In this article, we will learn how to set or reset NTFS permissions of a file or folder in a Windows operating system, with icacls command.
It can happen that, in some cases, we may lose sight of files or directories permissions, and when we try to access a specific file we have no result because we don’t have the rights to do so.
Or we may have to run a software that, for permission issue, does not work as it should.
We may also need to access a file that came from an old backup or another computer and was therefore created with a different user; even then, it will not be possible to access it.
In all these cases, Icacls command comes to help.
What is Icacls?
Icacls is the replacement for cacls (Change Access Control Lists), a command-line utility that allows you to show and perform some operations on ACL for files or directories.
ACL (Access Control List) is a list of permissions for a filesystem object and defines how its security is controlled by managing who and how it can be accessed.
Actually, operations on ACL are not the only ones possible with this tool.
What makes it a powerful tool is also the ability to perform backup and restore operations on ACL for files or directories, or to search for files that have a specific user as owner.
And in addition, in the event that an ACL is damaged or destroyed, with icacls you can restore it by resetting it and setting default permissions or inheriting those of the parent.
Icacls: the reset and grant functions
Icacls is a native Windows command that runs on Windows Vista, Windows 7, Windows 8 and Windows 10.
Imagine that we have an external hard disk on which a study made in 2018 was stored, and we want to recover it, but we do not have complete control.
As soon as we try to open the folder, we will have the following alert message.
One solution is, therefore, to use the reset function of Icacls.
But pay attention to the following steps.
Let’s open the command terminal in administrator mode.
Let’s move to the folder and type the reset command as follows:
$> icacls * /t /q /c /reset
And again, we’ll have “Access is denied” as a response.
We must therefore first become the owner of the folder with the takeown command:
$> takeown / R / F *
By clicking Yes, you will now have a reset of ACL, and the permission state will be as follows:
Now, imagine being in the following situation:
Only the user named Peter has access to the folder, and we want to give grants also to the federica user.
With the previous command, we can become the owner of the folder
$> takeown / R / F *
and then type the following command:
$> icacls "E:\Study2018" /t /grant:F
In this case, I have inserted the options /t, that means recursive, and F that means “full access” for the user on which we want to give grants.
For more options, see the official page.
Other icacls functions
If you need to save ACLs in a file for a later restore, you can do by using a couple of “save and restore” commands.
A very simple operation from a point of view: information about the ACLs are saved in a file that can be used in case of need to restore a previous situation.
However, it should be noted that data on access rights, especially in shared folders, can be very variable over time.
We could then find ourselves in a situation where we are going to restore a situation that is different from reality or even inconsistent.
Moreover, the file that is created, openable and readable with a common text editor, seems to be a Unicode text.
But beware, because it isn’t.
Open the file and save it with some changes will make it unusable in Restore operations.
The couple of “save and restore” commands is as follows:
icacls FILE_O_DIRECTORY /save aclfile /t
You will immediately notice a difference between the two commands.
The save command can be executed both on file and on directories (FILE_O_O_DIRECTORY must be replaced with the name of the file or directory for which we want to save the ACL).
While the restore command only works on directories.
An example of use is as follows:
E:\> icacls filediprova.txt /save aclfile /t
E:\>icacls . /restore aclfile
As you can see, in restore command case we will not use filediprova.txt but the directory in which it is contained.
In Windows systems, the ability managing access control lists is a strength that allows users and processes to make the best use of resources.
In some cases, it can be complicated, but with icacls tool, we can have many functions that help to ensure security.