Icacls: The Ultimate Guide in Managing File Permissions

Published:11 August 2021 - 12 min. read

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

If you’re checking and changing file permissions via something like Windows File Explorer, you must click around and open/change permissions for each file and folder. This approach is fine if you need to modify a permission or two. But perhaps you want to determine and change permissions for a hundred files or more in a folder. Let the icacls command be the solution.

In this tutorial, you will learn everything about how the icacls command allows you to read, save, restore file and folder permissions.

Let’s get started!

Prerequisites

This tutorial comprises step-by-step instructions. To follow along, be sure you have the following in place:

Learning What icacls Command is and How it Works

There are times that a user cannot access or modify a file or folder, and one of the reasons would be a lack of user permissions on the object. The icacls command is a command line utility executed to view or modify a file or folder permissions on the Windows file system.

But before you get into changing file and folder permissions with the icacls command, you must first understand Access Control Lists (ACL). In this context, an ACL contains a list of a user or a group’s permissions on an object within the NTFS file system.

Each entry in an ACL is called an Access Control Entry (ACE). ACEs contain permissions and details about how child objects inherit these permissions. NTFS permissions are in place to protect systems from unauthorized access.

The icacls command can set many granular permissions in file or folder properties in the advanced security settings page. These permissions include allowing or denying specific rights, along with basic read/write permissions.

To see a file or folder’s advanced permissions:

1. Open File Explorer, right-click on a file or folder, and choose Properties from the context menu.

Accessing File or Folder Properties
Accessing File or Folder Properties

2. Click on the Security tab —> Advanced to access the file or folder’s advanced security settings.

Accessing Advanced Security Settings
Accessing Advanced Security Settings

In the advanced view, you’ll see a Permissions tab along with each ACE that makes up the ACL for that file system object.

3. Double-click on any ACE in the list to bring up the Permission Entry dialog box.

Viewing Permissions of a Permission Entry
Viewing Permissions of a Permission Entry

4. Now, click on the Show advanced permissions link to dive deep into all of the individual permissions set on that object.

Viewing Basic Permissions
Viewing Basic Permissions

Below, you can see all the advanced permissions to grant or deny a user ID for a file or folder.

Viewing Advanced Permissions
Viewing Advanced Permissions

Running the Basic icacls Command Syntax

Now that you understand all of the clicking involved to view and change file/folder permissions let’s now learn how to use the command-line using the icacls command.

The icacls command accepts many switches and parameters to change file and folder permissions successfully, but let’s start with running a basic icacls command syntax.

Open a command prompt and enter the icacls command as-is to see its default output. You can see below the icacls command’s help information with all the switches, and parameters are displayed by default.

Viewing icacls command's default output
Viewing icacls command’s default output

Perhaps you want to see the existing permissions on a file or folder. If so, a basic icacls command syntax command would suffice. To demonstrate, create a folder and then run icacls to view its permissions, as shown below.

# Make a new folder named Folder1
md Folder1

# Checking permissions of the folder named Folder1
icacls Folder1

icacls returns the ACL assigned to the object; in this case, the Folder folder includes all of the ACEs inside. Below, you can see that BUILTIN\Administrators and NT AUTHORITY\SYSTEM user IDs have full (F) permissions with the object inheritance (OI) and container inheritance (CI).

The BUILTIN\Users user ID, on the other hand, indicates the local user group on the PC has object inheritance (OI) and container inheritance (CI) enabled, along with the read and execute access. (RX)

Lastly, the two NT AUTHORITY\Authenticated Users user IDs indicate that the authenticated users group has modify-level (M) access with object inheritance (OI) and container inheritance (CI) enabled.

Viewing folder permissions with Icacls command
Viewing folder permissions with Icacls command

Saving and Restoring Files and Folders’ ACLs

Changing file and folder permissions is a sensitive task; one wrong move could mess up user access or group access. The good news is that the icacls command allows you to save an ACLfile. An ACL File contains your files and folders’ ACLs.

To demonstrate how to save and restore ACLs, let’s first create a folder called C:\Temp\Folder1 and save all permissions for that folder by running the commands below.

1. Run the icacls command below to recursively (/T) back up your files and folder’s ACLs (c:\Temp\Folder1) and save (/save) them in a file (C:\Folder1ACL).

# Make a new folder named Folder1
md c:\Temp\Folder1

# Save folder1's permissions to a file named Folder1ACL
icacls c:\Temp\Folder1 /save c:\Folder1ACL /T

Below, you can see that you’ve created a new folder and successfully saved that folder’s ACLs in an ACL File. Confirm that the ACL file (Folder1ACL) exists by running the dir command.

Saving folder permissions to an ACL file with the icacls command
Saving folder permissions to an ACL file with the icacls command

2. Now, access Folder1’s advanced security settings, as you did previously. Below, add a new user to the folder permissions by clicking on the Add button.

Adding New User to Folder's Permissions
Adding New User to Folder’s Permissions

3. Select a user or group to add to Folder1’s permissions by clicking on the Select a principal option below. Type the user or group ID to add in the pop-up window and click on Check Names. When the user or group ID is found, click OK.

Selecting User or Group ID to Add to the Folder1's Permissions
Selecting User or Group ID to Add to the Folder1’s Permissions

4. Grant the new user full permissions to Folder1 by checking on the Full control option and click OK.

Granting Full Permission to the New User
Granting Full Permission to the New User

Below, you can see that User02 is added to Folder1’s permissions and granted full permissions.

Displaying Added User with Full Permissions to Folder1
Displaying Added User with Full Permissions to Folder1

5. Now that you’ve changed the folder’s permissions restore the original permissions using the ACL file you saved earlier.

In the command below, you’re restoring (/restore) Folder1’s ACLs that you saved in a File (Folder1ACL) located in the directory (c:\).

icacls c:\Temp\ /restore c:\Folder1ACL
Restoring folder permissions
Restoring folder permissions

6. Finally, confirm whether the original permissions were restored or not by accessing Folder1’s advanced security settings.

Below, you can see that the Usre02 you previously added was removed, indicating that the original permissions in the ACL file are restored.

Displaying restored permissions for Folder1
Displaying restored permissions for Folder1

Granting User Permissions to a File and Folder

From learning the icacls command’s basic syntax, it’s time to set up some basic permissions to a file and folder. The icacls command allows you to grant, deny or remove permissions from a file or folder via switches. Let’s cover how these switches are used.

Perhaps you’re unable to access or modify a file or folder. In that case, you can grant the user the appropriate permission with the /grant switch.

Below, the command will grant (/grant) full permissions (F) to a user (user01) on the myfile.txt file.

In place of the userid (user01), an Active Directory (AD) or local group name also works.

icacls myfile.txt /grant user01:F

Granting permissions to a user on a folder is different from how you grant permission on a file.

Below, the command will grant (/grant) read permissions (R) to a user (user01) on the MyFolder folder.

icacls Folder1 /grant user01:R
Displaying grant switch output in icacls command
Displaying grant switch output in icacls command

The icacls command also allows you to set special permissions to a file or folder. Below, you’re granting (/grant) delete (D) and read data/list directory (RD) permissions to a user (user01) on a folder (Folder1).

icacls Folder1 /grant user02:(D,RD)

When you use special permissions (like RD, as shown below), you must enclose them in parentheses.

Displaying grant switch output with advanced parameters
Displaying grant switch output with advanced parameters

Denying User Permissions to a File and Folder

There may be a case where you want to explicitly deny access to a user or group to a file or folder. You can do this with /deny switch.

Deny full permissions for a single user on a file and a folder with the following commands. The commands below will ensure user01 cannot access the MyFile.txt file and MyFolder folder.

# Deny (/deny) full permissions (F) for a user (user01) on a file (MyFile.txt)
icacls MyFile.txt /deny user01:F

# Deny (/deny) full permissions (F) for a user (user01) on a folder (MyFolder)
icacls MyFolder /deny user01:(F)

Removing User Permissions to a File and Folder

Perhaps you want to remove all permissions a user currently has on a file or folder. In that case, use the /remove switch together with the icacls command.

The commands below are removing all permissions from user01 on a file and folder. When the commands are complete, user01 can’t access or modify both the myfile.txt text file and the folder named Folder1 anymore.

# Removing all user01's permissions from myfile.txt
icacls myfile.txt /remove user01

# Removing all user01's permissions from Folder1
icacls Folder1 /remove user01

Securing Files and Folders with Integrity Levels

Along with permissions, all the objects in Windows like files, folders, registry keys, running processes, and user sessions are included with an integrity level.

You can apply an integrity level to any object that has a security descriptor. Even though a user has full permissions on a file or folder, an integrity level can set more restrictive permissions for less trustworthy objects.

See the list of integrity levels you can set to a Windows object in the table list below.

Integrity Level NameExplanationExample
UntrustedProcesses that are launched automatically are marked as Untrusted.Apps like Edge and chrome launch their update processes automatically. They are marked as untrusted.
LowVery restricted integrity level. Processes with low integrity level cannot write to registry and they have very limited access on files and folders.Internet Explorer in protected mode has low integrity level.
MediumThis is the integrity level that most of the objects will have. Standard or non-admin users get this medium integrity level. Also objects that are not marked as low or high will be in medium integrity level by default.
HighAdmins have the high integrity level by default. With this admins can interact with other objects with high integrity levels and objects with medium and low integrity levels.Processes started with “Run as Administrator” option or elevated.
SystemThis integrity level is assigned to windows OS files and core services.Windows Services that run under local service, network service or NT authority\system.
InstallerInstaller integrity level is highest of all other integrity levels. Objects that has installer integrity level can also uninstall other objects as they are almost equal to High integrity level.

Perhaps you’re curious to see which integrity level is set to each running Windows process on your computer. If so, launch Microsoft Process Explorer, right-click on any column header, and click on Select Columns, as shown below.

Now, add the Integrity column in the table list by checking on the Integrity Level option inside the Select Columns pop-up window, then click OK.

Notice that the Integrity column will appear in the right-most part of the process table list, where you’ll see each of the process’ integrity levels.

Viewing Processes' Integrity Levels
Viewing Processes’ Integrity Levels

Restricting Non-Admin Users to Modify a File or Folder

Set a high integrity level on a file or folder when you’d like to restrict other users from modifying a file or folder, set a high integrity level on that file or folder. Only administrators can access and modify files and folders with high integrity levels.

Let’s see how the icacls command sets integrity level in action.

1. Create a text file in the current directory, and set the file’s integrity level to high with the following commands.

# Create a text file named demo.txt in the current directory
echo . > demo.txt

# Run icacls command to set the text file's (demo.txt) integrity level to high (H)
icacls demo.txt /setintegritylevel H
Changing integrity level for a file
Changing integrity level for a file

2. Verify the file’s integrity level by running the following command. Below, you can see that you have full access to the file, but the file’s integrity level is set to high.

icacls demo.txt
Verifying File's Integrity Level
Verifying File’s Integrity Level

3. Now test the integrity level of the file by switching to a non-admin account on your PC, then add text to the text file with the following command.

echo "Adding text to demo file" >> demo.txt

Notice that you’ll get an error message saying Access is denied. Even though you have full access to the file, you can only modify the file with a user account from the administrator group.

Access denied output when changing a high integrity level file
Access denied output when changing a high integrity level file

Restricting File and Folder Modification by Disabling Inheritance

By default, files and folders inherit their parent folder’s permissions. Perhaps you want to avoid giving users unnecessary access when you create a new folder or file. Disabling inheritance is one way to solve that concern.

You don’t have to be an administrator to disable inheritance, but you should have full permission for the object.

An example of inheritance is when you create the folder C:\myfolder\testdata, which will inherit permissions from the parent folder C:\myfolder.

To understand inheritance and the effect of disabling it, view the permissions of any file in your ~\Desktop folder in File Explorer. You’ll see permissions similar to what you see below. Notice that the file inherits permissions from its parent folders.

