17

Using Windows Server 2012 R2 AND Windows Server 2008 R2.

I have a folder called C:\temp\test and I want to grant access to SYSTEM and a user on all files and subdirectories, and remove everything else. I've tried this command but all the existing permissions remain:

Existing permissions are:

Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
         CREATOR OWNER Allow  268435456

I want to remove all ACLs except SYSTEM, and add <DOMAIN>\<USER>

I tried this command:

icacls c:\temp\test /grant:r <DOMAIN>\<USER>:(OI)(CI)F /t

processed file: c:\temp\test
Successfully processed 1 files; Failed processing 0 files

When I look at the permissions afterwards, the <DOMAIN>\<USER> has the correct permissions but all the others remain. I thought /grant:r replaced all the permissions? Do you know what command I need to run to remove all the other permissions?

Mark Allison
  • 2,098
  • 7
  • 26
  • 45
  • This command does exactly what I want `cacls c:\temp\test /t /g \:F` but I've heard that icacls has superseded it, can someone show me the equivalent icacls version to produce the same behaviour? – Mark Allison Feb 25 '14 at 13:45
  • 3
    `/grant:r` only removes existing explicit permissions, not inherited ones from the folder above. You'd need to include `/inheritance:r` as well. – TheCleaner Feb 25 '14 at 14:35
  • 1
    If CACLS does the job then there's no reason you can't use it, whether it's been deprecated or not. – joeqwerty Feb 25 '14 at 15:25
  • @joeqwerty true but it feels so dirty. cacls itself even returns a message to use icacls, so there must be a very good reason. `NOTE: Cacls is now deprecated, please use Icacls.` – Mark Allison Feb 25 '14 at 16:26
  • 2
    @joeqwerty `cacls.exe` can set the ACLs in the wrong order, potentially causing problems (I'll leave this as an exercise for the reader). – Craig Tullis Sep 25 '15 at 07:59

2 Answers

18

As mentioned in the comments, you also have to use the /inheritance:r switch to remove inherited permissions.

/grant:r only removes explicit permissions.

icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /T

To also grant SYSTEM:

icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F /T

krisFR
  • 12,830
  • 3
  • 31
  • 40
9

The parameter /grant:r didn't work for me. I had to use /reset to revert permissions to inheritance only and then remove the inherited permissions. Don't forget to change subdirectories with the /t flag.

Jan Zahradník
  • 547
  • 5
  • 14
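
The two answers above describe the same end state reached two ways: cut inheritance and replace the explicit ACEs in one icacls call, or /reset the tree first and then do the same. The following PowerShell script is an added example, not code from the question or either answer, that wraps both sequences and then walks the tree with Get-Acl to confirm that no principal other than SYSTEM and the chosen account holds an ACE anywhere under the folder. It assumes the folder exists, that `DOMAIN\USER` is a placeholder you replace with a real account, and that it runs elevated so icacls is allowed to rewrite the ACLs.

```powershell
# Added example; not from the question or the answers.
# Assumptions: $Folder exists, $User is a placeholder account name,
# and the session is elevated.
param(
    [string]$Folder = 'C:\temp\test',
    [string]$User   = 'DOMAIN\USER'   # placeholder, replace before running
)

function Invoke-Icacls {
    # Thin wrapper so a non-zero icacls exit code stops the script instead
    # of leaving a half-rewritten tree unnoticed.
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Set-ExclusiveAccess {
    # First answer: /inheritance:r drops inherited ACEs, /grant:r replaces the
    # explicit ACEs for the named principals, /T applies this to every object
    # in the tree. Without /inheritance:r the inherited BUILTIN\* entries stay.
    param([string]$Path, [string]$Account)
    Invoke-Icacls @($Path, '/inheritance:r',
                    '/grant:r', "${Account}:(OI)(CI)F",
                    '/grant:r', 'SYSTEM:(OI)(CI)F',
                    '/T')
}

function Reset-ThenRestrict {
    # Second answer: /reset first returns every object to inheritance only, so
    # stray explicit ACEs deep in the tree are gone before inheritance is cut.
    param([string]$Path, [string]$Account)
    Invoke-Icacls @($Path, '/reset', '/T')
    Set-ExclusiveAccess -Path $Path -Account $Account
}

function Get-UnexpectedAce {
    # Returns every ACE in the tree whose principal is not SYSTEM or $Account.
    # An empty result is the pass condition; anything returned is a leftover.
    param([string]$Path, [string]$Account)
    $allowed = @('NT AUTHORITY\SYSTEM', $Account)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($allowed -notcontains $ace.IdentityReference.Value) {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Use Reset-ThenRestrict instead if the tree has accumulated explicit ACEs
# below the top folder that you also want gone.
Set-ExclusiveAccess -Path $Folder -Account $User

$leftovers = @(Get-UnexpectedAce -Path $Folder -Account $User)
if ($leftovers.Count -eq 0) {
    Write-Host "OK: only SYSTEM and $User hold ACEs under $Folder"
} else {
    $leftovers | Format-Table Path, Identity, Rights, Inherited -AutoSize
    throw "Unexpected ACEs remain under $Folder"
}
```

The verification step is the part worth keeping around: icacls reports "Successfully processed" even when the result is not what you expected, as the question shows, so check the resulting ACEs rather than the exit status. Note that after either sequence BUILTIN\Administrators no longer has an ACE on the tree; the object owner can still take control through the ownership right, but an administrator who is not the owner has to take ownership first.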