Icacls - DOS/Command Prompt Reference

Options

Common options

<name> or <directory>	Specifies the target file name or directory name for the operation (Wildcards can be used, but for /restore only the directory name can be used (see below)). * Even when specifying an alternate data stream, operations are performed on the original file name.
/T	Includes all files and subdirectories within the directory as part of the target if <name> is a directory.
/C	Continues without interruption even if an error occurs during the operation.
/L	If the target is a symbolic link, the operation applies to the link itself rather than the files/directories they point to. * This option has no effect on junction points or hard links.
/Q	Suppresses messages during the operation. * The completion message will be displayed, but it appears that the file count within that message is shown as 0 (which may be differ from the actual number of processed items).

/save <acl-file>

Saves the information of the Access Control List (ACL) to the specified file.

<name>	If specifying a directory, ending the path with ‘\’ will result in saving the file with a relative path based on that directory when storing information.
<acl-file>	Specifies the file name to save (output) the information of the ACL. A text file using SDDL (Security Descriptor Definition Language) will be generated. ※ The file is saved in UTF-16 (LE) format with a BOM.

/restore <acl-file>

Applies (restores) the Access Control List (ACL) information saved in the specified file to the files within the directory. The ACL information previously set on the files before restoration will be replaced.

<directory>	For /restore only the directory name can be specified in place of <directory>. This directory is treated as the parent directory for each file described (expressed in relative paths) within the <acl-file> file. * Individual files/directories cannot be specified here to restore information. In that case, you should modify the data within <acl-file> to include only the information for the individual file/directory. and specify the parent directory as <directory>. * If you cannot specify the parent directory to <directory> when restoring information for an individual directory (such as when it is the root directory), set the file name part in <acl-file> to ‘.’, and specify the target directory itself to <directory>.
<acl-file>	Specifies the file name (input file) that holds the information to restore the ACL. Specifies the text file that uses the SDDL (Security Descriptor Definition Language). * The file needs to be in UTF-16 (LE) format (it seems that BOM is not required).
/substitute <old-sid> <new-sid> [...]	During restoration, if the information to be restored includes the user/identifier indicated by <old-sid> , it will be replaced with the user/identifier specified by <new-sid>. Both <old-sid> and <new-sid> must be specified in the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted) or in the form ‘*S-1-...’ by combining the ‘*’ character and the SID string. ‘/substitute <old-sid> <new-sid>’ can be specified multiple times. * The placeholder names are ‘old-sid’ and ‘new-sid’, but if you are directly specifying the SID, you must prefix it with the ‘*’ character. * If the permissions of the user/identifier indicated by <old-sid> are inherited from a parent object, the inheritance remains intact, and the permissions are copied as they are assigned to the user/identifier indicated by <new-sid>. In that case, the permissions for <old-sid> will remain as they are, preserving the inheritance state.

/setowner <user>

Changes the owner of the file/directory. (Unlike Takeown, it can be set for users other than the current user, but forced changes are not possible.)

<user>	Specifies the username/identifier of the new owner. <user> will be the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted), but you can also combine the ‘*’ character with the SID string like ‘*S-1-...’.

/findsid <sid>

Searches for files where permissions are explicitly defined for the user/identifier specified by <sid>. If a wildcard is used in <name> or the /T option is used, the search will include multiple corresponding files/directories.

<sid>	Specifies the user.<user> will be the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted), or the form ‘*S-1-...’ by combining the ‘*’ character and the SID string. * The placeholder name is ‘sid’, but if you are directly specifying the SID, you must prefix it with the ‘*’ character.

/verify

Verifies the ACL. It checks whether there are any issues with the state of the ACL, such as due to filesystem corruption.

* While Chkdsk performs checks on security identifiers, it does not check the ACL itself. Therefore, Icacls is necessary for checking the state of ACLs.

/reset

Removes individually set ACLs and applies only the inherited ones.

[/grant[:r]] [/deny] [/remove] [/setintegritylevel] [/inheritance]

Sets permissions for the target file. If none of the options such as /grant, /deny, /remove, /setintegritylevel, or /inheritance is specified, Icacls will display (output to the screen) the permissions set on the target file.

