How To Check File Permissions In Windows Cmd
One of the typical tasks for a Windows administrator is to manage NTFS permissions on folders and files on the file system. To manage NTFS permissions, you can use the File Explorer graphical interface (go to the Security tab in the properties of a folder or file) or the built-in iCACLS command-line tool. In this article, we'll look at examples of using the iCACLS command to view and manage folder and file permissions on Windows.
Each file or folder on the file system has a special SD (Security Descriptor). Each security descriptor contains two access control lists:
- System Access-Control List (SACL) — managed by Windows and used to provide auditing of file system object access;
- Discretionary Access-Control List (DACL) — contains an ACL (Access Control List) that defines access permissions of an object.
The ACL consists of many entries with three fields:
- SID of the user or group to which the access rule applies;
- Access type — read, write, execute, etc.;
- ACE type — Allow or Deny.
How to View File and Folder Permissions Using the iCACLS Command?
The iCACLS command allows displaying or changing Access Control Lists (ACLs) for files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (which was used in Windows XP).
The complete syntax of the icacls tool and some useful usage examples can be displayed using the command:
icacls.exe /?
To list current NTFS permissions on a specific folder (for instance, C:\PS), open a Command prompt and run the command:
icacls c:\PS
This command will return a list of all users and groups who are assigned permissions to this directory. Let's try to understand the syntax of the permissions list returned by the iCACLS command:
c:\PS CORP\someusername:(OI)(CI)(M)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
The object access level is specified in front of each group or user. The access permissions are indicated using the abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user:
- (OI) — object inherit;
- (CI) — container inherit;
- (M) — modify access.
This means that this user has the right to write and modify file system objects in this directory. These NTFS permissions are inherited by all child (nested) objects in this directory.
Below is a complete list of permissions that can be set using the icacls utility:
iCACLS inheritance settings:
- (OI) — object inherit;
- (CI) — container inherit;
- (IO) — inherit only;
- (NP) — don't propagate inherit;
- (I) — permission inherited from the parent container.
List of basic access permissions:
- D — delete access;
- F — full access;
- N — no access;
- M — modify access;
- RX — read and execute access;
- R — read-only access;
- W — write-only access.
Detailed permissions:
- DE — delete;
- RC — read control;
- WDAC — write DAC;
- WO — write owner;
- S — synchronize;
- AS — access system security;
- MA — the maximum allowed permissions;
- GR — generic read;
- GW — generic write;
- GE — generic execute;
- GA — generic all;
- RD — read data/list directory;
- WD — write data/add file;
- AD — append data/add subdirectory;
- REA — read extended attributes;
- WEA — write extended attributes;
- X — execute/traverse;
- DC — delete child;
- RA — read attributes;
- WA — write attributes.
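The entry syntax and abbreviations above can be parsed mechanically. The following PowerShell is an added example, not part of the original article: it splits icacls output lines into principal, inheritance flags and rights, then lists allow entries that give a broad group a write-capable right. The sample text, the function name ConvertFrom-IcaclsLine, and the contents of $broad and $writeRights are assumptions made for this illustration.

```powershell
# Constructed sample: the icacls output shown earlier plus one added Everyone entry.
$sample = @'
c:\PS CORP\someusername:(OI)(CI)(M)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(F)
      BUILTIN\Users:(I)(OI)(CI)(RX)
      Everyone:(OI)(CI)(RX,W)
Successfully processed 1 files; Failed processing 0 files
'@ -split "`r?`n"

$inheritFlags = 'OI','CI','IO','NP','I'
# Assumption: rights treated as write-capable (content, DACL or owner changes).
$writeRights  = 'F','M','W','D','WD','AD','DC','GA','GW','WDAC','WO'
# Assumption: principals treated as broad for this audit.
$broad = 'Everyone','BUILTIN\Users','NT AUTHORITY\Authenticated Users'

function ConvertFrom-IcaclsLine {
    param([string]$Line, [string]$Path)
    # Principal is everything before ":(" ; the rest is a run of "(...)" groups.
    if ($Line -notmatch '^\s*(?<who>.+?):(?<aces>(\([^)]+\))+)\s*$') { return }
    $who  = $Matches['who']
    $aces = $Matches['aces']
    # The first output line is prefixed with the object path; strip it.
    if ($who.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
        $who = $who.Substring($Path.Length).Trim()
    }
    # "(RX,W)" holds several rights in one group, so split on commas as well.
    $tokens = @([regex]::Matches($aces, '\(([^)]+)\)') |
        ForEach-Object { $_.Groups[1].Value -split ',' })
    [pscustomobject]@{
        Principal = $who
        Type      = if ($tokens -contains 'DENY') { 'Deny' } else { 'Allow' }
        Inherited = $tokens -contains 'I'
        Flags     = @($tokens | Where-Object { $_ -in $inheritFlags })
        Rights    = @($tokens | Where-Object { $_ -notin $inheritFlags -and $_ -ne 'DENY' })
    }
}

$entries = $sample | ForEach-Object { ConvertFrom-IcaclsLine -Line $_ -Path 'c:\PS' }
$entries | Format-Table Principal, Type, Inherited, Flags, Rights

# Audit: allow ACEs that give a broad principal any write-capable right.
$entries | Where-Object {
    $_.Type -eq 'Allow' -and $_.Principal -in $broad -and
    ($_.Rights | Where-Object { $_ -in $writeRights })
} | ForEach-Object { "REVIEW: $($_.Principal) has $($_.Rights -join ',')" }
```

To audit a real folder, replace $sample with the output of `icacls <path>` and pass the same path as -Path.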
If you need to find all the objects in the specified directory and its subdirectories in which the SID of a specific user or group is specified, use the command:
icacls C:\PS /findsid [User/Group_SID_here] /t /c /l /q
Use iCACLS to Set Folder's or File's Permissions
With the icacls command, you can change the access lists for the folder. To change an object's DACL, the user must have write DAC permission (WRITE_DAC — WDAC). At least one user (the owner of the object) has the permission to modify the DACL.
For example, you want to grant the permissions to modify (M) the contents of the folder C:\PS to the user John. Execute the command:
icacls C:\PS /grant John:M
To grant Full Control permission for the NYUsers domain group and apply all settings to the subfolders:
icacls "C:\PS" /grant domainname\NYUsers:F /Q /C /T
The following command can be used to grant a user read + execute + delete access permissions to the folder:
icacls E:\PS /grant John:(OI)(CI)(RX,D)
In order to grant read + execute + write access, use the command:
icacls E:\PS /grant John:(OI)(CI)(RX,W)
You can use the built-in group names in the icacls command, such as Administrators, Everyone, Users, etc. For example:
icacls C:\PS /grant Everyone:F /T
You can remove all the NTFS permissions assigned to John by using the command:
icacls C:\PS /remove John
Also, you can prevent a user or group of users from accessing a file or folder using an explicit deny, like this:
icacls c:\ps /deny "NYUsers:(CI)(M)"
Keep in mind that deny rules have a higher priority than allow rules.
You can enable or disable inherited permissions on folder/file objects using the /inheritance option of the icacls command.
Three values are available for the inheritance parameter:
- e — enable inheritance;
- d — disable ACE inheritance and copying;
- r — remove all inherited ACEs.
To disable the inheritance permissions on the file system object and copy the current access control list (explicit permissions), run the command:
icacls c:\PS /inheritance:d
To disable inheritance and remove all inherited permissions, run:
icacls c:\PS /inheritance:r
To enable the inherited permissions on a file or folder object:
icacls c:\PS /inheritance:e
If you need to propagate new permission to all files and subfolders of the target folder without using inheritance, use the command:
icacls "C:\PS" /grant:r Everyone:(NP)(RX) /T
In this case, no specific permissions on subfolders will be overwritten.
Also, you can use the environment variable %username% to grant permissions for the currently logged on user:
ICACLS c:\PS /grant %username%:F
In some cases, you may receive the "Access is denied" error when trying to change permissions on a file or folder using the icacls tool. In this case, first make sure you are running a cmd window with elevated rights (run as an administrator). Since icacls is not a UAC-aware tool, you won't see the elevation prompt.
If the error persists, list the current file permissions and make sure your account has the "Change permissions" right on the file.
Hint. You can use the accesschk tool or NTFSSecurity PowerShell module to get effective NTFS permissions on files and folders. You can install the NTFSSecurity module from the PowerShell Gallery:
Install-Module -Name NTFSSecurity
To get effective object permissions for a specific user account, run:
Get-NTFSEffectiveAccess -Path C:\PS\myfile.txt -Account samaccountname
Quite a common problem: after copying directories between two drives, you can lose access permissions to folders on the target drive. In this case, you can reset NTFS permissions with icacls. The following command will reset all explicit and inherited permissions for all folders and files on drive E:
icacls.exe E:\* /reset /T
In Windows versions without long path support, you cannot change the permissions for an object in the tree if the full file path to such an object is longer than 256 characters (with the Destination path too long error). In these cases, instead of using the following icacls command:
ICACLS C:\PS\LongFilePath /Q /C /T /reset
You should use:
ICACLS "\\?\C:\PS\LongFilePath" /Q /C /T /reset
With icacls you can set a high integrity level for a file or folder. Only administrators can access and change files and folders with a high level of integrity.
icacls C:\PS\myfile.txt /setintegritylevel H
Now the following entry will appear in the ACL of the file:
Mandatory Label\High Mandatory Level:(NW)
After that, even if the user has Full Control access permissions to the file, he will not be able to modify it and will receive an Access is denied error.
Changing Ownership Using ICACLS on Windows
Using the icacls command, you can change the owner of a file or folder, for example:
icacls c:\ps\underground.docx /setowner John /T /C /L /Q
- /Q — suppress success messages;
- /L — the command is performed on the symbolic link itself, not on its target;
- /C — the execution of the command will continue despite the file errors. Error messages will still be displayed;
- /T — the command is performed for all files and directories that are located in the specified directory and its subdirectories.
You can change the owner of all the files in the directory:
icacls c:\ps\* /setowner John /T /C /L /Q
Also, with icacls you can reset the current permissions on the file system objects:
ICACLS C:\ps /T /Q /C /RESET
After executing this command, all current permissions on the file object in the specified folder will be reset. They will be replaced with permissions inherited from the parent object.
Note that the icacls command with the /setowner option doesn't allow you to forcibly change the file system object ownership. If you are not the current object owner, use the takeown.exe command to replace the file or folder ownership.
To find all files with non-canonical ACLs or lengths that do not match the number of ACEs, use the /verify parameter.
icacls "c:\exam" /verify /T
Save and Restore NTFS ACLs Using ICACLS
Using the icacls command, you can save the current object's ACL into a text file. Then you can apply the saved permission list to the same or other objects (a kind of way to back up ACLs).
To export the current ACL on the C:\PS folder and save them to the PS_folder_ACLs.txt file, run the command:
icacls C:\PS\* /save c:\temp\PS_folder_ACLs.txt /t
This command saves ACLs not only to the directory itself but also to all subfolders and files. You can open the resulting text file using notepad or any text editor.
To apply saved access ACLs (restore permissions), run the command:
icacls C:\PS /restore c:\temp\PS_folder_ACLs.txt
Thus, the process of transferring ACLs from one folder to another (or between hosts) becomes much easier.
Using ICACLS in PowerShell Script to Change Permissions
If you need to go down the folder structure and change NTFS permissions only on certain types of files, you can use the icacls utility. For example, you need to find all files with the "pass" phrase in the name and the *.docx extension in your shared network folder. Also, you want to grant read access to them for the ITSec domain security group. You can use the following PowerShell script (don't forget to change the folder path):
$files = Get-ChildItem "d:\docs" -Recurse | Where-Object { $_.Extension -eq ".docx" }
foreach ($file in $files) {
    # Match on the file name only, not on the full path
    if ($file.Name -like "*pass*") {
        $path = $file.FullName
        # Quote the grant argument so PowerShell does not evaluate (R) as an expression
        icacls $path /grant "corp\ITSec:(R)"
        Write-Host $path
    }
}
You can use icacls in PowerShell scripts to change NTFS permissions on directories on remote computers:
$folder = "c:\Tools"
$Grant = "/grant:r"
$users = "corp\hepldesk"
$permission = ":(OI)(CI)(F)"
$ace = "${users}${permission}"
$servers = @("server1","server2","server3")
# $using: copies the local variables into each remote session
Invoke-Command -ComputerName $servers -ScriptBlock {
    icacls $using:folder $using:Grant $using:ace /T
}
This script will grant RW permissions to the C:\tools directory for the corp\hepldesk domain security group on three remote servers.
In addition to the icacls tool, you can manage the NTFS permissions of file system objects using PowerShell. To get the current ACL of an object, use the Get-ACL cmdlet. To change NTFS permissions, use Set-ACL.
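The Get-Acl and Set-Acl cmdlets mentioned above work with .NET access rule objects instead of icacls abbreviations. The following is an added example, not part of the original article, that performs the equivalent of an icacls /grant with (OI)(CI)(M) and reads the result back; the scratch folder name and the use of the current user as the grantee are assumptions chosen so it can run without touching real data.

```powershell
# Scratch folder so the example does not touch real data (constructed path).
$path = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null
$account = "$env:USERDOMAIN\$env:USERNAME"   # assumption: grant to the current user

# icacls flag -> .NET enum value:
#   (OI) ObjectInherit, (CI) ContainerInherit   -> InheritanceFlags
#   (IO) InheritOnly,   (NP) NoPropagateInherit -> PropagationFlags
# /inheritance:d corresponds to $acl.SetAccessRuleProtection($true, $true)
# Equivalent of: icacls <path> /grant <account>:(OI)(CI)(M)
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)      # merges with existing ACEs for the account
Set-Acl -Path $path -AclObject $acl

# Read the DACL back; IsInherited corresponds to the (I) marker in icacls output.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
                  InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize

icacls $path    # the same DACL in icacls notation
```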
Source: https://theitbros.com/using-icacls-to-list-folder-permissions-and-manage-files/
Posted by: bessettemorce1984.blogspot.com