Icacls: a command to add or modify Access Control Lists. It can also save the ACLs of files and directories to a single file and later restore them from that saved file. Below are some of the switches and command-line arguments used to drive the command's functionality.
Switches:
/T indicates that this operation is performed on all matching files/directories under the specified directory.
/C continue the operation on all files despite errors; error messages will still be displayed.
/L operation is performed on a symbolic link itself rather than its target.
/Q indicates that icacls should suppress success messages.
ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants
perm is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
N – no access
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
D – delete access
a comma-separated list in parentheses of specific rights:
DE – delete
RC – read control
WDAC – write DAC
WO – write owner
S – synchronize
AS – access system security
MA – maximum allowed
GR – generic read
GW – generic write
GE – generic execute
GA – generic all
RD – read data/list directory
WD – write data/add file
AD – append data/add subdirectory
REA – read extended attributes
WEA – write extended attributes
X – execute/traverse
DC – delete child
RA – read attributes
WA – write attributes
inheritance rights may precede either form and are applied only to directories:
(OI) – object inherit
(CI) – container inherit
(IO) – inherit only
(NP) – don’t propagate inherit
(I) – permission inherited from parent container
Examples:
icacls c:\windows\* /save AclFile /T
This command will save the ACLs for all files under c:\windows and its subdirectories to AclFile.
icacls c:\windows\ /restore AclFile
This command will restore the ACLs for every file listed in AclFile.
icacls file /grant Administrator:(D,WDAC)
This command will grant the user Administrator Delete and Write DAC permissions to file.
icacls file /grant *S-1-1-0:(D,WDAC)
This command will grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to file.
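An added example, not part of the original page, that puts the switches above together in PowerShell: back up a directory tree's ACLs with /save, grant a group read-only access using the inheritance flags and the specific-rights form, verify the resulting ACE, and fall back to /restore if the change did not apply. The directory C:\AppData\Logs and the group CONTOSO\LogReaders are assumed names.

```powershell
# Added example, not from the original page. Assumed names: the directory
# C:\AppData\Logs exists and CONTOSO\LogReaders is a valid group.
$Target  = 'C:\AppData\Logs'
$Account = 'CONTOSO\LogReaders'
$Backup  = Join-Path $env:TEMP 'Logs-acl-backup.txt'

# 1. Save the ACLs of every file and subdirectory (/T) before changing anything.
#    /C keeps going past per-file errors; /Q drops the per-file success lines.
icacls "$Target\*" /save $Backup /T /C /Q
if ($LASTEXITCODE -ne 0) { throw "ACL backup to $Backup failed; aborting" }

# 2. Grant read-only access using the specific-rights form rather than a broad
#    simple mask. (OI)(CI) makes the ACE inherit to new files and
#    subdirectories; RD,REA,RA,RC,S is read data, read extended attributes,
#    read attributes, read control and synchronize, with no write, delete
#    or execute bits.
icacls $Target /grant "${Account}:(OI)(CI)(RD,REA,RA,RC,S)"
if ($LASTEXITCODE -ne 0) { throw "/grant on $Target failed" }

# 3. Verify: icacls prints one line per ACE; pick out the one for the group.
#    Those five rights equal the simple R mask, so icacls shows them as (R).
$ace = icacls $Target | Select-String -SimpleMatch $Account
if (-not $ace) {
    # 4. Roll back. /restore takes the directory the saved paths are relative
    #    to, so it is run against the directory itself, not "$Target\*".
    icacls "$Target\" /restore $Backup
    throw "No ACE for $Account found; ACLs restored from $Backup"
}
"Applied: $(@($ace)[0].Line.Trim())"
```

Keep the saved file until the change has been reviewed; it is the only record of the pre-change ACLs and is what /restore replays.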