How to replace permissions and everything inside with icacls on Windows Server 2012?
Solution 1
As mentioned in comments, you also have to use the /inheritance:r switch to remove inherited permissions. /grant:r only removes explicit permissions.
icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /T
To also grant SYSTEM:
icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F /T
Solution 2
The parameter /grant:r didn't work for me. I had to use /reset to revert permissions to inheritance only and then remove the inherited permissions. Don't forget to change subdirectories with the /t flag.
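Solutions 1 and 2 combined into one procedure with a verification pass, as an added example that is not part of the original answers. The function name Set-ExclusiveAcl, its parameters and the 'DOMAIN\USER' value are hypothetical placeholders; it assumes PowerShell 3.0 or later.

```powershell
# Added example: apply the reset-then-grant sequence, then audit the result.
# Set-ExclusiveAcl and its parameter names are hypothetical, not from the page.
function Set-ExclusiveAcl {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. C:\temp\test
        [Parameter(Mandatory)][string]$User    # e.g. 'DOMAIN\USER' (placeholder)
    )

    # Step 1 (Solution 2): drop explicit ACEs, leaving only inherited ones.
    icacls $Path /reset /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed on $Path" }

    # Step 2 (Solution 1): cut inheritance and grant only the two principals.
    # ${User} is braced so PowerShell does not read "$User:" as a scoped variable.
    icacls $Path /inheritance:r /grant:r "${User}:(OI)(CI)F" /grant:r 'SYSTEM:(OI)(CI)F' /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant:r failed on $Path" }

    # Compare by SID so the check does not depend on localized account names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allowed = @(
        ([System.Security.Principal.NTAccount]$User).Translate($sidType).Value
        'S-1-5-18'                             # well-known SID of NT AUTHORITY\SYSTEM
    )

    # Audit the root and every child: emit inherited ACEs and unexpected principals.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IsInherited -or $allowed -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# No output means only the user and SYSTEM hold access anywhere under the folder.
Set-ExclusiveAcl -Path 'C:\temp\test' -User 'DOMAIN\USER'
```

Because the BUILTIN\Administrators entry is removed, run this as an account that keeps access (the granted user); otherwise the audit pass can fail with access denied.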
Mark Allison
Updated on September 18, 2022
Comments
Mark Allison almost 2 years
Using Windows Server 2012 R2 AND Windows Server 2008 R2.
I have a folder called C:\temp\test and I want to grant access to SYSTEM and a user and all files and subdirectories, and remove everything else. I've tried this command but all the existing permissions remain.
Existing permissions are:
Access : NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         BUILTIN\Users Allow ReadAndExecute, Synchronize
         BUILTIN\Users Allow AppendData
         BUILTIN\Users Allow CreateFiles
         CREATOR OWNER Allow 268435456
I want to remove all ACLs except SYSTEM, and add <DOMAIN>\<USER>.
I tried this command:
icacls c:\temp\test /grant:r <DOMAIN>\<USER>:(OI)(CI)F /t
processed file: c:\temp\test
Successfully processed 1 files; Failed processing 0 files
When I look at the permissions afterwards, the <DOMAIN>\<USER> has the correct permissions but all the others remain. I thought /grant:r replaced all the permissions? Do you know what command I need to run to remove all the other permissions?
Mark Allison over 10 years
This command does exactly what I want
cacls c:\temp\test /t /g <DOMAIN>\<USER>:F
but I've heard that icacls has superseded it, can someone show me the equivalent icacls version to produce the same behaviour?
kralyk over 10 years
/grant:r only removes existing explicit permissions, not inherited ones from the folder above. You'd need to include /inheritance:r as well.
joeqwerty over 10 years
If CACLS does the job then there's no reason you can't use it, whether it's been deprecated or not.
Mark Allison over 10 years
@joeqwerty true but it feels so dirty. cacls itself even returns a message to use icacls, so there must be a very good reason.
NOTE: Cacls is now deprecated, please use Icacls.
Craig Tullis almost 9 years
@joeqwerty cacls.exe can set the ACLs in the wrong order, potentially causing problems (I'll leave this as an exercise for the reader).
Dan almost 3 years
Agreed. Had to do reset alone, then do steps by @krisFR.