You are currently offline, waiting for your internet to reconnect

The Icacls.exe utility is available for Windows Server 2003 with Service Pack 2

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

SUMMARY
This article describes the Icacls.exe command-line utility. You can use this utility to modify NTFS file system permissions on a computer that is running Microsoft Windows Server 2003 with Service Pack 2 (SP2).

Currently, you can use the Xcacls.exe utility, the Cacls.exe utility, and the Xcacls.vbs utility to modify NTFS permissions in Windows Server 2003. The Icacls.exe utility is an alternative option for modifying NTFS permissions. The Icacls.exe utility resolves various issues that occur when you use the existing utilities.

The Icacls.exe utility is included in Windows Vista and in Windows Server 2003 SP2.
MORE INFORMATION
To install the Icacls.exe utility, install the latest service pack for Windows Server 2003. For more information about how to install the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Syntax for the Icacls.exe utility

To see the following syntax information, type icacls.exe /? at a command prompt.
ICACLS name /save aclfile [/T] [/C]    store the acls for all matching names into aclfile for    later use with /restore.ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C]    applies the stored acls to files in directory.ICACLS name /setowner user [/T] [/C]    changes the owner of all matching names.ICACLS name /findsid Sid [/T] [/C]    finds all matching names that contain an ACL    explicitly mentioning Sid.ICACLS name /verify [/T] [/C]    finds all files whose ACL is not in canonical form or whose    lengths are inconsistent with ACE counts.ICACLS name /resize [/T] [/C] [/L]    changes incorrect recorded lengths of ACLs to true lengths.ICACLS name /reset [/T] [/C]    replaces acls with default inherited acls for all matching files.ICACLS name [/grant[:r] Sid:perm[...]]       [/deny Sid:perm [...]]       [/remove[:g|:d]] Sid[...]] [/T] [/C]    /grant[:r] Sid:perm grants the specified user access rights. With :r,        the permissions replace any previously granted explicit permissions.        Without :r, the permissions are added to any previously granted        explicit permissions.    /deny Sid:perm explicitly denies the specified user access rights.        An explicit deny ACE is added for the stated permissions and        the same permissions in any explicit grant are removed.    /remove[:[g|d]] Sid removes all occurrences of Sid in the acl. With        :g, it removes all occurrences of granted rights to that Sid. With        :d, it removes all occurrences of denied rights to that Sid.Note:    Sids may be in either numeric or friendly name form. If a numeric    form is given, affix a * to the start of the SID.    /T indicates that this operation is performed on all matching        files/directories below the directories specified in the name.    /C indicates that this operation will continue on all file errors.        Error messages will still be displayed.    ICACLS preserves the canonical ordering of ACE entries:            Explicit denials            Explicit grants            Inherited denials            Inherited grants    perm is a permission mask and can be specified in one of two forms:        a sequence of simple rights:                F - full access                M - modify access                RX - read and execute access                R - read-only access                W - write-only access        a comma-separated list in parentheses of specific rights:                D - delete                RC - read control                WDAC - write DAC                WO - write owner                S - synchronize                AS - access system security                MA - maximum allowed                GR - generic read                GW - generic write                GE - generic execute                GA - generic all                RD - read data/list directory                WD - write data/add file                AD - append data/add subdirectory                REA - read extended attributes                WEA - write extended attributes                X - execute/traverse                DC - delete child                RA - read attributes                WA - write attributes        inheritance rights may precede either form and are applied        only to directories:                (OI) - object inherit                (CI) - container inherit                (IO) - inherit only                (NP) - don't propagate inheritExamples:        icacls c:\windows\* /save AclFile /T        - Will save the ACLs for all files under c:\windows          and its subdirectories to AclFile.        icacls c:\windows\ /restore AclFile        - Will restore the Acls for every file within          AclFile that exists in c:\windows and its subdirectories        icacls file /grant Administrator:(D,WDAC)        - Will grant the user Administrator Delete and Write DAC          permissions to file        icacls file /grant *S-1-1-0:(D,WDAC)        - Will grant the user defined by sid S-1-1-0 Delete and          Write DAC permissions to file

Other available utilities to modify NTFS permissions

For more information about other utilities that you can use to modify NTFS permissions, click the following article numbers to view the articles in the Microsoft Knowledge Base:
318754 How to use Xcacls.exe to modify NTFS permissions
135268 How to use Cacls.exe in a batch file
825751 How to use Xcacls.vbs to modify NTFS permissions
cacls xcacls ACL ntfs icacls subinacl security
Properties

Article ID: 919240 - Last Review: 10/09/2011 02:58:00 - Revision: 4.0

Microsoft Windows Server 2003, Enterprise x64 Edition, Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition, Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Datacenter x64 Edition, Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86), Microsoft Windows Server 2003 R2 Standard x64 Edition, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter x64 Edition, Microsoft Windows XP Professional x64 Edition

  • kbwinserv2003presp2fix kbexpertiseinter kbfix kbqfe KB919240
Feedback
=4050&did=1&t=">m.content='true';document.getElementsByTagName('head')[0].appendChild(m);" onload="var m=document.createElement('meta');m.name='ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src="http://c1.microsoft.com/c.gif?"> html>