icacls – changing permissions on files and folders.

Update – Excellent Post  How to Handle NTFS Folder Permissions, Security Descriptors and ACLshttp://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

I was asked about changing permissions from the root of a drive and all sub-folders.  My immediate reaction was to use the Microsoft tool that replaced cacls – icacls.  Apparently the person that came up with the new name  “must” have just received their new iPad. <g>

I remembered a Technet article from a friend Gregg Shields – http://technet.microsoft.com/en-us/magazine/2009.07.geekofalltrades.aspx

“Setting permissions for the Marketing folder is slightly different. We use the same permissions flow for the Product folder as we did for the subfolders under Finance, but the Restricted folder will be treated a bit differently. Let’s suppose that folder contains highly secret documents that should be seen by only a very few individuals. Your first thought may be, “A-ha! Here, I’ll use the Deny permissions to prevent the wrong users from accessing this folder!”
But keep in mind that the Deny permissions is actually far too powerful a setting for most situations as it automatically overrides every other permission. Therefore, adding the Deny permission to the Marketing Users group for this folder means that any Restricted users who are also Marketing users would be shut out. A more appropriate solution here is to break the inheritance again and simply eliminate all permissions for the Marketing Users group. Thus, the three icacls command lines required to set the permissions for this structure are”

Icacls C:\Shared\Marketing /inheritance:r /grant:r “Finance Users”:(OI)(CI)R /grant:r “File Admins”:(OI)(CI)F

Icacls C:\Shared\Marketing\Product /grant:r “Product Users”:(OI)(CI)M

Icacls C:\Shared\Marketing\Restricted /inheritance:r /grant:r “File Admins”:(OI)(CI)F /grant:r “Restricted Users”:(OI)(CI)M

ALSO see –

The Icacls.exe utility that is included with Windows Server 2003 Service Pack 2 does not support the inheritance bit
Hotfix Download Available

Additionally, you can set the inheritance bit of files or folders by using the updated Icacls.exe utility together with the /inheritance parameter. For more information, see the following sample:
e – enables inheritance
d – disables inheritance and copy the ACEs
r – remove all inherited ACEs

So if you are asking yourself WHAT..?  Like I was, here is some more info on the topic.

“Tim asked me to comment on this question.

You’re on the right path. Funny, but I’m actually about to write a three-part series on icacls for TechTarget.

You need to break the inheritance (/inheritance:r) and then reset the new directly-applied permissions (/grant). The new perms then inherit down because you’re using (OI)(CI), which are “object inherit” and “container inherit”.

So, step one: Break inheritance. Step two: directly set new perm. Step three: Enable inheritance. What’s confusing is that these three steps are all being done in a single line.

Does this help?”

/Greg Shields, MVP – Terminal Services

Tips and Tricks for the Jack-of-all-Trades IT Professional


The “single line” threw me for a but until I realized what he meant was.  In your single command line you need to break the inheritance first then you will apply the permissions you want to grant accordingly.

So for example –

Step 1 is the /inheritance:r

Step 2 is the /grant Domain\username

Step 3 is the (OI)(CI) F

Thus –

icacls pathname /inheritance:r /grant Domain\username (OI)(CI) F

F = full

If there are any other permissions that exist you could also remove those in the same command by using the :r switch after the grant command.

icacls pathname /inheritance:r /grant:r Domain\username (OI)(CI) F

Many Thanks to Gregg Shields.  I highly anticipate his to be released three-part series on icacls for TechTarget.

15 Responses to icacls – changing permissions on files and folders.

  1. I found that you have to put a single quote: ‘ around the group and permissions to get this to work. If not, I got the following error:

    The term ‘OI’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, v
    erify that the path is correct and try again.

    So, icacls contract /grant contracts_mod:(OI)(CI)M actually had to be icacls contract /grant ‘contracts_mod:(OI)(CI)M’

    in order to work.

  2. JRV says:

    And, here, I’m seeing that /Grant:R does not remove existing ACEs. WS2008 R2 SP1 & Win7 SP1.

  3. TWG says:

    @JRV – I’m having the same problem trying to get /grant:r to remove existing permissions on Server 2008 non-R2.

    • Tim Bolton says:

      My apologies, as I stated I am not with that company anymore so I will try to test this in a lab when at all possible. I have found a lot of posts on this issue in the last year. I am not sure if something was deprecated or changed causing this to not work as directed.

      You did break the inheritance (/inheritance:r) and then reset the new directly-applied permissions (/grant) correct?

      Again, since I am no longer with that company I really cannot go back to see if it will work or not as the role I currently have does not allow me access to set these settings on any of our servers.

  4. Tim Bolton says:

    It was just confirmed that YES this still applies…

    Please refer to Greg Shields post here for further information which still applies –


  5. asus77x says:

    using this command and found permission is set for folder user01

    icacls \\myserver\userdata\user01 /inheritance:r /grant mydomain\user01:(OI)(CI)F

    but when create subfolder or files under folder user01, it give access denied. root folder userdata is configured with read permission only for group where user01 as member, when set with write access, other users can view folder user01 contents

    any idea why this happen?

  6. […] icacls – changing permissions on files and folders. « Tim Bolton – MCITP – M… – December 28th ( tags: cacls icacls windows access control list ACL DACLs permissions access control files filesystem ) […]

  7. ITGuy says:

    I have a very daunting challenge in front of me. I have a folder that has 400+ directories, each of those directories has 5 more directories inside.

    I need to remove the “Everyone” group from two of those 5 subdirectories.

    Is there anyway to use a WILDCARD such as * to specify ALL folders within a specified directory need to be recursively handled?

    For example:

    Icacls.exe E:\Data\Jobs\Year\*\Correspondence /inheritance:r /grant:r DOMAIN\Everyone (OI)(CI) F

    Notice that I have a * before the Correspondence directory to specify that multiple folders have a Correspondence folder within them and they all need to have the Everyone group removed from their respective Correspondence subdirectories.

    Will this command work?

    If not, is there any simple straight forward way to accomplish this?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: