In my last role, we had to create large folder structures including permissioning very quickly in Windows 2008 R2, and as a result we came across ICACLS, which proved very useful.
ICACLS name /save aclfile [/T] [/C]
Store the acls for all matching file/folder names into aclfile for later use with /restore.
ICACLS directory [/substitute SidOld SidNew […]] /restore aclfile [/C]
Applies the stored acls to files in directory.
ICACLS name /setowner user [/T] [/C]
Changes the owner of all matching names.
ICACLS name /findsid Sid [/T] [/C]
Finds all matching names that contain an ACL explicitly mentioning Sid.
ICACLS name /verify [/T] [/C]
Finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.
ICACLS name /resize [/T] [/C] [/L]
Changes incorrect recorded lengths of ACLs to true lengths.
ICACLS name /reset [/T] [/C]
Replaces acls with default inherited acls for all matching files.
ICACLS name [/grant[:r] Sid:perm[…]]
[/deny Sid:perm […]]
[/remove[:g|:d]] Sid[…]] [/T] [/C]
With :r, the permissions replace any previously granted explicit permissions.
Without :r, the permissions are added to any previously granted explicit permissions.
/deny Sid:perm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
/remove[:[g|d]] Sid removes all occurrences of Sid in the acl.
With :g, it removes all occurrences of granted rights to that Sid.
With :d, it removes all occurrences of denied rights to that Sid.
Note:
Sids may be in either numeric or friendly name form. If a numeric form is given, affix a * to the start of the SID.
/T indicates that this operation is performed on all matching files/directories below the directories specified in the name.
/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.
ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants
Perm is a permission mask and can be specified in one of two forms:
1. A sequence of simple rights:
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
2. A comma-separated list in parentheses of specific rights:
D – delete
RC – read control
WDAC – write DAC
WO – write owner
S – synchronize
AS – access system security
MA – maximum allowed
GR – generic read
GW – generic write
GE – generic execute
GA – generic all
RD – read data/list directory
WD – write data/add file
AD – append data/add subdirectory
REA – read extended attributes
WEA – write extended attributes
X – execute/traverse
DC – delete child
RA – read attributes
WA – write attributes
Inheritance rights may precede either form and are applied only to directories:
(OI) – object inherit
(CI) – container inherit
(IO) – inherit only
(NP) – don’t propagate inherit
Examples:
icacls c:\windows\* /save AclFile /T
– Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.
icacls c:\windows\ /restore AclFile
– Will restore the Acls for every file within AclFile that exists in c:\windows and its subdirectories
icacls file /grant Administrator:(D,WDAC)
– Will grant the user Administrator Delete and Write DAC permissions to file
icacls file /grant Administrator:(OI)(CI)M
– Will grant the user Administrator Modify permissions and, where the target is a folder, ripple this downwards to the files and folders beneath it
icacls file /grant *S-1-1-0:(D,WDAC)
– Will grant the user defined by sid S-1-1-0 Delete and Write DAC permissions to file
Folder Path Spaces
If there are spaces in the folder path names, you will need to put the path in straight double quotes, as follows:
ICACLS "C:\Test Folder\Second Part\Third Part" /grant user123:(OI)(CI)R
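The commands above combined into one PowerShell workflow: baseline the ACLs with /save, grant with inheritance flags, then check the result with /verify and /findsid, keeping /restore as the rollback. This is an added example, not part of the original post; the folder names, the $Plan table and the Invoke-Icacls helper are hypothetical, and the two SIDs are the well-known BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Users (S-1-5-32-545) groups.

```powershell
# Added example with constructed paths; adjust $Root and $Plan before use.
$Root    = Join-Path $env:TEMP 'Test Folder'       # hypothetical root, contains a space
$AclFile = Join-Path $env:TEMP 'acl-baseline.txt'  # kept outside $Root

# Hypothetical plan: subfolder, numeric SID (prefixed with *), simple right.
$Plan = @(
    @{ Folder = 'Second Part';            Sid = '*S-1-5-32-544'; Perm = 'M' }
    @{ Folder = 'Second Part\Third Part'; Sid = '*S-1-5-32-545'; Perm = 'R' }
)

function Invoke-Icacls {
    # Hypothetical helper: run icacls and stop on a non-zero exit code.
    & icacls.exe @args
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $args" }
}

# 1. Create the folder structure.
foreach ($e in $Plan) {
    New-Item -ItemType Directory -Path (Join-Path $Root $e.Folder) -Force | Out-Null
}

# 2. Baseline: save the ACLs of everything under $Root before changing them.
#    PowerShell quotes arguments that contain spaces when calling icacls.exe.
Invoke-Icacls "$Root\*" /save $AclFile /T /C

# 3. Apply the grants. /grant:r replaces earlier explicit grants for the SID.
#    The Sid:perm argument must be quoted here: unquoted, PowerShell would
#    try to evaluate (OI) and (CI) as expressions.
foreach ($e in $Plan) {
    $target = Join-Path $Root $e.Folder
    Invoke-Icacls $target /grant:r "$($e.Sid):(OI)(CI)$($e.Perm)" /C
}

# 4. Check that every ACL is in canonical form with consistent lengths.
Invoke-Icacls $Root /verify /T /C

# 5. Audit: list every name whose ACL explicitly mentions BUILTIN\Users.
& icacls.exe $Root /findsid '*S-1-5-32-545' /T /C

# Rollback, if the result is not what was intended (same root as the /save):
#   icacls.exe $Root /restore $AclFile /C
```

The baseline is saved with the "$Root\*" form and restored against $Root, matching the c:\windows\* and c:\windows\ pair in the examples above.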