Icacls: A command to add/modify Access Control List, this command can save ACL of file/directories to single file and later on can be restore from the saved file, below are some switches or command line arguments to use the functionaly of the command.


/T indicates that this operation is performed on all matching files/directories under the specified directory.

/C continue the operation on all file, error messages will still be displayed.

/L operation is performed on a symbolic link itself versus its target.

/Q indicates that icacls should supress success messages.

ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants

perm is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
N – no access
F – full access
M – modify access
RX – read and execute access
R – read-only access
W – write-only access
D – delete access
a comma-separated list in parentheses of specific rights:
DE – delete
RC – read control
WDAC – write DAC
WO – write owner
S – synchronize
AS – access system security
MA – maximum allowed
GR – generic read
GW – generic write
GE – generic execute
GA – generic all
RD – read data/list directory
WD – write data/add file
AD – append data/add subdirectory
REA – read extended attributes
WEA – write extended attributes
X – execute/traverse
DC – delete child
RA – read attributes
WA – write attributes
inheritance rights may precede either form and are applied
only to directories:
(OI) – object inherit
(CI) – container inherit
(IO) – inherit only
(NP) – don’t propagate inherit
(I) – permission inherited from parent container


icacls c:\windows\* /save AclFile /T
This command Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
This command Will restore the Acls for every file listed in AclFile

icacls file /grant Administrator: (D,WDAC)
This command Will grant the user Administrator Delete and Write DAC permissions to file.

icacls file /grant *S-1-1-0: (D,WDAC)
This command Will grant the user defined by sid S-1-1-0 Delete and Write DAC permissions to file.

Leave a Reply