How to grant permission to users for a directory using command line in Windows? - windows

How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?

As of Vista, cacls is deprecated. Here's the first couple of help lines:
C:\>cacls
NOTE: Cacls is now deprecated, please use Icacls.
Displays or modifies access control lists (ACLs) of files
You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:
C:\>icacls "D:\test" /grant John:(OI)(CI)F /T
According to MS documentation:
F = Full Control
CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
/T = Apply recursively to existing files and sub-folders. (OI and CI only apply to new files and sub-folders). Credit: comment by #AlexSpence.
For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here

You can also use ICACLS.
To grant the Users group Full Control to a folder:
>icacls "C:\MyFolder" /grant Users:F
To grant Modify permission to IIS users for C:\MyFolder (if you need IIS to be able to read/write files in a specific folder):
>icacls "C:\MyFolder" /grant IIS_IUSRS:M
If you do ICACLS /? you will be able to see all available options.

Open a Command Prompt, then execute this command:
icacls "c:\somelocation\of\path" /q /c /t /grant Users:F
F gives Full Access.
/q /c /t applies the permissions to subfolders.
Note: Sometimes "Run as Administrator" will help.

Use cacls command. See information here.
CACLS files /e /p {USERNAME}:{PERMISSION}
Where,
/p : Set new permission
/e : Edit the permissions and keep the old permissions as they are, i.e. edit the ACL instead of replacing it.
{USERNAME} : Name of user
{PERMISSION} : Permission can be:
R - Read
W - Write
C - Change (write)
F - Full control
For example grant Rocky Full (F) control with following command (type at Windows command prompt):
C:> CACLS files /e /p rocky:f
Read complete help by typing following command:
C:> cacls /?

I tried the way below and it worked for me:
1. open cmd.exe
2. takeown /R /F *.*
3. icacls * /T /grant [username]:(D)
4. del *.* /S /Q
That way the files come under my own ownership and are assigned "Delete" access, and then I can delete the files and folders.

Corrupt Permissions: Regaining access to a folder and its sub-objects
Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:
icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T
For Windows 10 the user/SID must be specified after the /remove:d option:
icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T
Notes:
The command is applied to the specified directory.
Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.
The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.
The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.
The "F" parameter (i.e. the permission created) makes this a grant of FULL control.
The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.
The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently.
ADDENDUM (2019/02/10) -
The Windows 10 command line above was kindly suggested to me today, so here it is. I haven't got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).
The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don't need to specify a user after /remove:d but I might be wrong about that!
ADDENDUM (2019/11/21) -
User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can't test this proposal, but it seems reasonable.
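A way to review what a recursive grant such as Everyone:(OI)(CI)F leaves behind, as an added example that is not part of the original answer. The function name Find-BroadWriteAce, the choice of three broad groups and the scratch folder are assumptions of this example; it matches the well-known SIDs rather than names, for the language-independence reason given in the addendum.

```powershell
# Added example: report allow ACEs that give broad groups write-level access.
# Well-known SIDs are matched instead of names, so the check is language independent.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow changing or deleting data, or rewriting the ACL or owner.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry generic bits instead: GENERIC_ALL, GENERIC_WRITE.
$WriteMask = [int]$WriteRights -bor 0x10000000 -bor 0x40000000

function Find-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ExplicitOnly   # skip ACEs inherited from a parent folder
    )
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        # Request SIDs directly so no name translation is involved.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow')  { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            if (-not $BroadSids.ContainsKey($sid))   { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder that receives the kind of grant shown above.
# In PowerShell the icacls argument is single-quoted so the parentheses stay literal.
$demo = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
icacls $demo /grant '*S-1-1-0:(OI)(CI)F' | Out-Null
Find-BroadWriteAce -Path $demo -ExplicitOnly | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```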

I struggled with this for a while and only combining the answers in this thread worked for me (on Windows 10):
1. Open cmd or PowerShell and go to the folder with files
2. takeown /R /F .
3. icacls * /T /grant dan:F
Good luck!

With an Excel VBA script to provision and create accounts, I needed to grant full-rights permissions to the folder and subfolders that were created by the tool using our administrator's 'x' account to our new user.
cacls looked something like this:
cacls \\FileServer\Users\Username /e /g Domain\Username:C
I needed to migrate this code to Windows 7 and beyond. My solution turned out to be:
icacls \\FileServer\Users\Username /grant:r Domain\Username:(OI)(CI)F /t
/grant:r - Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions
(OI)(CI) - This folder, subfolders, and files.
F - Full Access
/t - Traverse all subfolders to match files/directories.
What this gave me was a folder on this server where the user could only see that folder and created subfolders, and where they could read and write files as well as create new folders.

Just in case there is anyone else that stumbles on this page, if you want to string various permissions together in the one command, I used this:
icacls "c:\TestFolder" /grant:r Test_User:(OI)(CI)(RC,RD,RX)
Note the csv string for the various permissions.

XCACLS.VBS is a very powerful script that will change/edit ACL info. c:\windows\system32\cscript.exe xcacls.vbs help returns all switches and options.
You can get official distribution from Microsoft Support Page

Bulk folder creation and permission granting works for me using the PowerShell script below.
Import-Csv "D:\Scripts\foldernames.csv" | ForEach-Object {
    # foldername is the header of the CSV file
    $username = $_.foldername
    $domain = "example.com"
    $folder = "D:\Users"
    $domainusername = $domain + "\" + $username
    New-Item "$folder\$username" -Type Directory
    Get-Acl "$folder\$username"
    $acl = Get-Acl "$folder\$username"
    # Stop inheriting from D:\Users and discard the inherited entries
    $acl.SetAccessRuleProtection($True, $False)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    # Write the new ACL back to the folder
    Set-Acl "$folder\$username" $acl
}
Note: You have to create the same domain username in the CSV file, otherwise you will get permission issues.

attrib +r +a +s +h <folder name> <file name> to hide
attrib -r -a -s -h <folder name> <file name> to unhide

Excellent point, Călin Darie.
I had a lot of scripts that used cacls; I moved them to icacls.
However, I could not find a script to change the root mount volumes, for example: d:\datafolder. I finally created the script below, which mounts the volume as a temporary drive, then applies security, then unmounts it. It is the only way I found that you can update the root mount security.
It gets the folder mount GUID into a temp file, then reads the GUID to mount the volume as a temp drive X:, applies security and logs the changes, then unmounts the volume only from the X: drive, so the mounted folder is not altered or interrupted other than by the applied security.
Here is a sample of my script:
mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I
D:\tools\security\icacls.exe %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d

I am Administrator and some script placed "Deny" permission on my name on all files and subfolders in a directory. Executing the icacls "D:\test" /grant John:(OI)(CI)F /T command did not work, because it seemed it did not remove the "Deny" right from my name from this list.
The only thing that worked for me is resetting all permissions with the icacls "D:\test" /reset /T command.

navigate to top level directory you want to set permissions to with explorer
type cmd in the address bar of your explorer window
enter icacls . /grant John:(OI)(CI)F /T where John is the username
profit
Just adding this because it seemed supremely easy this way and others may profit - all credit goes to Călin Darie.

When I ran the command:
icacls "c:/path/to/folderA/folderB" /grant:r Everyone:(OI)(CI)F /T
None of the files in folderB were being processed, which was indicated via the output message:
Successfully processed 0 files; Failed processing 0 files
However, once I changed the specified path to the parent directory("c:/path/to/folderA") and re-ran the command all the files in folderB were successfully processed.
Note: If you want any other files/folders in folderA to not be processed, try moving all those files/folders to a different location before running the command above.
Hope this helps anyone running into the same issue.

I was not able to open any file in a drive; this command unlocked all -
icacls i:\* /grant Users:F /t /q /c

In Windows 10 it works without "c:>" and ">"
For example:
F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission
cacls "file or folder path" /e /p UserName:F
(also this fixes error 2502 and 2503)
cacls "C:\Windows\Temp" /e /p UserName:F

This is what worked for me:
Manually open the folder for which the access is denied.
Select the Executable/application file in that folder.
Right-click on it and go to Properties -> Compatibility
Now see the Privilege Level and check it for Run As Administrator
Click on Change Settings for all users.
The problem is solved now.

Related

Powershell ICACLS to change permissions on a file

Basically what I'm trying to do is push a txt file out to a list of remote PCs and then change the permissions on that file for the local users group to only have read and execute. (I gave up trying to push the file out while retaining permissions). PC names are listed on separate lines in ComputerNames.txt file.
Here is what I have:
$computers = Get-Content "C:\ComputerNames.txt"
$fileToCopy = "C:\newFile.txt"
foreach ($computer in $Computers) {
    # Copy file to remote PC
    Copy-Item -Path $fileToCopy -Destination "\\$computer\C`$\HOMEWARE\"
    # Reset current permissions on file
    icacls \\$computer\C$\HOMEWARE\newFile.txt /reset
    # Grant Read / Execute
    icacls \\$computer\C$\HOMEWARE\newFile.txt /grant:r "USERS:(OI)(CI)RX"
}
pause
It seems like it is copying the file over and permissions get reset but it doesn't strip away anything, users still have write and special permissions. What am I doing wrong here?
/grant:r would only replace existing explicit permissions for the given user or group. It doesn't touch inherited permissions. Object inheritance (OI) and container inheritance (CI) only make sense when dealing with folders. Nothing is going to inherit permissions from a file. Also, just disabling inheritance (/inheritance:d) does not suffice, you need to remove the existing permissions as well (/inheritance:r).
This should do what you want:
icacls \\$computer\C$\HOMEWARE\newFile.txt /reset
icacls \\$computer\C$\HOMEWARE\newFile.txt /inheritance:r /grant "Users:rx"
Note that this will remove all inherited permissions from the file, which may inhibit backup and other system management operations. As eryksun pointed out in the comments it might be better to just disable inheritance (turning inherited permissions into explicit permissions) and then replace the User ACE.
icacls \\$computer\C$\HOMEWARE\newFile.txt /reset
icacls \\$computer\C$\HOMEWARE\newFile.txt /inheritance:d /grant:r "Users:rx"
If you still want inherited permissions removed instead of converted to explicit permissions I would strongly recommend to additionally grant access for administrators and SYSTEM.
icacls \\$computer\C$\HOMEWARE\newFile.txt /reset
icacls \\$computer\C$\HOMEWARE\newFile.txt /inheritance:r /grant "Users:rx" "Administrators:f" "system:f"
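The "disable inheritance, then replace the Users ACE" approach from the answer above, written with Get-Acl/Set-Acl as an added example that is not part of the original answer. The function names, the scratch folder and the use of the well-known SID S-1-5-32-545 for BUILTIN\Users are assumptions of this example; the ACL is written back once before the Users entries are purged, so that the purge runs against explicit copies of the formerly inherited entries.

```powershell
# Added example: make one file read/execute-only for BUILTIN\Users (S-1-5-32-545).
function Set-UsersReadExecuteOnly {
    param([Parameter(Mandatory)] [string] $Path)
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

    # Step 1, same effect as /inheritance:d: stop inheriting but keep the inherited
    # ACEs as explicit copies, so SYSTEM and Administrators keep their access.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read the ACL, drop every Users ACE, add back read/execute only.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($users)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $users, 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Hypothetical helper: one row per ACE, with the inherited/explicit distinction.
function Get-AceSummary {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Constructed demo: a scratch folder that hands Modify down to Users, and a file in it.
$dir = Join-Path $env:TEMP ("inherit-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
icacls $dir /grant '*S-1-5-32-545:(OI)(CI)M' | Out-Null
$file = Join-Path $dir 'newFile.txt'
Set-Content -LiteralPath $file -Value 'constructed sample'

# /grant:r on its own replaces explicit ACEs only; list the file's ACEs afterwards.
icacls $file /grant:r '*S-1-5-32-545:RX' | Out-Null
Get-AceSummary -Path $file | Format-Table -AutoSize

# Apply the two-step change and list the ACEs again for comparison.
Set-UsersReadExecuteOnly -Path $file
Get-AceSummary -Path $file | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```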

Can't Delete Cygwin Completely in Windows 10

I can't delete Cygwin in my Windows 10 setup. I narrowed it down and the file that's causing trouble is
C:\cygwin\usr\share\avogadro\crystals\zeolites\CON.cif
In my case the reason the cygwin directory (folder) could not be deleted was "access privilege". To delete the folder, the user needs to "take ownership" of this folder. It cannot be done easily in the Windows GUI. It is, however, fairly easy to achieve in a command prompt window using three command lines.
I followed the steps posted in this link. Remember to be very sure what you are doing. Take note that the command prompt DOS window must be opened as "administrator". What this link says:
Open DOS Window "cmd.exe" as "administrator". Issue to the command prompt the following lines:
takeown /f "c:\cygwin" /r /d Y
The last parameter makes takeown assume "yes" to all questions and depends on locale. In the author's locale he/she had to answer "J" to make it work.
icacls "c:\cygwin" /T /Q /C /reset
Finally, to delete the files after we got the relevant permissions:
rd "c:\cygwin" /s /q
This method should work as intended in Windows 7 and above. I tried it in Windows7-x64 and Windows10-x64.
Running the following in command prompt as Administrator helped me:
C:\>del \\?\C:\cygwin64\usr\share\avogadro\crystals\zeolites
\\?\C:\cygwin64\usr\share\avogadro\crystals\zeolites\*, Are you sure (Y/N)? Y
I know this is a bit late but I like it:
If you have Linux subsystem installed (I have Ubuntu 18.04), you can remove that file via bash without any of the above. Just do,
Win+r -> bash -> cd /mnt/c/cygwin64/usr/share/avogadro/crystals/zeolites -> rm CON.cif.
Problem with cmd.exe and explorer.exe are that they are Windows' programs, whereas bash is not. In a way, this is the same as Lucian's answer because it makes the computer consider the file as a regular file.
Here it worked referring to PowerShell To Set Folder Permissions:
replace <User_with_administrator>
$mypath = ".\cygwin64--TO-BE-DELETED"
$myacl = Get-Acl $mypath
$myaclentry = "<User_with_administrator>","FullControl","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force | Set-Acl -AclObject $myacl -Verbose
Then the .\cygwin64--TO-BE-DELETED can be deleted.

Setting permissions to default on Windows 10 cmd line, icacls or similar?

I'm trying to reset permissions for directories. I found icacls /reset, but that sets files to inherit from the "Parent Object" (directories work fine). Is there another tool, or another way to use icacls to set my files to inherit permissions from C:\Users\username, or D:\, or wherever the default is for new files in a location?
on a stand-alone instance of Windows [10] there are usually four groups:
NT AUTHORITY\SYSTEM
NT AUTHORITY\Authenticated Users
BUILTIN\Administrators
BUILTIN\Users
each file and each folder has access settings for each group:
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
in addition to that, each folder has inheritance settings for each group
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
the command icacls /reset will set the default ACL of a file or folder to whatever is inherited from the folder it is in
in order to reset a folder with all included files and subfolders to the default it will take three steps:
open elevated cmd (not PowerShell)
take ownership of all files and folders, if necessary (to be able to change ACLs in the first place)
set the correct ACLs of the topmost folder, including inheritance
reset the ACLs for everything below this topmost folder
Step by step:
take ownership with:
takeown.exe /d y /r /a /f <topmost_folder>
set the Windows default ACLs of the topmost folder with:
icacls <topmost_folder> /remove:d SYSTEM /grant SYSTEM:(OI)(CI)(IO)F
icacls <topmost_folder> /remove:d "Authenticated Users" /grant "Authenticated Users":(OI)(CI)(IO)M
icacls <topmost_folder> /remove:d Administrators /grant Administrators:(OI)(CI)(IO)F
icacls <topmost_folder> /remove:d Users /grant Users:(OI)(CI)(IO)(GR,GE)
note: /remove:d deletes all "deny" ACLs (which would override "grant" ACLs)
note: to replace the ACLs, instead of adding to them, use 'grant:r' instead of 'grant'
note: if you don't care for individual permissions and just want everyone to be able to access the files, use: icacls <topmost_folder> /remove:d Everyone /grant:r Everyone:F
reset ACLs for everything below the topmost folder to the ACLs of the topmost folder with:
icacls <topmost_folder> /reset /t /l /c /q
Hope that helps.
Besides Property -> Security of a folder/file, another way to do this is using Get-Acl and Set-Acl using PowerShell. Follow this guide: https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/
An easy way to see the Read/Write permissions on your files, I recommend this tool: https://learn.microsoft.com/en-us/sysinternals/downloads/accessenum

Batch File To Change Share Permissions of Windows 10 Folder

I recently upgraded to Windows 10 from 7 on all of my computers; I have 4. I use Cobian backup, which used to work fine on Windows 7; however, on 10 the shares of the folders aren't set correctly, and although they say they are shared they don't appear across the network, so I can't back them up.
I have, however, found I can go into each folder and change the permissions manually and they do appear, but the problem is I have around 500 folders, so I wanted to know if there was a quick command or batch file that could be run to set sharing permissions to everyone for every folder in the parent folder so I don't have to do it individually?
Try toggling the inheritance on the main parent folder. The permissions should trickle down.
You can use the icacls to change the permissions, like
icacls "C:\myFolder" /grant Everyone:M
For changing permissions to all sub directories you can use a for loop and give folder name to the icacls command,
@echo off
set Dir=C:\FolderName
for /d /r "%Dir%" %%a in (*) do (
    echo Setting permissions for %%~dpa Folder
    icacls %%~dpa /grant Everyone:M
)
Adjust set Dir = C:\FolderName with your path (base Folder).

How do I make iCacls grant access at the folder level so it can be inherited?

Using the command:
iCACLS.exe \\server\serverroot\siteroot /grant:r domain\id:RX /T /C
I can grant access to every file within the site root folder, but the folder itself does not receive the access. The problem being any new file that gets added lacks the read access until the command is run again. What am I not understanding?
The reason the folder itself does not receive the access is because I did not tell iCacls I wanted it to make the access inheritable. The command should be:
iCACLS.exe \\server\serverroot\siteroot /grant:r domain\id:(OI)(CI)(RX) /T /C
Does exactly what I need (and for predictable reasons. I like that.)
