
---
date: "2016-12-02"
draft: false
title: "icacls"
---


Change file and folder permissions - display or modify Access Control Lists (ACLs) for files and folders.

The icacls command should be used instead of cacls on Windows Server 2003 SP 2 and higher.

Syntax through Examples

# Give a user full control over a file
icacls "C:\Example\UserFiles\Andrew.txt" /grant Andrew:F

# Grant a domain user full control over a file
icacls "C:\Windows\notepad.exe" /grant WIN7\Administrator:F

# Give Awesome group members Read Only access to the Docs directory and all files contained
icacls "C:\Example\Docs" /grant Awesome:(OI)(R)

# Give Cool group members write only access to a directory and all subfolders
icacls "C:\Example" /grant Cool:(CI)(W)

# Disable Inheritance, but keep the rules that were applied through inheritance
icacls "C:\Example\Docs\Restricted.txt" /inheritance:D

# Remove a user and check permissions
icacls "C:\Example\Docs\Restricted.txt" /remove Tom && icacls "C:\Example\Docs\Restricted.txt"

More info on the inheritance flag:

# Disable inheritance without removing the applied rules
/inheritance:D

# Enable inheritance
/inheritance:E

# Remove all inherited rules - be careful with this one
/inheritance:R

# Disable inheritance (keeping copies of the inherited rules), then remove a group's granted rights
icacls file /inheritance:d /remove:g "Authenticated Users"
icacls file /inheritance:d /remove:g "Users"

Additional things to think about:

   /T  Traverse all subfolders to match files/directories.

   /C  Continue on file errors (access denied). Error messages are still displayed.

   /L  Perform the operation on a symbolic link itself, not its target.

   /Q  Quiet - suppress success messages.

   /grant[:r] user:permission
       Grant access rights. With :r, the permissions replace any
       previously granted explicit permissions; otherwise they are added.

   /deny user:permission
       Explicitly deny the specified user access rights.
       This also removes any explicit grant of the same
       permissions to the same user.

   /remove[:[g|d]] User
       Remove all occurrences of User from the ACL.
       :g removes all granted rights for that User/SID.
       :d removes all denied rights for that User/SID.

Values to Remember

Permissions

icacls "C:\File Name" /grant Andrew:F

| Perm | Description |
|------|-------------|
| N | No access |
| F | Full access |
| M | Modify access |
| RX | Read and execute access |
| R | Read-only access |
| W | Write-only access |
| D | Delete access |

Inheritance codes

Some terms:

1. Container (C): generally a folder, in regard to the filesystem
2. Object (O): a file

| Rights | Description |
|--------|-------------|
| (I) | "Inherited": This ACE was inherited from the parent container. |
| (OI) | "Object inherit": This ACE will be inherited by objects placed in this container. |
| (CI) | "Container inherit": This ACE will be inherited by subcontainers placed in this container. |
| (IO) | "Inherit only": This ACE will be inherited (see OI and CI), but does not apply to this object itself. |
| (NP) | "Do not propagate": This ACE will be inherited by objects and subcontainers one level deep; it will not apply to things inside subcontainers. |

Example:

# Give Andrew full control over the "MyDocs" folder, its subfolders, and files
icacls "C:\MyDocs" /grant Andrew:(OI)(CI)(F)

What combined inheritance codes can mean:

| Inheritance Code | Description |
|------------------|-------------|
| (OI) | This folder and files. |
| (CI) | This folder and subfolders. |
| (OI)(CI) | This folder, subfolders, and files. |
| (OI)(CI)(IO) | Subfolders and files only. |
| (CI)(IO) | Subfolders only. |
| (OI)(IO) | Files only. |

Individual Rights

Specific rights can be specified as well, comma-separated and in parentheses:

icacls "C:\My Folder" /grant "Andrew":(DE,RC,WDAC)
| Right | Description |
|-------|-------------|
| DE | Delete |
| RC | Read control |
| WDAC | Write DAC |
| WO | Write owner |
| S | Synchronize |
| AS | Access system security |
| MA | Maximum allowed |
| GR | Generic read |
| GW | Generic write |
| GE | Generic execute |
| GA | Generic all |
| RD | Read data/list directory |
| WD | Write data/add file |
| AD | Append data/add subdirectory |
| REA | Read extended attributes |
| WEA | Write extended attributes |
| X | Execute/traverse |
| DC | Delete child |
| RA | Read attributes |
| WA | Write attributes |

Interpreting Output

Be able to interpret output like this:

icacls "C:\Folder Name"
C:\Folder Name NT AUTHORITY\IUSR:(M)
               BUILTIN\IIS_IUSRS:(M)
               BUILTIN\IIS_IUSRS:(OI)(CI)(M)
               NT AUTHORITY\IUSR:(OI)(CI)(M)
               BUILTIN\IIS_IUSRS:(I)(OI)(CI)(RX)
               NT AUTHORITY\IUSR:(I)(OI)(CI)(RX)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(F)

Man

  Syntax
      ICACLS Name [/grant[:r] User:Permission[...]]
                  [/deny User:Permission[...]]
                  [/remove[:g|:d] User[...]]
                  [/inheritance:e|d|r]
                  [/t] [/c] [/l] [/q]
                  [/setintegritylevel Level[...]]

      Store ACLs for one or more directories matching name into aclfile for later use with /restore:
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]

      Restore ACLs to all files in directory:
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]

      Change owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

      Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

      Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]

      Replace ACL with default inherited ACLs for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

  Key
      name  The file(s) or folder(s) the permissions will apply to.

      /T  Traverse all subfolders to match files/directories.

      /C  Continue on file errors (access denied). Error messages are still displayed.

      /L  Perform the operation on a symbolic link itself, not its target.

      /Q  Quiet - suppress success messages.

      /grant[:r] user:permission
          Grant access rights. With :r, the permissions replace any
          previously granted explicit permissions; otherwise they are added.

      /deny user:permission
          Explicitly deny the specified user access rights.
          This also removes any explicit grant of the same
          permissions to the same user.

      /remove[:[g|d]] User
          Remove all occurrences of User from the ACL.
          :g removes all granted rights for that User/SID.
          :d removes all denied rights for that User/SID.

      /setintegritylevel [(CI)(OI)]Level
          Add an integrity ACE to all matching files.
          Level is one of L, M, H (Low, Medium or High).
          A directory inheritance option for the integrity ACE can precede the level
          and is applied only to directories.

      /inheritance:e|d|r
          e - enable inheritance
          d - disable inheritance and copy the ACEs
          r - remove all inherited ACEs

      user   A user account, group or a SID

      /restore  Apply the ACLs stored in aclfile to the files in directory

      permission  A permission mask, which can be specified in one of two forms:
          a sequence of simple rights:
              D - Delete access
              F - Full access
              N - No access
              M - Modify access
              RX - Read and eXecute access
              R - Read-only access
              W - Write-only access
          a comma-separated list in parentheses of specific rights:
              DE - Delete
              RC - read control
              WDAC - write DAC
              WO - write owner
              S - synchronize
              AS - access system security
              MA - maximum allowed
              GR - generic read
              GW - generic write
              GE - generic execute
              GA - generic all
              RD - read data/list directory
              WD - write data/add file
              AD - append data/add subdirectory
              REA - read extended attributes
              WEA - write extended attributes
              X - execute/traverse
              DC - delete child
              RA - read attributes
              WA - write attributes
          inheritance rights can precede either form and are applied
          only to directories:
              (OI) - object inherit
              (CI) - container inherit
              (IO) - inherit only
              (NP) - don't propagate inherit
              (I)  - permission inherited from parent container
  Unlike earlier command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries:

  Order of Override
      Explicit Deny
      Explicit Grant
      Inherited Deny
      Inherited Grant
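The combined inheritance codes, the listing under "Interpreting Output" and the order of override just above can all be checked mechanically. The following Python parser is an added example, not part of these notes or of icacls itself: it reads icacls output into ACE records, expands each ACE's inheritance flags into the scope wording of the inheritance table, checks that the ACL is in canonical order, and lists grant ACEs that give write-type rights to principals you name. The sample is the page's own listing, constructed here in the layout icacls prints (path on the first line, then the processing summary); the `(DENY)` token and the set of rights treated as write-type are my assumptions.

```python
import re
from collections import namedtuple
# Constructed sample: the "Interpreting Output" listing, laid out as icacls prints it.
SAMPLE_OUTPUT = """\
C:\\Folder Name NT AUTHORITY\\IUSR:(M)
               BUILTIN\\IIS_IUSRS:(M)
               BUILTIN\\IIS_IUSRS:(OI)(CI)(M)
               NT AUTHORITY\\IUSR:(OI)(CI)(M)
               BUILTIN\\IIS_IUSRS:(I)(OI)(CI)(RX)
               NT AUTHORITY\\IUSR:(I)(OI)(CI)(RX)
               NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SCOPE_FLAGS = {"OI", "CI", "IO", "NP"}
MARKERS = SCOPE_FLAGS | {"I", "DENY"}  # assumed: icacls prints (DENY) ahead of a deny ACE's flags
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}  # change content, DACL or owner
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")
Ace = namedtuple("Ace", "principal deny inherited flags rights")  # flags: OI/CI/IO/NP; rights: e.g. {"DE", "WDAC"}

def parse_icacls(output, path):
    """Parse the output of `icacls <path>` into Ace tuples, in ACL order."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank line or the "Successfully processed" summary
        principal, paren = m.groups()
        if principal.lower().startswith(path.lower()):
            principal = principal[len(path):].strip()  # the first line carries the path
        tokens = [t.upper() for t in re.findall(r"\(([^)]*)\)", paren)]
        rights = {r for t in tokens if t not in MARKERS for r in t.split(",")}
        aces.append(Ace(principal, "DENY" in tokens, "I" in tokens,
                        frozenset(t for t in tokens if t in SCOPE_FLAGS), frozenset(rights)))
    return aces

def applies_to(flags):
    """Expand an (OI)/(CI)/(IO)/(NP) combination into the scope wording of the inheritance table."""
    scope = [] if "IO" in flags else ["this folder"]
    scope += ["subfolders"] * ("CI" in flags) + ["files"] * ("OI" in flags)
    return ", ".join(scope) + (" (one level only)" if "NP" in flags else "")
def is_canonical(aces):
    """Order of override: explicit deny, explicit grant, inherited deny, inherited grant."""
    ranks = [(a.inherited, not a.deny) for a in aces]
    return ranks == sorted(ranks)
def write_grants(aces, principals):
    """Grant ACEs that give write-type rights to the named (typically broad) principals."""
    wanted = {p.lower() for p in principals}
    return [a for a in aces if not a.deny and a.principal.lower() in wanted and a.rights & WRITE_RIGHTS]
```

Run against the sample, `write_grants` reports the four (M) entries held by the web server identities IUSR and IIS_IUSRS, which is the kind of entry worth reviewing on a content folder.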

  Access Control Lists apply only to files stored on an NTFS formatted drive; each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACLs from the folder where it was created.

  An access control list (ACL) is a list of access control entries (ACEs). When backing up or restoring an ACL with iCACLS, you must do so for an entire directory (using /save and /restore) even if you are only interested in the ACEs for a few individual files. In practice most permissions are set at the per-directory level.

  Using iCACLS
      To edit a file you must already have the "Change" ACL (or be the file's owner).
      To use the iCACLS command to change the permissions of a file requires "Full Control" (or be the file's owner).
      File "Ownership" will always override all ACLs - you always have Full Control over files that you create.

  Inheritance
  Inherited folder permissions are displayed as
      OI - Object inherit    - This folder and files. (no inheritance to subfolders)
      CI - Container inherit - This folder and subfolders.
      IO - Inherit only      - The ACE does not apply to the current file/directory

  These can also be combined as follows
      (OI)(CI)      This folder, subfolders, and files.
      (OI)(CI)(IO)  Subfolders and files only.
      (CI)(IO)      Subfolders only.
      (OI)(IO)      Files only.

  So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit 'F' (Full control);
  similarly (CI)R means directories will inherit 'R' (Read folders only = List permission).

  When icacls is applied to the current folder only, there is no inheritance, and so none is shown in the output.

  Built-In Groups
  A command which addresses a built-in group by name, like ICACLS foldername /GRANT Everyone:F /T, depends on that name as spelled on the local language version of Windows; addressing the group by its well-known SID works on every version.
  For example, to grant full control to Everyone on a folder: ICACLS foldername /GRANT *S-1-1-0:F /T

  Examples:

  Remove Authenticated Users from the ACL of c:\Test
      icacls "c:\Test" /remove "Authenticated Users"

  Give the Ducks group Full Control of c:\Test, its subfolders and files
      icacls "c:\Test" /grant "Ducks":(OI)(CI)F

  Give each user Full Control of his own directory and remove the local Users group from having access to each subdirectory
      icacls "c:\Test\user" /grant user:(OI)(CI)F
      icacls "c:\Test\*" /inheritance:d
      icacls "c:\Test\*" /remove Users

  To back up the ACLs of every file in a directory
      icacls * /save Myacl_backup.txt

  Restore ACLs (into the current directory) using a previously saved ACL file
      icacls . /restore Myacl_backup.txt

  Change the Integrity Level (IL) of a file to High
      icacls MyReport.doc /setintegritylevel H

  Remove all inheritance on the 'Demo' folder and grant access to the domain user 'Volta'; in this command the /t will traverse existing subfolders and files, and the (CI) will ensure that new folders/files added in future will inherit these permissions
      icacls C:\Demo /inheritance:r /grant SS64dom\Volta:(CI)F /t

  Grant the group FileAdmins 'Delete' and 'Write DAC' permissions to Sales_Folder
      icacls Sales_Folder /grant FileAdmins:(D,WDAC)

  Propagate a new permission to all files and subfolders, without using inheritance
  (so if any of the subfolders contain specific permissions, those won't be overwritten)
      icacls * /grant accountName:(NP)(RX) /T

  Note: /remove:g removes all occurrences of granted permissions for the named account.