Using iCACLS to List Folder Permissions and Manage Files

One of the typical tasks for Windows administrators is managing NTFS permissions on folders and files in the file system. To manage NTFS permissions, you can use the File Explorer graphical interface (the Security tab in the properties of a folder or file), or the built-in iCACLS command-line utility. In this article we'll look at examples of using the iCACLS command to view and manage folder and file permissions.

Using iCACLS Command

The iCACLS command lets you display or change the Access Control Lists (ACLs) of files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (used in Windows XP).

To list the current permissions on a specific folder (for example, C:\PS), open a command prompt and run the command:

icacls c:\PS

This command will return a list of all users and groups who are assigned permissions to this directory. Let’s try to understand the syntax of the permissions returned by the iCACLS command:

c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

The access level is specified next to each user and group. Access rights are indicated using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user:

  • (OI) — object inherit
  • (CI) — container inherit
  • (M) —  modify access

This means that this user has permission to write and modify data in this folder. These permissions are inherited by all child objects in this directory.

Below is a complete list of the permissions that can be applied using the icacls utility:

iCACLS inheritance settings:

  • (OI)  —  object inherit
  • (CI)  —  container inherit
  • (IO)  —  inherit only
  • (NP)  —  don’t propagate inherit
  • (I)  — permission inherited from parent container

List of basic access permissions:

  • D  —  delete access
  • F  —  full access
  • N  —  no access
  • M  —  modify access
  • RX  —  read and eXecute access
  • R  —  read-only access
  • W  —  write-only access

Detailed permissions:

  • DE  —  delete
  • RC  —  read control
  • WDAC  —  write DAC
  • WO   — write owner
  • S  —  synchronize
  • AS  —  access system security
  • MA  —  maximum allowed permissions
  • GR  —  generic read
  • GW  —  generic write
  • GE  —  generic execute
  • GA  —  generic all
  • RD  —  read data/list directory
  • WD  —  write data/add file
  • AD  — append data/add subdirectory
  • REA  —  read extended attributes
  • WEA  —  write extended attributes
  • X  —  execute/traverse
  • DC  —  delete child
  • RA  —  read attributes
  • WA  —  write attributes
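
As an added example (not part of the original article), the following Python code parses the text printed by `icacls <path>` into one record per access control entry, using the abbreviations listed above, and reports which principals hold write-capable rights granted directly on the folder rather than inherited. The names `parse_icacls`, `explicit_writers` and the `WRITE_CAPABLE` selection are assumptions of this example; the sample input is the output shown earlier in the article.

```python
import re

# Inheritance abbreviations from the article's list.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Assumption of this example: rights from the article's lists that let the
# holder change data, the ACL or the owner.
WRITE_CAPABLE = {"F", "M", "W", "D", "DE", "WD", "AD", "DC",
                 "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]+\))+)$")

def parse_icacls(text, path):
    """Parse the text printed by `icacls <path>` into a list of ACE dicts."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        # The first ACE shares its line with the path. Paths and account
        # names may contain spaces, so strip the known path prefix instead
        # of splitting on whitespace.
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        tokens = re.findall(r"\(([^()]+)\)", m.group("groups"))
        flags = [t for t in tokens if t in INHERIT_FLAGS]
        deny = "DENY" in tokens  # icacls marks deny entries with (DENY)
        rights = [r.strip() for t in tokens
                  if t not in INHERIT_FLAGS and t != "DENY"
                  for r in t.split(",")]  # e.g. (RX,W) lists several rights
        aces.append({"principal": m.group("who"), "deny": deny,
                     "inherited": "I" in flags, "flags": flags,
                     "rights": rights})
    return aces

def explicit_writers(aces):
    """Principals granted write-capable rights directly on this object."""
    return [a["principal"] for a in aces
            if not a["deny"] and not a["inherited"]
            and WRITE_CAPABLE.intersection(a["rights"])]

# Sample output copied from the article.
SAMPLE = r"""c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(explicit_writers(parse_icacls(SAMPLE, r"c:\PS")))
```

Entries without the (I) flag are the ones set on the folder itself, so they are the first place to look when reviewing who was given modify or full access by hand.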

Using the icacls command, you can save the current ACL of an object to a file, and then apply the saved list to the same or other objects (a way of backing up ACLs).

To export the current ACLs of the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:

icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t

This command saves the ACLs not only of the directory itself, but also of all subfolders and files. The resulting text file can be opened using Notepad or any text editor.

To apply saved access ACLs (restore permissions), run the command:

icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt

Thus, transferring ACLs from one folder to another becomes much easier.

Use iCACLS to Grant Permissions or Change the Access Lists for the Folder

With the icacls command, you can change the access lists for a folder. For example, to grant the user John permission to edit the contents of the folder C:\PS, run the command:

icacls C:\PS /grant  John:M

You can remove all of John's permissions using the command:

icacls C:\PS /remove John

You can also prevent a user or group of users from accessing a file or folder like this:

icacls c:\ps /deny "NYUsers:(CI)(M)"

Keep in mind that deny rules take priority over allow rules.

Using the icacls command, you can change the owner of a file or folder, for example:

icacls c:\ps\secret.docx /setowner John /T /C /L /Q

  • /Q – do not display success messages;
  • /L – the command is performed on the symbolic link itself, not on the object it points to;
  • /C – execution of the command continues despite file errors. Error messages will still be displayed;
  • /T – the command is performed for all files and directories located in the specified directory.

You can change the owner of all files in the folder:

icacls c:\ps\* /setowner John /T /C /L /Q

Also with icacls you can reset the current permissions on the file system objects:

ICACLS C:\ps /T /Q /C /RESET

After running this command, all current permissions on the file objects in the specified folder will be reset and replaced with permissions inherited from the parent object.
