Icacls command usage ?


  1. Posts : 98
    Windows10
       #1

    Icacls command usage ?


    Anyone familiar with the Icacls command ?

    What I want to do is make strictly a sub-folder located in Program Files have write access, then turn it off, either, if possible, via a timer, which I don't think is possible with the command, or manually turn off write access.

    I understand the first part of the command; the grant command is where I get lost ?

    icacls <Directory> /grant ?


  2. Posts : 5,478
    2004
       #2

    To grant authority you could use this command. The (F) means Full rights; see icacls /? for other values. %USERDOMAIN%\%USERNAME% will automatically be replaced with details of the user running the command.
    Code:
    takeown  /f  "C:\Program Files\Whatever" /r
    icacls       "C:\Program Files\Whatever" /grant "%USERDOMAIN%\%USERNAME%":(F) /t
    To remove this authority (the :g indicates explicit granted authorities for current user will be removed):
    Code:
    icacls       "C:\Program Files\Whatever" /remove:g "%USERDOMAIN%\%USERNAME%" /t
    You could put these commands in batch files and schedule them using task scheduler if you wanted (although I don't understand why you want to do this really so not sure this would be what you want)


  3. Posts : 98
    Windows10
    Thread Starter
       #3

    I must first use the takeown command ? The /r flag is read-only ? I understand one must specify the user to grant access to, but two questions remain:
    How can I find the correct path for the user and/or userdomain, if the userdomain is applicable on the computer ?
    What does the colon (F) do after the domain ?


  4. Posts : 5,478
    2004
       #4

    You may need to take ownership first - it depends on the initial authority. You can try icacls on its own - it will tell you if you aren't authorized.

    If you enter %USERDOMAIN%\%USERNAME% it will be changed automatically to your user name (and domain or computer name) so you can enter the command as shown - you don't need to put in your name
    Code:
    C:\Windows\system32>echo %userdomain%\%username%
    WINDOWS-VM2\Hali
    
    C:\Windows\system32>
    The (F) after the colon means full control. If you wanted different authorities you could change this - from icacls /?
    Code:
       perm is a permission mask and can be specified in one of two forms:
            a sequence of simple rights:
                    N - no access
                    F - full access
                    M - modify access
                    RX - read and execute access
                    R - read-only access
                    W - write-only access
                    D - delete access
            a comma-separated list in parentheses of specific rights:
                    DE - delete
                    RC - read control
                    WDAC - write DAC
                    WO - write owner
                    S - synchronize
                    AS - access system security
                    MA - maximum allowed
                    GR - generic read
                    GW - generic write
                    GE - generic execute
                    GA - generic all
                    RD - read data/list directory
                    WD - write data/add file
                    AD - append data/add subdirectory
                    REA - read extended attributes
                    WEA - write extended attributes
                    X - execute/traverse
                    DC - delete child
                    RA - read attributes
                    WA - write attributes
    So if you wanted to explicitly set write access only it would be
    Code:
    C:\Windows\system32>icacls "c:\temp" /grant "%USERDOMAIN%\%USERNAME%":(W) /t
    processed file: c:\temp
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>
    The /t at the end means apply to all files and folders contained in the specified path (rather than just the folder object itself).


  5. Posts : 98
    Windows10
    Thread Starter
       #5

    I found out you can simply type icacls {name of directory} and icacls will list permissions etc, which worked on a simple directory, new to me probably not news to you :)

    If you enter %USERDOMAIN%\%USERNAME% it will be changed automatically to your user name (and domain or computer name) so you can enter the command as shown - you don't need to put in your name
    Ah alright :)


  6. Posts : 5,478
    2004
       #6

    Sounds like you need to put the path in quotes "C:\Program Files(x86)\whatever\nested level you\want" as there is a space between the word 'Program' and the word 'Files'. It would therefore think that the path was C:\Program and files was a parameter.

    If it is not this, post the exact command you are trying.

    EDIT - I seem to be replying to a question that is gone :)


  7. Posts : 98
    Windows10
    Thread Starter
       #7

    Why must you put, for like in your example (W) in brackets ?


  8. Posts : 5,478
    2004
       #8

    JerometheGiraff said:
    Why must you put, for like in your example (W) in brackets ?
    It is the authority you are assigning. See post #4.

    You shouldn't have to change authorities in Program Files directory normally - you must have some oddly written program...


  9. Posts : 98
    Windows10
    Thread Starter
       #9

    I ran this command on a four level deep sub-folder within Program Files (x86)
    /grant everyone (f) /t /c
    It worked although two errors for two files, how do I find what those two files are that created the error ?

    I was able to successfully write to the sub-folder within Program Files (x86) and that is exactly what the command listed in the command prompt; although I realized, I was able to write to all the folders within Program Files (x86) instead of explicitly being granted access to only the four level deep sub-folder in Program Files (x86) ?

    If I wanted to revert back to the previous privileges I must use the /remove command ?

    [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
    I don't understand in the icacls help, /remove then :g & :d removes all occurrences of granted rights to the Sid ?


  10. Posts : 5,478
    2004
       #10

    JerometheGiraff said:
    I don't understand in the icacls help, /remove then :g & :d removes all occurrences of granted rights to the Sid ?
    if you had granted rights with /grant then you remove them with /remove:g

    if you had set explicit deny rights with /deny you would remove them with /remove:d
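
The grant, wait and remove sequence discussed in this thread, put together as a batch file. This is an added example, not a script posted by anyone in the thread; the TARGET path, the two file names under %TEMP% and the 10-minute window are placeholders. It grants modify to the current user on one folder rather than full control to Everyone, and logs icacls output so that the files that failed can be found afterwards.

```batch
@echo off
rem Added example, not from the thread. TARGET and the file names are placeholders.
setlocal
set "TARGET=C:\Program Files (x86)\Vendor\App\Data"
set "WHO=%USERDOMAIN%\%USERNAME%"
set "ACLBACKUP=%TEMP%\target-acl-before.txt"
set "LOG=%TEMP%\target-icacls.log"

rem 1. Record the ACLs as they are now, before changing anything.
rem    icacls /restore can reapply this file later (see icacls /?).
icacls "%TARGET%" /save "%ACLBACKUP%" /t /c > "%LOG%" 2>&1
if errorlevel 1 goto :failed

rem 2. Grant modify (M) to the current user on this one folder only.
rem    (OI)(CI) are the inheritance flags listed by icacls /?: files and
rem    subfolders inherit the entry, so /t is not needed here.
icacls "%TARGET%" /grant "%WHO%":(OI)(CI)M /c >> "%LOG%" 2>&1
if errorlevel 1 goto :failed

rem 3. Show the resulting permissions so the new entry can be checked.
icacls "%TARGET%"

rem 4. Leave write access open for a fixed time (600 seconds).
echo Write access is open for 10 minutes. Leave this window running.
timeout /t 600 /nobreak

rem 5. Take the explicit grant away again, as in post #2, and show the result.
rem    /remove:g drops every explicit grant for WHO on TARGET, including one
rem    that existed before step 2; the saved file from step 1 is the record.
icacls "%TARGET%" /remove:g "%WHO%" /c >> "%LOG%" 2>&1
icacls "%TARGET%"
goto :report

:failed
echo icacls reported a failure; details follow.

:report
rem Every line that does not start with "processed file:" is either the
rem summary line or an error naming the file that could not be processed.
findstr /v /b /i /c:"processed file:" "%LOG%"
endlocal
```

If the window is closed during the wait, step 5 never runs and the grant stays in place until `/remove:g` is run by hand.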