File Permissions


File Permissions iCACLS Copy Export Modify

File permissions can be managed in CMD with the iCACLS tool.

Get file/folder permissions:

  • icacls <path>

Grant Modify permission:

  • icacls <path> /grant <user>:M

Details of permissions:

iCACLS inheritance settings:

(OI)  —  object inherit; (CI)  —  container inherit; (IO)  —  inherit only; (NP)  —  don’t propagate inherit; (I)  — permission inherited from the parent container.

List of basic access permissions:

D  —  delete access; F  —  full access; N  —  no access; M  —  modify access; RX  —  read and execute access; R  —  read-only access; W  —  write-only access.

Save permissions to a file so they can be applied to other files:

  • icacls <path> /save <aclfile> /t

Restore or copy saved permissions from a file:

  • icacls <path> /restore <aclfile>

File Permissions Powershell Get-Acl Set-Acl

Permissions can be managed in PowerShell with the Get-Acl cmdlet:

  • Get-Acl -Path <path>

Copy permissions from one file to another:

  • $acl = Get-Acl -Path <source-path>
  • $acl | Set-Acl -Path <target-path>

If you need to add permissions but don't have an existing ACL to copy from, you can create an object containing the permissions:

  • New-Object System.Security.AccessControl.FileSystemAccessRule('IdentityReference\String', 'FileSystemRights', 'InheritanceFlags', 'PropagationFlags', 'AccessControlType')

Details on the options:

  • IdentityReference\String — user or group name (use the following principal format: domain\user)
  • FileSystemRights — permission (for example, Read, Write, etc.)
  • InheritanceFlags and PropagationFlags – these flags determine permission inheritance settings from the parent folder (more details about ACL propagation are described in the Microsoft documentation https://docs.microsoft.com/en-us/previous-versions/ms229747(v=vs.110)?redirectedfrom=MSDN)
  • AccessControlType — allow or deny access to an object (Allow/Deny)

Example:

Get the current NTFS permissions:

$current_acl = Get-Acl -Path "C:\Docs"

Create an object with the new NTFS permissions:

$new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('domain\user', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

Add the new permissions to the current ACL:

$current_acl.AddAccessRule($new_acl)

Apply the ACL to the folder:

Set-Acl -Path "C:\Docs" -AclObject $current_acl
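
The inheritance codes in the iCACLS section map onto the IsInherited, InheritanceFlags and PropagationFlags properties of the rules that Get-Acl returns. The following is an added example, not code from the original page, that prints each rule in that notation so a change made with Set-Acl can be checked the same way as icacls output. ConvertTo-IcaclsNotation is a hypothetical helper name, and the scratch folder and the use of the BUILTIN\Users SID (S-1-5-32-545) are constructed for the demo.

```powershell
# Added example: show each rule from Get-Acl in icacls notation.
# ConvertTo-IcaclsNotation is a hypothetical helper, not a built-in cmdlet.
function ConvertTo-IcaclsNotation {
    param([Parameter(Mandatory)]
          [System.Security.AccessControl.FileSystemAccessRule]$Rule)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]
    $propagate = [System.Security.AccessControl.PropagationFlags]
    $rights    = [System.Security.AccessControl.FileSystemRights]

    # Inheritance codes, in the order icacls prints them.
    $flags = ''
    if ($Rule.IsInherited)                                           { $flags += '(I)'  }
    if ($Rule.InheritanceFlags -band $inherit::ObjectInherit)        { $flags += '(OI)' }
    if ($Rule.InheritanceFlags -band $inherit::ContainerInherit)     { $flags += '(CI)' }
    if ($Rule.PropagationFlags -band $propagate::InheritOnly)        { $flags += '(IO)' }
    if ($Rule.PropagationFlags -band $propagate::NoPropagateInherit) { $flags += '(NP)' }

    # Allow rules typically carry the Synchronize bit as well, so ignore it
    # when matching against the basic permission names.
    $sync  = [int]$rights::Synchronize
    $codes = [ordered]@{ FullControl = 'F'; Modify = 'M'; ReadAndExecute = 'RX'
                         Read = 'R'; Write = 'W'; Delete = 'D' }
    $code  = $Rule.FileSystemRights.ToString()   # fallback: the .NET rights name
    foreach ($name in $codes.Keys) {
        $known = [int][Enum]::Parse($rights, $name)
        if (([int]$Rule.FileSystemRights -bor $sync) -eq ($known -bor $sync)) {
            $code = $codes[$name]; break
        }
    }
    '{0}({1})' -f $flags, $code
}

# Constructed demo: a scratch folder under TEMP that receives the same kind of
# rule as the example above (Read, inherited by files and subfolders).
$dir = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$users    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$ruleArgs = $users, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl = Get-Acl -Path $dir
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

(Get-Acl -Path $dir).Access | ForEach-Object {
    [pscustomobject]@{ Identity = $_.IdentityReference; Type = $_.AccessControlType
                       Icacls   = ConvertTo-IcaclsNotation -Rule $_ }
} | Format-Table -AutoSize
Remove-Item -Path $dir -Recurse
```

Rules whose rights do not match one of the basic permissions are shown with their .NET FileSystemRights name instead of a one-letter code.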