Prior to Windows Vista, CACLS (Change Access Control Lists) was the tool for managing complicated NTFS permissions, complementing the Security tab of a file or folder's Properties dialog in Windows Explorer, which offers an easy way to make minor permission tweaks.
Beginning with Windows Vista, and continuing in Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and later Windows versions, CACLS, whose main drawback is that it is difficult to use for setting inherited permissions on a folder, has been deprecated and replaced by iCACLS.
The following table groups the tools available in the different Windows OS versions for setting permissions:

| Solution | Applicable to | Comments |
|---|---|---|
| Cacls.exe | Folder/File | Deprecated component, may be buggy. Should not be used on Windows 7. |
| xCacls.exe | Folder/File | Deprecated component, may be buggy. Should not be used on Windows 7. |
| iCacls.exe | Folder/File | Must be driven from a script, e.g. a custom action. Part of the Windows 7 OS. Offers extra granularity. |
| Regini.exe | Registry | Cannot apply explicit Deny permissions. |
| SetACL.exe | Folder/File/Registry | Not part of the OS; a third-party solution. |
| LockPermissions | Folder/File/Registry | Overwrites existing permissions and all inherited permissions; does not append. Because of this, the solution requires careful planning. |
| MsiLockPermissionsEx | Folder/File/Registry | Overwrites existing permissions but will not overwrite existing inherited permissions. Can only set permissions on components which are part of the package. Will only work on Windows 7 as it requires Windows Installer 5.0 or later. |
| SecEdit.exe | Folder/File/Registry | Requires a custom action template and standards to be applied. |
iCACLS expands the capabilities of CACLS: it can display, modify, back up or restore the contents of discretionary ACLs for files and directories. The iCACLS command-line utility can also show and set the mandatory integrity label of an object, which is used by Windows Integrity Control (WIC). The most visible use of WIC is Internet Explorer Protected Mode, which automatically assigns low integrity to Internet-sourced objects so that malicious web content rendered in Internet Explorer cannot tamper with the operating system.
iCACLS syntax, parameters and switches
- ICACLS name /save aclfile [/T] [/C] [/L] [/Q]: stores the ACLs for all matching names into aclfile for later use with /restore.
- ICACLS directory [/substitute SidOld SidNew […]] /restore aclfile [/C] [/L] [/Q]: applies the stored ACLs to files in directory.
- ICACLS name /setowner user [/T] [/C] [/L] [/Q]: changes the owner of all matching names.
- ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]: finds all matching names that contain an ACL explicitly mentioning Sid.
- ICACLS name /verify [/T] [/C] [/L] [/Q]: finds all files whose ACL is not in canonical form or whose lengths are inconsistent with their ACE counts.
- ICACLS name /reset [/T] [/C] [/L] [/Q]: replaces ACLs with default inherited ACLs for all matching files.
ICACLS name [/grant[:r] Sid:perm[…]] [/deny Sid:perm […]] [/remove[:g|:d] Sid[…]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[…]]:
- /grant[:r] Sid:perm grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.
- /deny Sid:perm explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
- /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights for that Sid. With :d, it removes all occurrences of denied rights for that Sid.
- /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity ACE to all matching files. The level is to be specified as one of: L[ow], M[edium], H[igh]. NOTE: Inheritance options for the integrity ACE may precede the level and are applied only to directories.
NOTE: Sids may be given either in numerical form or as a friendly name. If the numerical form is used, prefix the SID with a *.
- /T indicates that this operation is performed on all matching files/directories below the directories specified in the name.
- /C indicates that this operation will continue on all file errors. Error messages will still be displayed.
- /L indicates that this operation is performed on a symbolic link itself versus its target.
- /Q indicates that icacls should suppress success messages.
ICACLS preserves the canonical ordering of ACE entries:
- Explicit denials
- Explicit grants
- Inherited denials
- Inherited grants
perm
perm is a permission mask and can be specified in one of two forms:
A sequence of simple rights:
- F – full access
- M – modify access
- RX – read and execute access
- R – read-only access
- W – write-only access
A comma-separated list, in parentheses, of specific rights:
- D – delete
- RC – read control
- WDAC – write DAC
- WO – write owner
- S – synchronize
- AS – access system security
- MA – maximum allowed
- GR – generic read
- GW – generic write
- GE – generic execute
- GA – generic all
- RD – read data/list directory
- WD – write data/add file
- AD – append data/add subdirectory
- REA – read extended attributes
- WEA – write extended attributes
- X – execute/traverse
- DC – delete child
- RA – read attributes
- WA – write attributes
Inheritance rights may precede either form and are applied only to directories:
- (OI) – object inherit
- (CI) – container inherit
- (IO) – inherit only
- (NP) – don't propagate inherit
Examples
icacls c:\windows\* /save AclFile /T
Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.
icacls c:\windows\ /restore AclFile
Will restore the Acls for every file within AclFile that exists in c:\windows and its subdirectories.
icacls file /grant Administrator:(D,WDAC)
Will grant the user Administrator Delete and Write DAC permissions to file.
icacls file /grant *S-1-1-0:(D,WDAC)
Will grant the user defined by sid S-1-1-0 Delete and Write DAC permissions to file.
icacls c:\windows\explorer.exe
Displays the discretionary access control list and the integrity level of explorer.exe.
icacls file /setintegritylevel H
Sets the mandatory integrity level of the object to High.
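The perm grammar and canonical ACE ordering above are easiest to work with when the listing icacls prints can be parsed. The following script is an added example, not code from the original article or from Microsoft: it parses the ACE strings in the perm syntax described above, checks the explicit-deny / explicit-grant / inherited-deny / inherited-grant ordering that /verify enforces, and reports grant ACEs that give broad principals (Everyone, *S-1-1-0, BUILTIN\Users, Authenticated Users) write-class rights. It assumes the display markers `(I)` for an inherited ACE and `(DENY)` for a deny ACE, and that the caller knows which object path the listing belongs to; the sample listing and path are constructed, not real output.

```python
"""Parse and audit icacls display output (added example, not from the article).

Assumed display grammar, from the icacls help text plus how it prints ACEs:
    principal:(flag)...(perms)
flags: (I) inherited ACE, (DENY) deny ACE, (OI)(CI)(IO)(NP) inheritance;
perms: a run of simple rights (F M RX R W N D) or a comma list of specific rights.
"""
import re
from dataclasses import dataclass, field

SIMPLE_RIGHTS = {"F", "M", "RX", "R", "W", "N", "D"}
SPECIFIC_RIGHTS = {"D", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
                   "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}
# Rights that let the holder change data, the DACL or the owner (includes append).
WRITE_CLASS = {"F", "M", "W", "D", "WDAC", "WO", "GW", "GA", "WD", "AD", "WEA", "DC", "WA"}
# Principals that effectively mean "any local user"; compared case-insensitively.
BROAD_PRINCIPALS = {"everyone", "*s-1-1-0", "builtin\\users",
                    "nt authority\\authenticated users"}


@dataclass
class Ace:
    principal: str
    deny: bool = False
    inherited: bool = False
    inheritance: set = field(default_factory=set)
    rights: set = field(default_factory=set)


def parse_perm(token: str) -> set:
    """Expand the perm mask (last parenthesis group) into a set of right codes."""
    if token in SPECIFIC_RIGHTS:          # single specific right, e.g. (AD)
        return {token}
    if "," in token:                      # comma list, e.g. (D,WDAC)
        parts = {p.strip() for p in token.split(",")}
        bad = parts - SPECIFIC_RIGHTS
        if bad:
            raise ValueError(f"unknown specific right(s) {sorted(bad)} in ({token})")
        return parts
    rights, i = set(), 0                  # run of simple rights, e.g. (RX) or (RXW)
    while i < len(token):
        for width in (2, 1):              # longest match first so RX is not R + X
            if token[i:i + width] in SIMPLE_RIGHTS:
                rights.add(token[i:i + width])
                i += width
                break
        else:
            raise ValueError(f"unknown simple right at {token[i:]!r} in ({token})")
    return rights


ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<groups>(?:\([^()]*\))+)$")


def parse_ace(text: str) -> Ace:
    """Parse one 'principal:(flags)(perms)' ACE string."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {text!r}")
    groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
    ace = Ace(principal=m.group("principal"))
    for flag in groups[:-1]:              # every group but the last is a flag
        if flag == "I":
            ace.inherited = True
        elif flag == "DENY":
            ace.deny = True
        elif flag in INHERIT_FLAGS:
            ace.inheritance.add(flag)
        else:
            raise ValueError(f"unknown ACE flag ({flag}) in {text!r}")
    ace.rights = parse_perm(groups[-1])
    return ace


def parse_listing(text: str, path: str) -> list:
    """Parse the lines icacls prints for one object whose path the caller knows."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the object path
        aces.append(parse_ace(line))
    return aces


def _rank(ace: Ace):
    # explicit deny < explicit grant < inherited deny < inherited grant
    return (ace.inherited, not ace.deny)


def is_canonical(aces: list) -> bool:
    """True when ACEs are in the canonical order icacls /verify checks for."""
    ranks = [_rank(a) for a in aces]
    return ranks == sorted(ranks)


def canonical_order(aces: list) -> list:
    return sorted(aces, key=_rank)        # stable sort keeps order within each class


def risky_grants(aces: list) -> list:
    """Grant ACEs that hand a broad principal any write-class right."""
    return [a for a in aces
            if not a.deny and a.principal.lower() in BROAD_PRINCIPALS
            and a.rights & WRITE_CLASS]


# Constructed sample of what `icacls C:\inetpub\app` might print; not real output.
SAMPLE_PATH = r"C:\inetpub\app"
SAMPLE_LISTING = r"""C:\inetpub\app Everyone:(OI)(CI)(M)
               BUILTIN\Users:(DENY)(D,WDAC)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
               BUILTIN\Users:(I)(OI)(CI)(RX)
               BUILTIN\Users:(I)(CI)(AD)

Successfully processed 1 files; Failed processing 0 files
"""


def audit(text: str = SAMPLE_LISTING, path: str = SAMPLE_PATH) -> dict:
    aces = parse_listing(text, path)
    return {"canonical": is_canonical(aces),
            "risky": [(a.principal, sorted(a.rights)) for a in risky_grants(aces)]}


if __name__ == "__main__":
    result = audit()
    print("canonical order:", result["canonical"])
    for principal, rights in result["risky"]:
        print(f"broad principal {principal} holds write-class rights {rights}")
```

On the sample, the explicit Everyone grant precedes the explicit deny, so the listing is reported as non-canonical (the order /verify would flag), and both the Everyone modify grant and the inherited Users append-data grant are reported; the append-data entry is the normal Windows default on many directories, so tune WRITE_CLASS or BROAD_PRINCIPALS to your baseline before running it over a whole tree.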
NTFS Permission Tools
Usually, in Microsoft Windows you can set permissions on files and folders from the Security tab in Properties.
A simpler UI appears when you click the Edit button. If you want to change the Owner or adjust permissions on a more fine-grained level, you can click the Advanced button to bring up the Advanced Security Settings dialog.
However, in newer releases of Windows the Security tab only appears when the Properties of a single folder or a single file are open. If you select multiple files or folders and try to set permissions on them collectively, you will find that there is no Security tab at all. Instead, Microsoft expects you to use the command-line tool icacls.exe, which is very powerful but often inconvenient.
A useful third party freeware app, called NTFS Permissions Tools comes with an easy to use GUI for setting permissions and changing ownership on multiple files. It goes further than what Windows allows from its GUI and allows backing up permissions to a file from which it can restore them later. Or you can simply copy the permissions or all security settings on an object and paste them to another object. This is a very useful function because in Windows, various different rules apply when you copy or move files.
- When you copy or move an object to a different folder on the same volume (drive), the original permissions are retained, that is, the object preserves its permissions by default.
- When you copy or move an object to another volume (drive), the object inherits the permissions of its new parent folder.
- However while copying or moving items, Windows offers you no easy control over this. NTFS Permissions Tools takes the pain out of this entirely because it can copy and paste permissions separate from the object itself.
When you open it, it asks for UAC elevation; click Yes. The program has one-click buttons to set Allow, Deny or Read-only permissions.
It has two modes of operation: Edit Mode and Browse Mode. In Edit mode, you simply drag and drop the files and folders whose permissions you want to modify into its window.
In Browse mode, you can browse files and folders like a file manager does. You can select a single file or folder or you can select multiple files and folders. Then you can right click on the selected items under any column and change the permissions, accounts and Owner.
Clicking the Advanced button brings up a Windows-like interface for doing all the advanced tasks such as adjusting inheritable permissions, replacing child object permissions, selecting users or groups etc.
You can also create NULL or empty Discretionary Access Control Lists (DACLs) on an object by right clicking it and selecting "Empty Access Control List". Null DACLs grant full access to anyone who can access the object. An empty DACL does not grant access to the object until the owner of the object assigns permissions.
Copying and pasting permissions
Right click any item whose permissions you want to copy and click "Copy Permissions" or "Copy Security Settings". The difference between the two is that the former only copies Allow/Read-Only/Deny permissions, whereas the latter copies the Owner as well. The program doesn't yet support copying Auditing permissions, so for configuring those you will have to use the Windows native permissions dialogs.
Conclusion
NTFS Permissions Tools is a must-have application for every system administrator or IT pro. Given the number of times you have to deal with permissions in newer releases of Windows when accessing another user's files, end users will find it useful too. You can reduce your usage of icacls for the tasks it supports, although for some activities like finding Security IDs, setting integrity level etc, icacls will still be required.
Download
Here you can download the NTFS Permission Tools, version 1.3 (the latest), hosted on Heelpbook.net. However you will need to register and login on Heelpbook.net to see and download it (it's totally free).