iCACLS Vista Command Prompt Tool to Manage ACLs

Prior to Windows Vista, CACLS (Change Access Control Lists) is used to manage to complicated NTFS permissions, complement the Folder Options’ Security tab which offers an easy way to make minor permissions tweaks. In Windows Vista, CACLS which has drawback of difficult to use to set inherited permissions on a folder is been deprecated and been replaced with iCACLS. iCACLS expands the capabilities of CACLS to be able to display, modify, backup or restore contents of discretionary ACLs for files and directories. iCACLS command line utility also able to show and set mandatory labels of an object for interaction with WIC (Windows Integrity Control) which most noticeable in the Internet Explorer Protected Mode which automatically Low integrity to Internet objects to protect the operating system from malicious web content in Internet Explorer.

iCACLS syntaxes, parameters or switches list

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
store the the acls for the all matching names into aclfile for later use with /restore.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]
applies the stored acls to files in directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
finds all matching names that contain an ACL explicitly mentioning Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]
finds all files whose ACL is not in canonical for or whose lengths are inconsistent with ACE counts.

ICACLS name /reset [/T] [/C] [/L] [/Q]
replaces acls with default inherited acls for all matching files

ICACLS name [/grant[:r] Sid:perm[...]]
[/deny Sid:perm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
[/setintegritylevel Level:policy[...]]

/grant[:r] Sid:perm grants the specified user access rights. With :r, the permissions replace any previouly granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.

/deny Sid:perm explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.

/remove[:[g|d]] Sid removes all occurrences of Sid in the acl. With :g, it removes all occurrences of granted rights to that Sid. With :d, it removes all occurrences of denied rights to that Sid.

/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to all matching files. The level is to be specified as one of:
L[ow]
M[edium]
H[igh]
Inheritance options for the integrity ACE may precede the level and are applied only to directories.

Note:
Sids may be in either numerical or friendly name form. If a numerical form is given, affix a * to the start of the SID.

/T indicates that this operation is performed on all matching files/directories below the directories specified in the name.

/C indicates that this operation will continue on all file errors. Error messages will still be displayed.

/L indicates that this operation is performed on a symbolic link itself versus its target.

/Q indicates that icacls should supress success messages.

ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants

perm is a permission mask and can be specified in one of two forms:

a sequence of simple rights:
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access

a comma-separated list in parenthesis of specific rights:
D – delete
RC – read control
WDAC – write DAC
WO – write owner
S – synchronize
AS – access system security
MA – maximum allowed
GR – generic read
GW – generic write
GE – generic execute
GA – generic all
RD – read data/list directory
WD – write data/add file
AD – append data/add subdirectory
REA – read extended attributes
WEA – write extended attributes
X – execute/traverse
DC – delete child
RA – read attributes
WA – write attributes

inheritance rights may precede either form and are applied only to directories:
(OI) – object inherit
(CI) – container inherit
(IO) – inherit only
(NP) – don’t propagate inherit

Examples:

icacls c:\windows\* /save AclFile /T
– Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
– Will restore the Acls for every file within AclFile that exists in c:\windows and its subdirectories

icacls file /grant Administrator:(D,WDAC)
– Will grant the user Administrator Delete and Write DAC permissions to file

icacls file /grant *S-1-1-0:(D,WDAC)
– Will grant the user defined by sid S-1-1-0 Delete and Write DAC permissions to file

icacls c:\windows\explorer.exe
– View the discretionary access list and integrity level

icacls file /setintegritylevel H
– Modify mandatory integrity level of an object to High

Related Articles

• How to Disable or Enable Vista User Access Control in Command Prompt
• How to Open Elevated Command Prompt with Administrator Privileges in Windows Vista
• Run Command Prompt Window as Administrator by Right Click Computer in Vista
• Open Elevated Command Prompt Window Here as Administrator at Current Folder Directly in Vista Windows Explorer
• Create and Put an Elevated Command Prompt on Windows Vista Desktop or Start Menu
• How to Fully Maximize Command Prompt Window in Vista
• Reveal and Access to Windows Vista Hidden Context-Sensitive (Right Click) Menu Item – Open Command Prompt Here & Copy as Path
• Comprehensive List of Command Prompt Keyboard Accelerators (Shortcut Keys)
• List of Windows and DOS Command Prompt Environment Variables
• Delete Browsing History for IE7 By Using Command Prompt

This entry was posted on Monday, April 30th, 2007 at 4:18 pm and is filed under Windows Vista. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.