* In cases where permission settings for the same user/identifier overlap with options ‘/grant’ and ‘/deny’, the overlapping portion is prioritized based on the options specified later.

/grant[:r] <sid>:<perm>[...]	Grants permissions (allow permissions, Allow ACE) to the specified user/identifier. When ‘/grant:r’ option is specified, existing permissions for the specified user/identifier are replaced. If ‘/grant’ option is used, permissions are added without replacing existing ones. For ‘<sid>’, specifies the string representing the target user/identifier in the form ‘domain-name\user-name’ (‘domain-name\’ can be omitted) or in the form ‘*S-1-...’ (combining the ‘*’ character with the SID string). For ‘<perm>’, specifies the desired permission as a string. For the format of this string, please see Strings for ‘perm’ below. ‘/grant’ can be specified multiple times. (If you want to grant permissions to multiple user/identifier pairs, include a corresponding number of ‘/grant’ options.) Note that there must be no space between <sid> and <perm> and a colon (‘:’) serves as the delimiter (in the form ‘User:perm’).
/deny <sid>:<perm>[...]	Grants ‘deny’ permissions (explicit deny ACE) to the specified user/identifier. The format ‘<sid>:<perm>’ is same for /grant, and it is also possible to specify multiple /deny entries. When using /deny to grant ‘deny’ permissions, any existing ‘allow’ permissions for the same rights are removed.
/remove[:g|:d] <sid>[...]	Removes all permission settings for the specified user/identifier. If specified with ‘/remove:g’, it removes all ‘allow’ permissions. If specified with ‘/remove:d’, it removes all ‘deny’ permissions. Simply using ‘/remove’ without specifying ‘g’ or ‘d’ removes both types of permissions. The value specified for ‘<sid>’ is the same as in /grant or /deny.
/setintegritylevel [(CI)][(IO)][(OI)][(NP)]<level>	Sets the ‘Integrity Level’ for the file. Specifies either ‘Low’, ‘Medium’, ‘High’, or their respective initials for <level>. Note that setting the integrity level with Icacls on the command line is limited to ‘NW’ (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP), and it cannot be unset (it won't be removed with /reset or /restore). If <name> is a directory, you can specify one or more of ‘(CI)’, ‘(IO)’, ‘(OI)’, ‘(NP)’ just before ‘<level>’ (The specifications like ‘(CI)’, ‘(IO)’, etc., can be specified similarly to the ‘Strings for "perm"’)。 * The Icacls help mentions ‘<level>:<policy>’, but currently, only <level> is used, and if it starts with ‘L’, ‘M’, or ‘H’, any characters after that, excluding spaces, are ignored. * While ‘/setintegritylevel’ can be specified multiple times, only the last specification takes effect. * To remove it, you need to recreate the file/directory or use a tool that handles integrity levels.
/inheritance:<e|d|r>	Configures inheritance for permission data (ACE data). After ‘:’ specify either e, d, or r, and their meanings are as follows: /inheritance:e Inherits permissions from the parent object. /inheritance:d Does not inherit permissions from the parent object. Instead, copies the permissions from the parent and assigns them to oneself. /inheritance:r Does not inherit permissions from the parent object and removes them. Permissions already individually assigned remain unchanged regardless of their similarity.

Strings for ‘perm’

In the ‘/grant’, ‘/deny’, and ‘/remove’ options, ‘<perm>’ can specify simple permissions or provide detailed permissions within ‘( )’ separated by commas. For directories, you can also combine permissions related to inheritance.

Simple permissions

Specifies the following characters either individually or concatenated (such as ‘RWRX’). However, ‘N’ must be specified individually.

N	No access rights
F	Full control
M	Change
R	Read (only)
RX	Read and Execute
W	Write (only)
D	Delete

* Since there is no specific permission characters to allow access rights changes, except for Full control, when dealing with permission changes, you need to use the following detailed permission settings.

Detailed permissions

Specifies the following characters individually or separated by commas, and enclose the entire set in parentheses ‘( )’ for specification (e.g. ‘(RD,WD,AD)’).

