Regardless of Windows language, how can I make the ICACLS command set a folder to have full access to everyone?

9

3

Background

Say I have this command

icacls C:\FullyAccessibleFolder /grant Users:(OI)(CI)F

This works fine in English versions of Windows, but does not seem to work in French versions, giving the following error, presumably due to Users being different in French. Everyone gets translated as Tout le monde in Windows, so that's not a solution either.

Users: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.

Which Google translates as

Users: The mapping between account names and security IDs was not performed.

Question

Is there a command I can use to set a folder and recursively all of its contents to have full permissions for all users in a way that would work across different language versions of Windows?

Content from around the web

This page with a largely similar problem talks about how Everyone becomes Jeder in German and Tout le monde in French.

Geesh_SO

Posted 2017-02-08T13:56:30.943

Reputation: 383

2 Just use the SID: icacls C:\FullyAccessibleFolder /grant S-1-5-32-545:(OI)(CI)F Works everywhere. – Ben – 2017-02-08T19:27:13.713

2 @Ben, that should be icacls C:\folder /grant *S-1-5-32-545:(OI)(CI)F, you left out the asterisk. – Harry Johnston – 2017-02-08T22:38:32.267

Answers

10

Does not work in French versions, presumably due to Users being different

You have three options, detailed below:

  1. Use the Language Portal to get the translated name

  2. Retrieve the localised name from the Users SID

  3. Use the Users SID with icacls


Option 1: Use the Language Portal (canonical resource for Microsoft Terminology)

A search for Users returns:

Translations in Localized Microsoft Products

    English Translation         Product
    Users   Utilisateurs        Windows 7
    Users   des utilisateurs    Windows 7
    Users   Utilisateurs        Windows 8 Modern Voice
    Users   Utilisateurs        Windows 8
    Users   Utilisateurs        Windows 8.1
    USERS   UTILISATEURS        Windows 8.1
    Users   Utilisateurs        Windows 10
    Users   des utilisateurs    Windows 10
    Users   Utilisateurs        Windows 10 Anniversary Update
    users   utilisateurs        Windows 10 Anniversary Update

This suggests the following command may work:

icacls C:\FullyAccessibleFolder /grant Utilisateurs:(OI)(CI)F

Option 2: Retrieve the localised name from the Users SID (S-1-5-32-545)

SID: S-1-5-32-545

Name: Users

Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

Source Well-known security identifiers in Windows operating systems

To retrieve the localised Users group name:

This simple script will give you actual name of 'Users' (S-1-5-32-545) group on a given PC:

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set objAccount = objWMIService.Get ("Win32_SID.SID='S-1-5-32-545'")
    Wscript.Echo objAccount.AccountName

Put it into a file with vbs extension (Let's assume usersName.vbs).

Now run:

echo Y|for /f "delims=" %i in ('cscript -Nologo usersName.vbs') do cacls foldername /G "%i":F

Source Cacls, Windows 7, full permissions, local names by wmz


Option 3: Use the Users SID with icacls

Use the following command:

icacls C:\FullyAccessibleFolder /grant *S-1-5-32-545:(OI)(CI)F

Source comment by Harry Johnston

DavidPostill

Posted 2017-02-08T13:56:30.943

Reputation: 118 938

xcacls appears to be a script you can download. There's no need; icacls is built into Windows and can do the same job. – Harry Johnston – 2017-02-08T22:40:52.763

@HarryJohnston Correct, but my answer is showing how to retrieve the localised version of Users ... I've clarified the answer as we don't need the xcacls part of the quoted solution. – DavidPostill – 2017-02-08T22:49:46.033

@HarryJohnston I've also added using icacls directly with credit to you. – DavidPostill – 2017-02-08T22:54:07.657

I've accepted the answer from DavidPostill as it does it in a true command line way, which is great when using batch or PS scripts. In the end I actually created a little executable in C# which just takes a path and does exactly what I need to. It's not as customisable as the answers here, and it requires .NET Framework, but it does suit my particular purpose very well. If anyone is interested, here is the basis of the C# code I ended up going with. http://stackoverflow.com/a/35461832/1639615

– Geesh_SO – 2017-02-08T17:02:59.210
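An added example, not part of the answers above: after granting by SID, the ACL can be read back by SID as well, so the check gives the same result on any display language. The function name `Get-AceBySid` and the choice of SIDs to flag (Everyone, Authenticated Users, Users) are assumptions made for this illustration.

```powershell
# Added example, not code from the original answers.
# Lists every ACE on a path keyed by SID and resolves the localized account name.
function Get-AceBySid {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # includeExplicit = $true, includeInherited = $true, identities returned as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try {
            # Localized name, e.g. BUILTIN\Users or BUILTIN\Utilisateurs
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = '<unresolved>'   # orphaned SID with no matching account
        }
        [pscustomobject]@{
            Sid           = $sid.Value
            LocalizedName = $name
            Type          = $ace.AccessControlType
            Rights        = $ace.FileSystemRights
            Inheritance   = $ace.InheritanceFlags
            Inherited     = $ace.IsInherited
        }
    }
}

# Well-known SIDs chosen for this illustration:
# Everyone, Authenticated Users, BUILTIN\Users
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl

# Report Allow ACEs that give one of those groups Full Control on the folder
Get-AceBySid -Path 'C:\FullyAccessibleFolder' |
    Where-Object { $_.Sid -in $broad -and $_.Type -eq 'Allow' -and $_.Rights.HasFlag($full) } |
    Format-Table Sid, LocalizedName, Rights, Inheritance, Inherited
```

The `LocalizedName` column changes with the Windows language; the `Sid` column does not, which is why the filter matches on it.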

7

You need to specify the AD-group not by its name, but by the SID number.
For standard groups like "EveryOne", "Domain Users", etc. there are standardized SID numbers, which can be found on the MSDN page Well-known security identifiers (SIDs).

The following are the most common relative identifiers.


The structure of a SID is described as follows:

The components of a SID are easier to visualize when SIDs are converted from binary to string format by using standard notation:

S-R-X-Y1-Y2-Yn-1-Yn

    Component    Definition

    S            Indicates that the string is a SID
    R            Revision level
    X            Identifier authority value
    Y            A series of subauthority values, where n is the number of values

For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:

S-1-5-32-544

This SID has four components:

  • A revision level (1)

  • An identifier authority value (5, NT Authority)

  • A domain identifier (32, Builtin)

  • A relative identifier (544, Administrators)

How Security Identifiers Work

Tonny

Posted 2017-02-08T13:56:30.943

Reputation: 19 919

It is worth pointing out that all users are part of the User group by default. So if you want to give "full access" to all user accounts, just use SID S-1-5-32-544, and then modify the ACL to give all permissions to the group for the file or folder in question – Ramhound – 2017-02-08T15:13:13.990

@Ramhound 544 is Administrators, 545 is Users. – DavidPostill – 2017-02-08T15:32:08.053

@DavidPostill - Yes; Copy and paste error. – Ramhound – 2017-02-08T15:34:10.180

@Ramhound Much better. It was the best I could do while being on a phone. Thanks for the edit. – Tonny – 2017-02-08T17:08:02.223
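An added example, not part of the answer above: the binary-to-string conversion behind the S-R-X-Y notation, written out by hand and cross-checked against .NET. The function name `ConvertFrom-BinarySid` is hypothetical, and the sample bytes are constructed here as the binary form of S-1-5-32-545.

```powershell
# Added example, not code from the original answer.
# Binary SID layout: 1 byte revision, 1 byte subauthority count,
# 6 bytes identifier authority (big-endian), then count * 4 bytes (little-endian).
function ConvertFrom-BinarySid {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 8) { throw 'A binary SID is at least 8 bytes long.' }
    $revision = $Bytes[0]
    $count    = $Bytes[1]
    if ($Bytes.Length -ne 8 + 4 * $count) {
        throw 'Length does not match the subauthority count.'
    }

    # X: identifier authority, 48-bit big-endian value
    [uint64]$authority = 0
    foreach ($b in $Bytes[2..7]) { $authority = $authority * 256 + $b }

    # Y1..Yn: subauthorities; BitConverter reads them in host byte order,
    # which is little-endian on Windows
    $sub = @(for ($i = 0; $i -lt $count; $i++) {
        [System.BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    })

    [pscustomobject]@{
        Revision       = $revision
        Authority      = $authority
        SubAuthorities = $sub
        String         = (@('S', $revision, $authority) + $sub) -join '-'
    }
}

# Constructed sample: revision 1, two subauthorities, authority 5, then 32 and 545
$sample = [byte[]](0x01, 0x02, 0, 0, 0, 0, 0, 0x05, 0x20, 0, 0, 0, 0x21, 0x02, 0, 0)
$parsed = ConvertFrom-BinarySid -Bytes $sample
$parsed.String

# Cross-check with the framework's own parser
$dotnet = New-Object System.Security.Principal.SecurityIdentifier ($sample, 0)
$parsed.String -eq $dotnet.Value
```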

3

If you like PowerShell scripts but have trouble remembering numbers for SIDs:

$acl = Get-Acl .\myfolder
$sid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($sid, 'FullControl', 'ObjectInherit,ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl .\myfolder $acl

I know that looks like a ton of typing, but these long identifiers are tab-completed:

  • System.Security.Principal.SecurityIdentifier from securityi
  • System.Security.Principal.WellKnownSidType from wellknownsi
  • System.Security.AccessControl.FileSystemAccessRule from filesystem

All these strings are .NET identifiers, so they don't get localized.

If you want the Everyone SID instead, use WorldSid in place of BuiltinUsersSid. To get the list of all WellKnownSidType options, see MSDN or run this command:

[System.Security.Principal.WellKnownSidType].DeclaredFields | select Name

Ben N

Posted 2017-02-08T13:56:30.943

Reputation: 32 973

FileSystemAccessRule without *Sid* and using group names ? – Kiquenet – 2018-06-12T21:00:59.340

@Kiquenet I'm not entirely sure what you're asking, but if you prefer to specify a human-readable group name, that will no longer be language-independent. If you're OK with that, you can remove the $sid = line and replace $sid in the $rule = line with a string identifying the group. – Ben N – 2018-06-12T21:09:54.917