Access List, Microsoft Windows, Security

Modify access control lists on specified files through cmd

Icacls displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.



Parameter Description
<FileName> Specifies the file for which to display DACLs.
<Directory> Specifies the directory for which to display DACLs.
/t Performs the operation on all specified files in the current directory and its subdirectories.
/c Continues the operation despite any file errors. Error messages will still be displayed.
/l Performs the operation on a symbolic link versus its destination.
/q Suppresses success messages.
[/save <ACLfile> [/t] [/c] [/l] [/q]] Stores DACLs for all matching files into ACLfile for later use with /restore.
[/setowner <Username> [/t] [/c] [/l] [/q]] Changes the owner of all matching files to the specified user.
[/findSID <Sid> [/t] [/c] [/l] [/q]] Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID).
[/verify [/t] [/c] [/l] [/q]] Finds all files with ACLs that are not canonical or have lengths inconsistent with ACE (access control entry) counts.
[/reset [/t] [/c] [/l] [/q]] Replaces ACLs with default inherited ACLs for all matching files.
[/grant[:r] <Sid>:<Perm>[…]] Grants specified user access rights. Permissions replace previously granted explicit permissions.

Without :r, permissions are added to any previously granted explicit permissions.

[/deny <Sid>:<Perm>[…]] Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
[/remove[:g|:d]] <Sid>[…]] [/t] [/c] [/l] [/q] Removes all occurrences of the specified SID from the DACL.

:g removes all occurrences of granted rights to the specified SID.

:d removes all occurrences of denied rights to the specified SID.

[/setintegritylevel [(CI)(OI)]<Level>:<Policy>[…]] Explicitly adds an integrity ACE to all matching files. Level is specified as:

  • L[ow]
  • M[edium]
  • H[igh]

Inheritance options for the integrity ACE may precede the level and are applied only to directories.

[/substitute <SidOld> <SidNew> […]] Replaces an existing SID (SidOld) with a new SID (SidNew). Requires the Directory parameter.
/restore <ACLfile> [/c] [/l] [/q] Applies stored DACLs from ACLfile to files in the specified directory. Require



To save the DACLs for all files in the C:Windows directory and its subdirectories to the ACLFile file, type:

icacls c:windows* /save aclfile /t

To restore the DACLs for every file within ACLFile that exists in the C:Windows directory and its subdirectories, type:

icacls c:windows /restore aclfile

To grant the user User1 Delete and Write DAC permissions to a file named “Test1”, type:

icacls test1 /grant User1:(d,wdac)

To grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to a file, named “Test2”, type:

icacls test2 /grant *S-1-1-0:(d,wdac)