RD	Read data, or list the items (retrieve/enumerate) within a directory
RA	Read attributes
REA	Read extended attributes
RC	Read access rights
GR	General ‘Read’ permission (a combination of RD, RA, RC, and REA)
WD	Write data, or add a file to a directory
AD	Append data, or add a subdirectory to a directory
WA	Write (modify) attributes
WEA	Write (modify) extended attributes
GW	General ‘Write’ permission (a combination of WD, AD, WA, and WEA)
X	Execute a file, or scan (traverse) a directory
GE	General ‘Execute’ permission (a combination of RA, RC, and X)
DE	Delete
DC	Delete children
WO	Write (modify) an owner
WDAC	Write (modify) DAC(access control setting)
GA	General full access rights (Full control)
AS	Modify System ACL (SACL) (Access System Security)
S	Use for synchronization (e.g. waiting functions)
MA	Maximum allowed permissions (Maximum Allowed)

* The modification of attributes that can be changed with Attrib is controlled by ‘WA’, but however, even without ‘RA’, obtaining these attributes is still possible.
* Many applications require ‘GW’ (GENERIC_WRITE; WD + AD + WA + WEA) for file writing. In such cases, if any of WD, AD, WA, WEA is missing, writing will not be possible.
* The ‘Scan (traverse) a directory’ permission is set to be ignored by default user permissions.
* The specification of ‘MA’ (Maximum Allowed) is used when requesting access permissions and does not have any meaning when specified as access rights for files, directories, etc.(ref: [MS-DTYP]: ACCESS_MASK)
* ‘AS’ (Access System Security) does not have any effect on files or directories.

Permissions related to inheritance

If the target is a directory, you can additionally specify whether the specified permissions can be inherited by children. Specifies one or more followings, enclosed in parentheses ‘( )’, before the simple or detailed permissions mentioned above. (e.g. ‘(OI)(CI)F’, ‘(OI)(IO)(GR,GE)’)

(OI)	Inherit to child objects (files)
(CI)	Inherit to child containers (subdirectories or subfolders)
(IO)	Perform inheritance only, without granting permissions to itself
(NP)	Inherit to immediate objects (files) or containers (subdirectories/subfolders), but do not inherit to objects or containers further down (grandchildren)

* The specification of ‘(NP)’ corresponds to the setting in the Explorer's file security advanced settings (Access Control Entry): ‘Apply these permissions to objects and/or containers within this container only’.
* ‘(I)’ (Inherit from parent) is indicated when displaying the current state, but it cannot be included in the configuration parameters (use ‘/inheritance’ instead).

Security Descriptor Definition Language (SDDL)

The Security Descriptor Definition Language (SDDL) is a language that defines security descriptors, including information such as access rights, as strings. (The string format is referred to as the ‘Security Descriptor String Format’.) For the /save and /restore options in Icacls, the file specified must follow a pattern where odd-numbered lines contain the file (or directory) names, and even-numbered lines contain the corresponding security descriptors in SDDL format.

For an overview of SDDL, you can refer to Microsoft Learn's ‘Security Descriptor Definition Language’, and to understand the specific format of the strings, you can check Microsoft Learn's ‘Security Descriptor String Format’.

* Security Descriptor String Format is used in the input and output of Win32 API functions such as ConvertStringSecurityDescriptorToSecurityDescriptor function and ConvertSecurityDescriptorToStringSecurityDescriptor function.

Integrity level

Icacls allows limited setting of ‘Integrity Level’. Integrity Level is set using stages (Low, High, etc.) and combinations of permissions such as ‘NO_WRITE_UP’ or ‘NO_EXECUTE_UP’. When accessing permissions corresponding to the Integrity Level set to ‘High’, elevation of privileges through UAC may be required, and accessing permissions set to ‘Medium’ may be denied to users or processes in Protected Mode (equivalent to Low). This allows for a different form of permission management compared to regular permission settings. Also, programs set to ‘Low’ cannot write to files with integrity levels of ‘Medium’ or higher, or those that are not set. (This is used to prevent unintentional execution of programs, such as browsers, to enhance security).

* The ‘%USERPROFILE%\AppData\LocalLow’ directory has a Low integrity level, allowing write operations from programs with Low integrity levels. (This is useful in scenarios where programs with Low integrity levels need to write data, distinguishing it from the ‘%USERPROFILE%\AppData\Local’ directory.)