ICACLS

(from Integrity Change Access Control Lists)

ICACLS is a command-line tool for displaying and modifying NTFS permissions (access control lists) on files and directories. It was introduced in Windows Vista as the replacement for CACLS and adds more advanced features, in particular the ability to manage integrity levels.

Syntax to store the DACLs (discretionary access control lists) of the files and directories matching names for later use with /RESTORE; owners, integrity labels and SACLs (system access control lists) are not saved:

ICACLS names /SAVE acl_file [/T] [/C] [/L] [/Q]

Where (see below):

  • names - Specifies one or more files or directories for which you want to save DACLs.
  • /SAVE acl_file - Specifies the name of the file in which to store DACLs associated with names.

Syntax to apply stored DACLs to files and subdirectories in the specified directory:

ICACLS directory [/SUBSTITUTE old_sid new_sid [...]] /RESTORE acl_file [/C] [/L] [/Q]

Where (see below):

  • directory - Specifies the directory whose files and subdirectories the stored DACLs are applied to.
  • /SUBSTITUTE old_sid new_sid [...] - Replaces the security ID old_sid with new_sid in the DACLs being restored.
  • /RESTORE acl_file - Specifies the name of the file in which the DACLs are stored.
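The save-and-restore cycle described above, written out as a PowerShell script. This is an added example, not part of the original page: the share paths, the backup file name and the two SIDs handed to /SUBSTITUTE are constructed placeholders.

```powershell
# Added example (not from the original page): back up the DACLs of a share tree
# and restore them elsewhere, remapping one SID on the way. Every path and SID
# below is a constructed placeholder.
$Source  = 'D:\Shares\Projects'
$AclFile = 'C:\Backup\Projects-dacl.txt'   # keep this outside the tree being saved

# 1. Save the DACLs of everything under $Source. /T recurses, /C continues past
#    objects that cannot be read (the errors are still printed), /Q suppresses the
#    per-object success lines. Owners, SACLs and integrity labels are not saved.
icacls "$Source\*" /save $AclFile /T /C /Q
if (-not (Test-Path -LiteralPath $AclFile) -or (Get-Item -LiteralPath $AclFile).Length -eq 0) {
    throw "no DACL data was written to $AclFile"
}

# icacls writes the file as Unicode text: one line with the object's path,
# relative to the directory whose contents were saved, followed by one line
# with its DACL in SDDL form. The first record is shown as a sanity check.
Get-Content -LiteralPath $AclFile -Encoding Unicode | Select-Object -First 2

# 2. Restore on the destination tree. The local group that owns the data has a
#    different SID on the destination host, so /SUBSTITUTE rewrites the old SID
#    with the new one as each DACL is applied. Numeric SIDs carry a leading *.
$Dest   = 'E:\Shares\Projects'
$OldSid = '*S-1-5-21-1111111111-2222222222-3333333333-1001'   # placeholder
$NewSid = '*S-1-5-21-4444444444-5555555555-6666666666-1001'   # placeholder
icacls $Dest /substitute $OldSid $NewSid /restore $AclFile /C /Q
```

Because the saved paths are relative, /RESTORE must be pointed at the directory that plays the same role as the one whose contents were saved. A /SAVE taken immediately before any /GRANT, /DENY or /INHERITANCE change is also the cheapest rollback point you can have; just remember that owners and integrity labels are outside its scope and have to be re-applied with /SETOWNER and /SETINTEGRITYLEVEL.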

 

Syntax to change the owner for matching names, without forcing the owner change:

ICACLS names /SETOWNER user [/T] [/C] [/L] [/Q]

Where (see below):

  • names - Specifies one or more files or directories whose owner you want to change.
  • /SETOWNER user - Specifies the username of the new owner.


Syntax to find all matching names that contain an ACL (access control list) associated with a specified SID (security identifier):

ICACLS names /FINDSID sid [/T] [/C] [/L] [/Q]

Where (see below):

  • names - Specifies one or more files or directories to scan.
  • /FINDSID sid - Specifies the SID whose access control entries you want to find.


Syntax to find all files whose ACLs are not in canonical form or whose lengths are inconsistent with the number of access control entries:

ICACLS names /VERIFY [/T] [/C] [/L] [/Q]

Where (see below):

  • names - Specifies one or more files or directories on which to perform the operation.
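The two audit functions above, /FINDSID and /VERIFY, combined into one PowerShell script. This is an added example and not code from the original page: the root path is a constructed placeholder, the "orphaned" SID stands in for the SID of an account that no longer exists, and the "SID Found: <path>." line shape that the script filters on is an assumption about icacls output.

```powershell
# Added example (not from the original page): locate every object under a tree
# whose ACL still references a given SID, then check ACL integrity with /verify.
# $Root is a constructed placeholder; the second SID is a placeholder for an
# account that has been deleted and therefore no longer resolves to a name.
$Root = 'D:\Shares'

$SidsToHunt = [ordered]@{
    'Everyone (well-known)'      = '*S-1-1-0'
    'deleted account (orphaned)' = '*S-1-5-21-1111111111-2222222222-3333333333-1234'  # placeholder
}

foreach ($entry in $SidsToHunt.GetEnumerator()) {
    # /findsid takes the numeric SID with a leading asterisk (a name also works).
    # Assumed output shape: one "SID Found: <path>." line per matching object.
    $hits = icacls $Root /findsid $entry.Value /T /C /Q 2>$null |
        Where-Object { $_ -match '^SID Found:' } |
        ForEach-Object { ($_ -replace '^SID Found:\s*', '').TrimEnd('.') }
    "{0}: {1} object(s) carry an ACE for {2}" -f $entry.Key, @($hits).Count, $entry.Value
    $hits | ForEach-Object { "    $_" }
}

# /verify flags ACLs that are not in canonical order (explicit deny, explicit
# allow, inherited deny, inherited allow) or whose length disagrees with their
# ACE count. Both are symptoms of something writing raw security descriptors
# rather than going through the Windows APIs. /Q drops the per-object success
# lines, so whatever remains in the output deserves a look.
icacls $Root /verify /T /C /Q
```

Hunting for an orphaned SID is the typical clean-up after an account is removed: the ACEs survive the deletion and show up in listings as a bare *S-1-5-21-... string, and /FINDSID is the quickest way to enumerate where they are before removing them with /REMOVE.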

 

Syntax to restore the default inherited ACLs on all matching files:

ICACLS names /RESET [/T] [/C] [/L] [/Q]

Where (see below):

  • names - Specifies one or more files or directories on which to perform the operation.


Syntax to set or change access rights (i.e. permissions or authorizations) for specified files:

ICACLS names [/GRANT[:R] sid:perm [...]] [/DENY sid:perm [...]] [/REMOVE[:G|:D] sid [...]] [/T] [/C] [/L] [/Q] [/SETINTEGRITYLEVEL [(CI)][(OI)]level] [/INHERITANCE{:E|:D|:R}]

Where (see below):

  • names - Specifies one or more files or directories for which to manipulate access rights.
  • /GRANT[:R] sid:perm [...] - Specifies one or more security IDs associated with users and the permissions to grant in the ACL. With :R, the permissions replace any previously granted permissions. By default, new permissions are added to the old ones.
  • /DENY sid:perm [...] - Specifies one or more security IDs associated with users and the permissions to deny. An explicit deny access control entry is added for the denied permission (a denial is not the mere absence of a grant).
  • /REMOVE[:G|:D] sid [...] - Specifies one or more security IDs associated with the users whose permissions in the ACL you want to revoke. :G refers to granted permissions and :D refers to denied permissions.
  • /SETINTEGRITYLEVEL [(CI)][(OI)]level - Adds an integrity access control entry (mandatory label) to all matching files. Instead of level, specify:
    • L - Low;
    • M - Medium;
    • H - High.
    (CI) and (OI) are the directory inheritance flags described below under perm.
  • /INHERITANCE{:E|:D|:R} - Changes how the object inherits access control entries from its parent directory:
    • :E - Enable inheritance;
    • :D - Disable inheritance and copy the inherited access control entries as explicit ones;
    • :R - Disable inheritance and remove all inherited access control entries instead of copying them.
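
The /INHERITANCE, /REMOVE, /GRANT and /SETINTEGRITYLEVEL switches above applied in sequence to lock down a directory. This is an added example, not code from the original page: the directory path and the service account name are constructed placeholders, and the order of steps (take a /SAVE, cut inheritance while keeping copies, strip broad groups, then add the explicit grants) is this editor's recommended sequence, not something the page prescribes.

```powershell
# Added example (not from the original page): restrict an application's
# configuration directory to Administrators, SYSTEM and one service account,
# then label it so non-elevated processes cannot write to it. $AppDir and
# $SvcAcct are constructed placeholders.
$AppDir  = 'D:\App\Config'
$SvcAcct = 'NT SERVICE\MyAppSvc'   # placeholder virtual service account

# 0. Rollback point: DACLs only (owners and labels are not part of the save).
icacls $AppDir /save "$env:TEMP\Config-dacl.bak" /T /C /Q

# 1. Stop inheriting from the parent. :d copies the inherited ACEs onto the
#    directory as explicit ones, so nothing changes yet; :r would drop them and
#    leave the directory reachable only by its owner until grants are added.
#    Only the top directory needs this; the children keep inheriting from it.
icacls $AppDir /inheritance:d

# 2. Remove the broad groups that came along with the copied ACEs. /remove
#    without :g or :d removes both granted and denied entries for the SID.
icacls $AppDir /remove 'BUILTIN\Users' 'Authenticated Users' 'Everyone' /T /C /Q

# 3. Explicit grants. (OI)(CI) makes each ACE flow to files and subdirectories
#    created later. :r on the first grant replaces any prior explicit ACEs for
#    Administrators rather than adding to them. SYSTEM is given by SID (*S-1-5-18)
#    to show the numeric form; the others by name.
icacls $AppDir /grant:r 'BUILTIN\Administrators:(OI)(CI)F' /T /C /Q
icacls $AppDir /grant    '*S-1-5-18:(OI)(CI)F' /T /C /Q
icacls $AppDir /grant    "${SvcAcct}:(OI)(CI)RX" /T /C /Q

# 4. Mandatory label. With a High label, medium-integrity processes (every
#    non-elevated session, including an administrator's) cannot write here;
#    elevated processes and services can. This is a label, not a DACL entry,
#    so /save and /restore will not carry it.
icacls $AppDir /setintegritylevel '(OI)(CI)H' /T /C /Q

# 5. Read the result back and confirm no Users/Everyone/Authenticated Users ACE remains.
icacls $AppDir
```

Two practical checks after a change like this: run the listing with /T to confirm that every child now shows the new ACEs with the (I) flag rather than leftover explicit ones, and test the service account's access with the service itself before relying on the result, since a grant of RX to the directory does not help a service that also needs to write a cache or lock file somewhere beneath it.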

For all ICACLS functions the SID can be given in numeric form or as an account name; the numeric form must be prefixed with an asterisk (*). Additionally:

  • /T - Extends the operation to all files and subdirectories in the specified directories.
  • /C - Continues the operation even if errors occur, which will still be displayed.
  • /L - Performs the operation on the symbolic link rather than the file or directory it refers to.
  • /Q - Hides messages about successful operations.
  • perm - Permission mask, which can be written in either of two forms.
    Sequence of simple access rights (basic permissions):
    • N - No permission;
    • F - Full access;
    • M - Modify permission;
    • RX - Read and execute permission;
    • R - Read permission;
    • W - Write permission;
    • D - Delete permission.
    Comma-delimited list of specific access rights in parentheses (advanced permissions):
    • DE - Delete;
    • RC - Read control (read the DAC, i.e. read the permissions);
    • WDAC - Write DAC (change the permissions);
    • WO - Write owner (take ownership);
    • S - Synchronization;
    • AS - Access system security;
    • MA - Maximum rights that can be granted;
    • GR - Generic read;
    • GW - Generic write;
    • GE - Generic execution;
    • GA - All generic access rights;
    • RD - Reading data/directory list;
    • WD - Writing data/adding files;
    • AD - Adding data/adding subdirectories;
    • REA - Reading extended attributes;
    • WEA - Writing extended attributes;
    • X - Execution/Transit (the latter is the right to traverse/open the directory);
    • DC - Deleting children (i.e. deleting subdirectories and files, if their attributes allow it);
    • RA - Reading attributes;
    • WA - Writing attributes.
    Both forms can be preceded by inheritance rights, applicable only to directories:
    • (OI) - Object inheritance: Objects in this container will inherit this access control entry;
    • (CI) - Container inheritance: Containers within this container will inherit this access control entry;
    • (IO) - Inheritance only: Access control entries are inherited from the parent container, but are not applied to the object itself;
    • (NP) - Do not propagate inheritance: Access control entries for containers and objects are inherited from the parent container, but do not propagate to nested containers;
    • (I) - Permission inherited from parent container.

Note that the command preserves the canonical ordering of access control entries: explicit denials, explicit permissions, inherited denials, inherited permissions.
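
The permission codes and inheritance flags listed above are what icacls prints back when it lists an object, so they can be parsed. Below, as an added example that is not part of the original page, is a PowerShell function that lists every object under a directory with icacls and reports the ACEs that give a broad principal write-level rights. It assumes the listing shape "<path> <account>:<flags>(<perm>)" with one indented line per further ACE and "(DENY)" marking deny entries, and the root path in the usage line is a constructed placeholder.

```powershell
# Added example (not from the original page): list every object under a
# directory with icacls and flag ACEs that grant write-level rights to broad
# principals. Assumed icacls listing shape: "<path> <account>:<flags>(<perm>)"
# followed by one indented line per additional ACE, e.g.
#   D:\x BUILTIN\Users:(I)(OI)(CI)(RX)
#        Everyone:(I)(OI)(CI)(M)
function Get-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Root)

    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
               'NT AUTHORITY\INTERACTIVE', '*S-1-1-0', '*S-1-5-11', '*S-1-5-32-545')
    # Simple rights that include writing, plus the advanced rights that let a
    # principal change, remove or re-permission the object (see the perm list).
    $writeRights = @('F', 'M', 'W', 'D',
                     'WD', 'AD', 'DC', 'DE', 'WDAC', 'WO', 'WA', 'WEA', 'GA', 'GW')

    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $path = $item.FullName
        # icacls echoes the path exactly as given, so the first line is "<path> <ace>"
        # and the path prefix can be stripped by length; later lines are just ACEs.
        $lines = icacls $path 2>$null | Where-Object { $_ -match ':\(' }
        foreach ($line in $lines) {
            $ace = if ($line.StartsWith($path)) { $line.Substring($path.Length).Trim() } else { $line.Trim() }
            if ($ace -notmatch '^(?<account>[^:]+):(?<flags>(?:\([^)]*\))+)$') { continue }
            $account = $Matches.account
            # Groups look like (I)(OI)(CI)(DENY)(M) or (I)(RD,WD,X): the last group
            # is the rights, the earlier ones are inheritance and deny markers.
            $groups  = @([regex]::Matches($Matches.flags, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
            $rights  = $groups[-1] -split ','
            if ($groups -contains 'DENY') { continue }          # deny ACEs narrow access
            if ($broad -notcontains $account) { continue }      # -contains is case-insensitive
            if (-not @($rights | Where-Object { $writeRights -contains $_ })) { continue }
            [pscustomobject]@{
                Path      = $path
                Account   = $account
                Rights    = $groups[-1]
                Inherited = ($groups -contains 'I')   # fix at the parent, not here
            }
        }
    }
}

# Usage (placeholder path): every row is a location that ordinary users can modify.
Get-BroadWriteAces -Root 'D:\Shares\Public' | Format-Table -AutoSize
```

The Inherited column is the important one when acting on the findings: an inherited ACE (flag (I)) is fixed once at the directory it comes from, while an explicit one has to be removed on the object itself, and removing it on the children without fixing the parent only lasts until the next inheritance propagation.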

Examples:

1. Save the ACLs for all files in the path C:\muzic and its subdirectories in the file pippo9.

icacls C:\muzic\* /save pippo9 /t


2. Restore the ACLs of the files listed in pippo9 that exist under C:\muzic and its subdirectories.

icacls c:\muzic\ /restore pippo9


3. Grant the GalacticMegadirector user DAC write and delete rights to the megacompany.txt file.

icacls megacompany.txt /grant GalacticMegadirector:(DE,WDAC)


Further information:

You can quickly find your username from the USERNAME environment variable (see ECHO):

echo %username%
