iCACLS - CMD


Overview

The iCACLS command in Windows Command Prompt is used to display or modify Access Control Lists (ACLs) of files and directories. Its primary purpose is to manage file and directory permissions, allowing administrators to control access rights for users and groups. This command is most effective in scenarios involving the automation of permission management, debugging access issues, and securing sensitive information in a Windows environment.

Syntax

The basic syntax of the iCACLS command is as follows:

icacls <FileName> [options]
  • <FileName>: Specifies the file or directory to modify or display ACLs for. Supports wildcards for specifying multiple files.

Variations

icacls <FileName> /grant[:r] <User>:<Permission>
icacls <FileName> /remove[:g] <User>
icacls <FileName> /deny <User>:<Permission>
icacls <FileName> /setowner <Owner>
icacls <FileName> /save <ACLfile> [/t]
icacls <FileName> /restore <ACLfile>

Options/Flags

  • /grant[:r]: Grants the specified user access permissions. Append :r to replace existing permissions instead of adding to them.
  • /remove[:g]: Removes the specified user’s access permissions. Append :g to remove only specified permissions, otherwise all permissions for the user are removed.
  • /deny: Explicitly denies specified permissions for a user, overriding any other permissions.
  • /setowner: Changes the owner of a file or directory to the specified user or group.
  • /save: Saves the ACLs of the specified files and directories to a file.
  • /restore: Applies saved ACLs to files in a directory.
  • /t: Operates on files and directories in the specified directory and all subdirectories.
  • /c: Continues the operation despite any file errors. Error messages will still be displayed.
  • /l: Performs operations on a symbolic link itself rather than its target.

Examples

Grant Read and Write Permissions to a User:

icacls C:\path\to\file.txt /grant JohnDoe:(R,W)

Remove All Permissions for a User:

icacls C:\path\to\folder /remove JaneDoe

Deny Write Access to a User:

icacls C:\path\to\file.txt /deny JohnDoe:(W)

Recursively Save ACLs to a File:

icacls C:\path\to\folder /save C:\acls.txt /t

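Restore ACLs from a File (run against the parent of the folder that was saved, because the saved file records names relative to that parent):

icacls C:\path\to /restore C:\acls.txt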

Common Issues

  • Permission Denied Error: Ensure you are running the command prompt as an administrator to modify ACLs.
  • Syntax Errors: Double-check command syntax, as missing colons or incorrect formatting can cause failures.
  • File Not Found: The specified file or folder might not exist or the path is incorrect. Verify the path’s correctness.

Integration

iCACLS can be integrated with batch scripts to automate the setup or teardown of permissions. For instance, a deployment script can call iCACLS to set the necessary permissions on log directories and files.

Example of a batch script managing permissions:

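@echo off
rem (OI)(CI) make the entry inherit to files and subfolders; (F) is full control.
rem Full control for Users on a program directory lets any local user replace
rem the application's binaries, so grant it this broadly only where intended.
icacls "C:\Program Files\MyApp" /grant Users:(OI)(CI)(F) /t
echo Permissions Set.
pause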
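
A least-privilege variant of the deployment-script integration described above, as an added example that is not part of the original page: it saves the current ACLs with /save, grants Modify on the log directory only, checks the icacls exit code, and rolls back with /restore on failure. The directory C:\ProgramData\MyApp\Logs, the account MyAppSvc and the backup file path are assumptions.

```batch
@echo off
setlocal
rem Added example. The directory, account and backup path are assumptions.
set "PARENT=C:\ProgramData\MyApp"
set "LEAF=Logs"
set "SVC=MyAppSvc"
set "BACKUP=%TEMP%\myapp-logs-acl.txt"

if not exist "%PARENT%\%LEAF%\" (
    echo Log directory "%PARENT%\%LEAF%" not found.
    exit /b 2
)

rem 1. Save the current ACLs of the log directory tree before touching them.
icacls "%PARENT%\%LEAF%" /save "%BACKUP%" /t >nul
if errorlevel 1 (
    echo Could not save the existing ACLs. Nothing was changed.
    exit /b 1
)

rem 2. Grant Modify, not Full control, to one account on the log directory only.
rem    OI and CI make the entry inherit to files and subfolders, so /t is not needed.
icacls "%PARENT%\%LEAF%" /grant "%SVC%:(OI)(CI)(M)"
if errorlevel 1 (
    echo Grant failed. Restoring the saved ACLs.
    rem The saved file stores names relative to the parent, so restore there.
    icacls "%PARENT%" /restore "%BACKUP%"
    exit /b 1
)

rem 3. Print the resulting ACL so the deployment log records what was applied.
icacls "%PARENT%\%LEAF%"
echo Permissions set on "%PARENT%\%LEAF%".
endlocal
```

Run it from an elevated prompt; the script exits with a non-zero code when the directory is missing or when icacls reports an error, so a calling installer can stop the deployment.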

Related Commands

  • CACLS: An older version of iCACLS with fewer features.
  • XCACLS: Adds more features to CACLS, but is not as robust as iCACLS.
  • TAKEOWN: Allows an administrator to take ownership of a file or directory, often used in conjunction with iCACLS.

For additional information, consult the official Microsoft documentation on iCACLS.