2

I am trying to use icacls to set permissions for a domain group, but for some reason it is not working.

icacls "C:\Temp\ACL" /T /C /grant ("Everyone"+':F') ("System"+':F') ("Administrators"+':F') ("DOMAIN\groupname"+':C') >> C:\temp\c.log

I am trying to run it with Powershell, but I get the following error:

Invalid parameter "DOMAIN\groupname:C"

I have tried multiple solutions, and it works without ("DOMAIN\groupname"+':C').

ChaChaPoly

2 Answers

2

I had an old script that did this... your code looked correct, very similar to mine. However I was granting Full control, and you were granting Change. Other CLI tools like SUBINACL, CACLS have used "C" for Change, but it would seem ICACLS decided to use "M" for Modify.

If you change ("DOMAIN\groupname"+':C') to ("DOMAIN\groupname"+':M') you'll have better luck.

From the ICACLS usage output:

perm is a permission mask and can be specified in one of two forms:
    a sequence of simple rights:
            N - no access
            F - full access
            M - modify access
            RX - read and execute access
            R - read-only access
            W - write-only access
            D - delete access
Clayton
2

As Clayton pointed out, the access control would be M rather than C. I would also note in addition that most of the extra characters you are inserting on the command line aren't necessary. PowerShell is pretty good at parsing the command line without so much "help." This should work as expected:

icacls C:\Temp\ACL /T /C /grant Everyone:F System:F Administrators:F DOMAIN\GroupName:M

You only need to include the quotes if something contains a space in it (this is the same as if you were typing the command at the cmd.exe prompt). Sometimes you have to change things a bit, but mostly it will "just work."

For additional information, see this article:

IT Pro Today - Running Executables in PowerShell

Bill_Stewart
  • I'd add to this that even if you did need the quotes I'd probably pass it into invoke-cmd rather than stitch it together in the command – Matt Mar 29 '18 at 03:20
  • `Invoke-Command` is usually unnecessary. – Bill_Stewart Mar 29 '18 at 14:08
  • For sure, it's for neatness/styling rather than functionality, and can occasionally even iron out these issues. – Matt Mar 29 '18 at 21:40
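An added example (not from the question or either answer) that applies the second answer's advice: the icacls arguments are passed as a plain array so PowerShell quotes only what needs quoting, the exit code is checked, and the resulting ACL is read back with Get-Acl to confirm the group actually received Modify. `DOMAIN\GroupName`, the folder and the log path are placeholders taken from the question, not real values.

```powershell
# Assumptions: run in an elevated PowerShell on a domain-joined host;
# C:\Temp\ACL exists and DOMAIN\GroupName is a placeholder for a real group.
$Path  = 'C:\Temp\ACL'
$Group = 'DOMAIN\GroupName'   # placeholder, replace with the real group

# One entry per principal. icacls uses M (Modify) where cacls/subinacl used C (Change).
$grants = @(
    'Everyone:F',
    'System:F',
    'Administrators:F',
    "${Group}:M"
)

# Hand the arguments over as an array; no string concatenation or extra
# quotes are needed unless an element contains whitespace.
$icaclsArgs = @($Path, '/T', '/C', '/grant') + $grants
& icacls.exe @icaclsArgs | Out-File -FilePath 'C:\Temp\c.log' -Append
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE; see C:\Temp\c.log"
}

# Verify rather than trust: the group must now hold an Allow ACE whose
# rights include every bit of Modify (FullControl would also satisfy this).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -Path $Path
$aces   = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
})
if ($aces.Count -eq 0) {
    throw "No Allow ACE found for $Group on $Path"
}
$hasModify = @($aces | Where-Object { ($_.FileSystemRights -band $modify) -eq $modify })
if ($hasModify.Count -eq 0) {
    throw "$Group is present on $Path but does not hold Modify"
}
"OK: $Group holds Modify on $Path"
```

Because `/T` applies the grant to every file and subfolder, the Get-Acl check above only inspects the top-level folder; run it against a child path as well if you need to confirm propagation.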