Icacls command

Updated: 11/12/2023 by Computer Hope
icacls command at a command line C prompt.

The icacls command enables users to view and modify an ACL. This command is similar to the cacls command available in previous versions of Windows.

Availability

Icacls is an external command and is available for the following Microsoft operating systems as icacls.exe.

Icacls syntax

icacls name /save aclfile [/T] [/C] [/L] [/Q]

Stores the DACLs for the files and folders that match name into aclfile for later use with /restore. Note that SACLs, owner, or integrity labels are not saved.

icacls directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] 
       [/L] [/Q]

Applies the stored DACLs to files in directory.

icacls name /setowner user [/T] [/C] [/L] [/Q]

Changes the owner of all matching names. This option does not force a change of ownership; use the takeown.exe utility for that purpose.

icacls name /findsid Sid [/T] [/C] [/L] [/Q]

Finds all matching names that contain an ACL explicitly mentioning Sid.

icacls name /verify [/T] [/C] [/L] [/Q]

Finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.

icacls name /reset [/T] [/C] [/L] [/Q]

Replaces ACLs with default inherited ACLs for all matching files.

icacls name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] [Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]]
/grant[:r] Sid:perm Grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.
/deny Sid:perm Explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
/remove[:[g|d]] Sid Removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights to that Sid. With :d, it removes all occurrences of denied rights to that Sid.
/setintegritylevel [(CI)(OI)]Level

Explicitly adds an integrity ACE to all matching files. The level is to be specified as one of:
L[ow]
M[edium]
H[igh]

Inheritance options for the integrity ACE may precede the level, and are applied only to directories.

/inheritance:e|d|r e - Enables inheritance.
d - Disables inheritance and copy the ACEs.
r - Removes all inherited ACEs.
Note

Sids may be in either numerical or friendly name form. If a numerical form is given, prefix the Sid with an asterisk (*).

/T Indicates that this operation is performed on all matching files/directories below the directories specified in the name.
/C Indicates that this operation continues on all file errors. Error messages are still be shown.
/L Indicates that for any symbolic links encountered, this operation is to be performed on the symbolic link itself, rather than its target.
/Q Indicates that icacls should suppress success messages.

ICACLS preserves the canonical ordering of ACE entries:

  • Explicit denials.
  • Explicit grants.
  • Inherited denials.
  • Inherited grants.

The permission mask perm can be specified as a sequence of simple rights:

  • N: no access.
  • F: full access.
  • M: modify access.
  • RX: read and execute access.
  • R: read-only access.
  • W: write-only access.
  • D: delete access.

Alternatively, perm may be specified as a comma-separated list of specific rights, enclosed in parentheses:

  • DE: delete.
  • RC: read control.
  • WDAC: write DAC.
  • WO: write owner.
  • S: synchronize.
  • AS: access system security.
  • MA: maximum allowed.
  • GR: generic read.
  • GW: generic write.
  • GE: generic execute.
  • GA: generic all.
  • RD: read data/list directory.
  • WD: write data/add file.
  • AD: append data/add subdirectory.
  • REA: read extended attributes.
  • WEA: write extended attributes.
  • X: execute/traverse.
  • DC: delete child.
  • RA: read attributes.
  • WA: write attributes.

Inheritance rights may precede either form, and are applied only to directories:

  • (OI): object inherit.
  • (CI): container inherit.
  • (IO): inherit only.
  • (NP): don't propagate inherit.
  • (I): permission inherited from parent container.

Icacls examples

icacls c:\windows\* /save ACLfile /T

Save the ACLs for all files under c:\windows and any of its subdirectories to ACLfile.

icacls c:\windows\ /restore ACLfile

Restore the ACLs for every file within ACLfile that exists in c:\windows, and in any of its subdirectories.

icacls file /grant Administrator:(D,WDAC)

Will grant the user Administrator the Delete and Write DAC permissions to file.

icacls file /grant *S-1-1-0:(D,WDAC)

Grant the user defined by sid S-1-1-0 the Delete and Write DAC permissions to file.