The icacls syntax is actually pretty straightforward and relatively easy to learn. Basically, you use the command, then add the file or folder you want to check or manipulate, and then the permission(s) you want to add/change/delete.
Well, as you can see from my example above and screenshot, you certainly can use PowerShell to use the icacls command. You only need to be aware of some environment variables that need to be referenced a little differently.
{ Creating Directories, ACLs, and using the icacls command}
The most intriguing aspect of icacls to me is the robustness of being able to script with this command complicated projects. And, again, not having to worry about the reliability of File Explorer in case it runs into an error, it crashes, things like that.
Not adding the :r, means that permissions are added to any previously granted explicit permissions.[/deny :[...]]Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.[/remove[:g :d]] [...] [/t] [/c] [/l] [/q]Removes all occurrences of the specified SID from the DACL. This command can also use::g - Removes all occurrences of granted rights to the specified SID.
:d - Removes all occurrences of denied rights to the specified SID.[/setintegritylevel [(CI)(OI)] :[...]]Explicitly adds an integrity ACE to all matching files. The level can be specified as:l - Low
m- Medium
h - High
Inheritance options for the integrity ACE may precede the level and are applied only to directories.[/substitute [...]]Replaces an existing SID (sidold) with a new SID (sidnew). Requires using with the parameter./restore [/c] [/l] [/q]Applies stored DACLs from to files in the specified directory. Requires using with the parameter./inheritancelevel: [e d r]Sets the inheritance level, which can be:e - Enables inheritance
d - Disables inheritance and copies the ACEs
r - Disables inheritance and removes only inherited ACEs
RemarksSIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.
Before you configure Windows ACLs, you must first mount the file share by using your storage account key. To do this, log into a domain-joined device, open a Windows command prompt, and run the following command. Remember to replace , , and with your own values. If Z: is already in use, replace it with an available drive letter. You can find your storage account key in the Azure portal by navigating to the storage account and selecting Security + networking > Access keys, or you can use the Get-AzStorageAccountKey PowerShell cmdlet.
There are times that a user cannot access or modify a file or folder, and one of the reasons would be a lack of user permissions on the object. The icacls command is a command line utility executed to view or modify a file or folder permissions on the Windows file system.
The icacls command can set many granular permissions in file or folder properties in the advanced security settings page. These permissions include allowing or denying specific rights, along with basic read/write permissions.
Perhaps you want to see the existing permissions on a file or folder. If so, a basic icacls command syntax command would suffice. To demonstrate, create a folder and then run icacls to view its permissions, as shown below.
Disable inheritance on this file with icacls by running the command below using the inheritance parameter. The command below is specifying the d argument that disables inheritance and converts inheritance to explicit permissions.
The command below grants full permission (F) to the user (user02) on mydemo folder. But since no inheritance options are specified, icacls grants full permission to the mydemo folder only. Without a specified inheritance option, the default option (OI) will be applied automatically.
The most common task for an admin is to modify the permissions of various objects. The file explorer's Security tab works fine for adjusting a few permissions, but changing a lot of permissions using the file explorer is monotonous and eventually becomes tedious if you happen to do it on a regular basis. What if you could use a built-in command line tool to do that job for you? The icacls utility is built into Windows to help you.
In this article, you will learn how to manage file and folder permissions with the help of icacls. Before diving into the icacls command directly, you should be aware of certain things related to permissions and security in Windows.
The letters in parentheses indicate the short notation you will use with the icacls command when setting a particular permission. For example, to grant test.user a write permission on file1.txt, you will use icalcs as shown below:
Again, the letters in parentheses indicate the short notation you will use with the icacls command when setting permissions with inheritance. You can see that most inheritance attributes apply only to directories. You will learn more about permission types and how inheritance works later in this guide.
In the last example, we saw that the directory name RnD was accessible to SYSTEM, Administrators, and Users only. Anyone else who tries to access this directory will be denied access, since implicit deny is the default behavior of an ACL. If you want to add the special identity Everyone to this ACL and then grant them a Read permission recursively, you can use the icacls command, as shown below:
Note that using special identities, such as Everyone, Authenticated Users, Network Service, etc., with the icacls command only works if the system language is set to English. If you're working on a non-English system, use the SID format to specify such special identities. So, on a non-English system, the above command needs to be used as shown below:
To grant or deny advanced permissions, the syntax of the icacls command is slightly different. For instance, if you want to give the Auditors group the ability to write NTFS permissions, you need to give that group the Write DAC (WDAC) permission. To do that, use the following command:
This happened because we had not yet set the RnD parent directory with inheritable permissions. The /t option is only useful for setting permissions on objects that already exist. But what about objects such as files or directories that will be created in the future? The permissions for such objects will be handled by inheritance. By default, when an ACE is set with the OI permission, it is applied to the files in the directory but not to the subdirectories. In the same way, the ACE set with the CI permission is applied to the subdirectories, but not to the files. Therefore, to obtain a combined result, we need to use both the OI and CI permissions together. Take a look at the following command:
To remove a permission from a user (or group), you just have to remove the corresponding ACE from the object's ACL. Don't forget to disable the inheritance from that object beforehand (if the target is a directory). For instance, to remove the Everyone identity from the dir3 directory, we will use the icacls command, as shown below:
However, if you still want to define a deny permission explicitly, icacls allows you to do that, too. For example, to deny Full Control to the Developers group on the HR directory containing the important records of all the employees, use the following command:
There are situations in which you might want to reset the permissions to default. For example, a junior admin messed up the permissions on a program's directory, which broke its functionality, or a malware attack corrupted the ACL of an important directory. In such cases, you could use icacls with the /reset parameter to reset the permissions to the default. The following command shows how to reset permissions:
One of the coolest features of the icacls command is its ability to export the ACL of an object to a file and then use that backup file to import the ACL back to restore the permissions. This feature is loved by most admins, since it makes the monotonous task of setting permissions very easy. Whenever you have to do a bulk permission change on huge directories, it is recommended to back up the existing permissions with the help of the icacls command so that if something goes wrong, you can restore the permissions.
If you take a closer look, the error itself indicates that icacls is looking for a C:\RnD\RnD directory, which doesn't exist. So, you got an error stating, 'The system cannot find the file specified.' If you open the ACL backup file in a text editor, you will notice that there are references for the relative path to the RnD directory itself. Therefore, you need to carefully type the directory path when using the /restore parameter.
Furthermore, the target directory where you restore the ACL does not necessarily need to be the same. With icacls, you can save the ACL of a container and then restore that ACL to a different container. The following screenshot shows how to do this.
Another important feature you get while restoring the ACL with the icacls command is the /substitute parameter. As the name suggests, you can use this parameter to replace a user (group or SID) with another user. Let's understand this with the help of an example.
Suppose you have a backup of an ACL for a really big file server share. You are going to import the permissions back using the /restore parameter. The problem is that the backup file is slightly old, and it has a grant ACE for an old admin user, John, who is no longer working in the organization. He is now replaced with a new admin user, Mike. The good news is that you can use /restore along with the /substitute parameter to replace John with the new user, Mike, on the fly while restoring the permissions using the icacls command. Since the file shares can be really big, you won't have to spend extra time replacing the outdated users after the ACL is restored. The following command shows how to do this: 2ff7e9595c
Comments