Why can't I remove a group with icacls from a file after revoking read access?
You're using the wrong switch. You need to use `/remove:d`:

    icacls b /remove:d "Users"

When the group's entry is a deny ACE, there are no granted rights for the `/remove:g` switch to remove.

Alternately, to remove any permissions assigned to the group, whether they are grant or deny, use:

    icacls b /remove "Users"
Summary

- `/remove:g` removes rights that are (G)ranted
- `/remove:d` removes rights that are (D)enied
- `/remove` removes all rights
More information about Icacls switches can be found on TechNet.
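As an added worked example (not part of the original answer), this PowerShell script reproduces the denied-ACE state from the question, shows that `/remove:g` leaves it in place, and then clears it with `/remove:d` while verifying through `Get-Acl` that no ACE for Users remains, so the "grant full control first" workaround and its brief full-access window are never needed. It assumes an elevated session and that `C:\temp\a.txt` (a hypothetical path) exists.

```powershell
# Added example, not from the original post. Assumed paths; run from an elevated session.
$src = 'C:\temp\a.txt'
$dst = 'C:\temp\b.txt'
Copy-Item -Path $src -Destination $dst -Force

# Stop inheriting so the file carries only the explicit ACEs we set here.
icacls $dst /inheritance:d | Out-Null
# Add a DENY read ACE for the Users group (the state the question describes).
icacls $dst /deny 'Users:r' | Out-Null

function Get-UsersAces([string]$Path) {
    # Returns the explicit (non-inherited) ACEs for BUILTIN\Users on $Path.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq 'BUILTIN\Users' }
}

# /remove:g only targets (G)ranted ACEs, so the DENY ACE survives this call.
icacls $dst /remove:g 'Users' | Out-Null
$afterG = @(Get-UsersAces $dst)
"After /remove:g : {0} ACE(s) for Users, type(s): {1}" -f $afterG.Count, (($afterG | ForEach-Object AccessControlType) -join ',')

# /remove:d targets the (D)enied ACE; no transient full-control grant is required.
# (/remove 'Users' without a suffix would clear both grant and deny ACEs.)
icacls $dst /remove:d 'Users' | Out-Null
$afterD = @(Get-UsersAces $dst)
"After /remove:d : {0} ACE(s) for Users" -f $afterD.Count

# Fail loudly if anything for Users is still on the file.
if ($afterD.Count -ne 0) { throw "Users ACE still present on $dst" }
```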
Zhro
Updated on September 18, 2022

Comments
Zhro over 1 year

Why can't I remove a group from a file if it is being denied read permission, even though I have read permission from my account, am part of the Administrators group, and I'm running icacls from an elevated command prompt?

This will remove the "Users" group just fine:

    copy a b
    icacls b /inheritance:d
    icacls b /remove:g "Users"

Result: The file no longer has the "Users" group.

But if I remove read access then the group cannot be removed by icacls:

    copy a b
    icacls b /inheritance:d
    icacls b /deny "Users":r
    icacls b /remove:g "Users"

Result: The file still has the "Users" group.

To work around this I have to grant a group "full" permission first and then use `/remove` to guarantee that the group will be removed. But this feels like a vulnerability, as a particular group will, briefly, have full access.
AlwaysLearning almost 6 years

I had to use `/remove BUILTIN\Users` on my server. Don't know why `BUILTIN` was required on a remove; it works just fine on grants.