11

I cannot get icacls to accept my group for adding permissions. I am using an elevated PowerShell with the following command:

    icacls 'C:/foo' /grant:r 'Group Foo':f

I get the following error:

    Invalid parameter "Group Foo"

I have tried using the SUID too, but that fails as well. I have also tried 'Domain\Group Foo'

I have a bunch of files I am trying to allow a group to use. What is the proper way to add mass permissions in Windows Server 2012?

-- EDIT --

    E:\> icacls "E:/Contact Numbers.xlsx" /grant:r "Users":f
    Invalid parameter "Users"
user319862

2 Answers

10

Use double quotes instead of single quotes:

    C:\>mkdir foo

    C:\>icacls 'C:/foo' /grant:r 'Users':f
    'Users': No mapping between account names and security IDs was done.
    Successfully processed 0 files; Failed processing 1 files

    C:\>icacls "C:/foo" /grant:r "Users":f
    processed file: C:/foo
    Successfully processed 1 files; Failed processing 0 files

I missed that you were using PowerShell, not cmd. PowerShell has some high weirdness when mixing external commands and quoting. Here are a couple of examples using PowerShell.

PS v2: To pass the quotes on to icacls you must escape them with a caret. Note that the parentheses around the "F" need to be escaped as well.

    PS C:\>icacls `"C:/foo`" /grant:r `"Users`":`(F`)

PS v3: Version 3 offers a new escape sequence --% (dash, dash, percent) which escapes the remainder of the line. This makes even complex external parameters simple.

    PS C:\>icacls --% "C:/foo" /grant:r "Users":F
jscott
  • See my edit above. This did not work either. Note that I am getting "Invalid parameter" errors and not "No mapping between account names" – user319862 Jun 17 '13 at 13:22
  • I just tried again using command prompt instead of power shell and it worked. Don't know what the issue is there but thanks for the correct syntax. – user319862 Jun 17 '13 at 13:35
  • Sorry, totally skipped over that you were using PS. Updated to include PS 2/3 examples. – jscott Jun 17 '13 at 13:50
  • To the people complaining it doesn't work, you have to use the command in Command Prompt. The command does not work in PowerShell. – Mike G Mar 08 '19 at 21:28
2

It won't let me comment on jscott's thread, but in order to make your command run properly in PowerShell, you'll have to add quotes around the entire parameter, as such:

    C:\> icacls .\foo /grant:r "Users:F"

This will work for group names that have spaces in them, as well as commands including inherit permissions.

    C:\> icacls .\foo /grant:r "Remote Desktop Users:(OI)(CI)(F)"

When in doubt, always apply quotes around the full parameter. Hope this helps! :)

Josh Vance
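
For the "mass permissions" part of the question, the following is an added example, not code from any of the posts above. It builds the whole `account:permission` value as one string, as the second answer recommends, and checks the icacls exit code for every path. The function name `Grant-GroupAccess`, the group `Group Foo` and the folder `C:\foo` are hypothetical; it assumes PowerShell v3 or later.

```powershell
# Added example: grant one group access to many paths from PowerShell.
# Grant-GroupAccess and all sample values are hypothetical, not from the posts.
function Grant-GroupAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string]   $Group,   # 'Group Foo' or 'DOMAIN\Group Foo'
        [ValidateSet('F', 'M', 'RX', 'R', 'W')]
        [string] $Right = 'RX',                     # default to read/execute, not full control
        [switch] $Inherit                           # adds (OI)(CI); meaningful on folders only
    )

    # Build "account:perm" as ONE string so icacls receives a single argument,
    # even when the group name contains spaces.
    $flags = if ($Inherit) { '(OI)(CI)' } else { '' }
    $grant = '{0}:{1}({2})' -f $Group, $flags, $Right

    $failed = @()
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping missing path: $p"
            $failed += $p
            continue
        }
        # -WhatIf previews the change; /grant:r replaces the group's existing explicit grant.
        if ($PSCmdlet.ShouldProcess($p, "icacls /grant:r $grant")) {
            & icacls.exe $p /grant:r $grant | Out-Null
            # icacls signals failure through its exit code, not an exception.
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "icacls failed on $p (exit code $LASTEXITCODE)"
                $failed += $p
            }
        }
    }
    return ,$failed   # paths that still need attention
}

# Constructed usage: preview a read/execute grant on every file under C:\foo.
$targets = Get-ChildItem -LiteralPath 'C:\foo' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($targets) {
    Grant-GroupAccess -Path $targets -Group 'Group Foo' -Right RX -WhatIf
}
```

Drop `-WhatIf` once the previewed commands look right, and confirm the result on one path with `icacls <path>` before applying it to the rest.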