SetObjectSecurity - CMD


Overview

The SetObjectSecurity command in Windows CMD is a utility used to modify the security settings of filesystem objects, registry keys, or other system objects. It is primarily used to change Access Control List (ACL) properties, granting or denying user permissions to system resources. It is mainly used in administrative scripts and security management to ensure that access controls are enforced consistently.

Syntax

The basic syntax for using SetObjectSecurity is as follows:

SetObjectSecurity ObjectName Action User Permission
  • ObjectName: The path or name of the object whose security settings you want to change.
  • Action: Either set, to apply new security settings, or remove, to take away the specified permissions.
  • User: Specify the user account that the permissions will apply to.
  • Permission: The type of access to grant or remove (e.g., read, write, full).

Options/Flags

SetObjectSecurity has only a few options, so it is worth knowing exactly what each one does:

  • /R: Recursive change. Applies changes to all sub-objects.
  • /Y: Suppresses confirmation prompts to allow uninterrupted execution.
  • /L: Operates on a symbolic link itself rather than its target.

Examples

Example 1: Setting Full Access

Give user JohnDoe full access to the folder D:\Data:

SetObjectSecurity "D:\Data" set JohnDoe full

Example 2: Removing Write Access

Remove write access for user JohnDoe on D:\Data:

SetObjectSecurity "D:\Data" remove JohnDoe write

Common Issues

  • Permission Issues: Users might encounter permission errors if they don’t have sufficient privileges to change security settings. Running CMD as an administrator can resolve this.
  • Syntax Errors: Incorrect syntax can cause the command to fail or behave unexpectedly. Check the argument order and spelling against the syntax above.
  • Object Not Found: Ensure the path or object name is correct to avoid errors indicating that the object cannot be found.

Integration

SetObjectSecurity can be integrated with other CMD commands or scripts for comprehensive system administration. For example, combining it with icacls for a full permission audit and modification script:

:: Grant permissions, then have icacls check that the ACLs are in canonical form
SetObjectSecurity "D:\Data" set JohnDoe full
icacls "D:\Data" /verify
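
The audit side of that workflow, written with icacls alone, is shown below as an added example that is not part of the original page. It snapshots the ACLs before the change, applies the grant, and then checks the result. D:\Data and JohnDoe come from the examples above; the backup file location is an assumption.

```batch
@echo off
setlocal

:: Values from the page's examples; BACKUP is a hypothetical location.
set "TARGET=D:\Data"
set "ACCOUNT=JohnDoe"
set "BACKUP=%TEMP%\data_acl_backup.txt"

:: 1. Save the current ACLs of the folder and everything below it,
::    so the change can be rolled back if it turns out to be too broad.
icacls "%TARGET%" /save "%BACKUP%" /T /C
if errorlevel 1 goto :backup_failed

:: 2. Grant full control, inherited by subfolders (CI) and files (OI).
icacls "%TARGET%" /grant "%ACCOUNT%:(OI)(CI)F" /C
if errorlevel 1 goto :grant_failed

:: 3. Report any object whose ACL is not in canonical order or whose
::    length does not match its ACE count.
icacls "%TARGET%" /verify /T /C

:: 4. Print the resulting ACL on the folder for the change record.
icacls "%TARGET%"

echo ACL backup kept at %BACKUP%
exit /b 0

:backup_failed
echo ACL backup failed, no changes were made.
exit /b 1

:grant_failed
echo Grant failed, previous ACLs are saved in %BACKUP%
:: Rollback: /restore takes the PARENT of the saved path, because the
:: backup file stores names relative to it:
::   icacls "D:\" /restore "%BACKUP%"
exit /b 1
```

Run it from an elevated prompt. Keeping the /save output with the change ticket gives reviewers the before state to compare against.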

Related Commands

  • cacls: Older command-line tool used to manage ACLs.
  • icacls: Replacement for cacls, used to display or modify discretionary access control lists.

For more details, visit the official Microsoft documentation page for advanced ACL management tools.