[: [g|d]] Sid removes all occurrences of Sid in the acl. With

: g, it removes all occurrences of granted rights to that Sid. With

: d, it removes all occurrences of denied rights to that Sid.

/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity

ACE to all matching files. The level is to be specified as one

of:

L[ow]

M[edium]

H[igh]

Inheritance options for the integrity ACE may precede the level

and are applied only to directories.

Note:

Sids may be in either numerical or friendly name form. If a numerical

form is given, affix a * to the start of the SID.

/T indicates that this operation is performed on all matching

files/directories below the directories specified in the name.

/C indicates that this operation will continue on all file errors.

Error messages will still be displayed.

/L indicates that this operation is performed on a symbolic link

itself versus its target.

/Q indicates that icacls should supress success messages.

ICACLS preserves the canonical ordering of ACE entries:

Explicit denials

Explicit grants

Inherited denials

Inherited grants

perm is a permission mask and can be specified in one of two forms:

a sequence of simple rights:

F - full access

M - modify access

RX - read and execute access

R - read-only access

W - write-only access

a comma-separated list in parenthesis of specific rights:

D - delete

RC - read control

WDAC - write DAC

WO - write owner

S - synchronize

AS - access system security

MA - maximum allowed

GR - generic read

GW - generic write

GE - generic execute

GA - generic all

RD - read data/list directory

WD - write data/add file

AD - append data/add subdirectory

REA - read extended attributes

WEA - write extended attributes

X - execute/traverse

DC - delete child

RA - read attributes

WA - write attributes

inheritance rights may precede either form and are applied

only to directories:

(OI) - object inherit

(CI) - container inherit

(IO) - inherit only

(NP) - don't propagate inherit

Examples:

icacls c: \windows\* /save AclFile /T

- Will save the ACLs for all files under c: \windows

and its subdirectories to AclFile.

icacls c: \windows\ /restore AclFile

- Will restore the Acls for every file within

AclFile that exists in c: \windows and its subdirectories

icacls file /grant Administrator: (D,WDAC)

- Will grant the user Administrator Delete and Write DAC

permissions to file

icacls file /grant *S-1-1-0: (D,WDAC)

- Will grant the user defined by sid S-1-1-0 Delete and

Write DAC permissions to file

Slow computer? Get rid of a Virus/Trojan/Adware/Spyware/Rootkit? Try RegRun for free. It helps...