Displaying file advanced permissions before changing inheritance
Displaying file advanced permissions before changing inheritance

Disable inheritance on this file with icacls by running the command below using the inheritance parameter. The command below is specifying the d argument that disables inheritance and converts inheritance to explicit permissions.

# Disabling inheritance on a file named Myfile.txt
icacls ~/Desktop/Myfile.txt /inheritance:d

You can also specify e to enable inheritance and r to disable and remove all occurrences of inherited ACEs from the object using the inheritance parameter, e.g.,/inheritance:e or /inheritance:r.

Once you disable inheritance, you can see below that icacls converts each inheritance ACE to an explicit permission (inherited from none).

Viewing Inherited Permissions and Explicit Permissions
Viewing Inherited Permissions and Explicit Permissions

Perhaps you want those explicit permissions removed after re-enabling the file’s inheritance. To do that, you could either delete the permissions manually or reset the file’s inheritance. Resetting the file’s inheritance will remove all permissions, and the file will inherit the parent folder’s permissions.

The command below is resetting (/reset) a file’s (demo.txt) inheritance while suppressing success messages (/q) and ignoring errors (/c).

icacls demo.txt /q /c /reset
Resetting File Inheritance
Resetting File Inheritance

Granting or Denying Permissions in Different Inheritance Levels

The NTFS file system is a big hierarchy of folders with a parent and sometimes child folder for every other folder. That hierarchy has different “levels.” And you can set inheritance at each “level.” For example, if you have a path like C:\Folder\Subfolder, you can set inheritance on C:\, Folder, and Subfolder.

When you set a permission on a folder with icacls, icacls automatically sets that folder inheritance to propagate permissions to its subfolders. But maybe you only want to apply a particular permission without enabling inheritance to that folder’s subfolders?

The command below grants full permission (F) to the user (user02) on mydemo folder. But since no inheritance options are specified, icacls grants full permission to the mydemo folder only. Without a specified inheritance option, the default option (OI) will be applied automatically.

icacls mydemo /grant user02:(F)

Perhaps you want to grant permission to a user along with specified inheritance. In that case, run the following command.

Below, you’re granting (/grant) read-only permission (R) to a user (user02) that applies from the mydemo folder to its files and subfolders (OI)(CI).

icacls mydemo /grant user02:(OI)(CI)(R)

Below is a list of options to set the level of inheritance to a file or folder:

  • OI – Object Inheritance – Applies to this folder and files. There will be no inheritance or propagation to subfolders.
  • CI – Container Inheritance – Applies to this directory and subdirectories.
  • IO – Inherit Only – Does not apply to the current file or directory.
  • (OI)(CI) – Applies to this folder, subfolders, and files.
  • (OI)(CI)(IO) – Applies to subfolders and files only.
  • (CI)(IO) – Applies to subfolders only.
  • (OI)(IO) – Applies to files only.

Changing File Permissions on a File Share

So far, you’ve learned about changing permissions on your local PC. But icacls can also set permissions on remote files, though there is no direct way to achieve this.

When changing permissions on a remote PC, you must specify the full path of the file on the remote PC, as shown below. You should also have permissions on the actual folder, file, and share path to allow permissions for other users.

Below, you’re either granting (/grant) or denying (/deny) full permission (F) to a user (user02) on a text file (\c$\temp\testfile.txt) from a remote PC (\\win10vm2).

# Granting full permission to a user on a text file from a remote PC
icacls \\win10vm2\c$\temp\testfile.txt /grant user02:F

# Denying full permission to a user on a text file from a remote PC
icacls \\win10vm2\c$\temp\testfile.txt /deny user02:F

Conclusion

Throughout this guide, you’ve learned how to run the icacls command to set up permissions from basic to advanced. You’ve also learned to back up your files and folders’ ACLs in an AclFile as a fallback when changing permissions goes wrong.

Now with this newfound knowledge, how would you prefer to manage file and folder permissions? Locally? Remotely? Or a combination of both?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!