Windows 10: Icacls command usage ?

Page 1 of 2 12 LastLast
  1.    26 Dec 2015 #1

    Icacls command usage ?

    Anyone familier with the Icacls command ?

    I want to do is make strictly a sub-folder located in Program Files have write access, then turn it off, either if possible, via a timer which I don't think is possible with the command. Or manually turn off write access.

    I understand the first part of the command; the grant command is where I get lost ?

    icacls <Directory> /grant ?
      My ComputerSystem Spec

  2.    26 Dec 2015 #2

    To grant authority you could use this command. The (F) means Full rights, see icacls /? for other values, %USERDOMAIN%\%USERNAME% will automatically be replaced with details of the user running the command
    takeown  /f  "C:\Program Files\Whatever" /r
    icacls       "C:\Program Files\Whatever" /grant "%USERDOMAIN%\%USERNAME%":(F) /t
    to remove this authority (the :g indicates explicit granted authorities for current user will be removed)
    icacls       "C:\Program Files\Whatever" /remove:g "%USERDOMAIN%\%USERNAME%" /t
    You could put these commands in batch files and schedule them using task scheduler if you wanted (although I don't understand why you want to do this really so not sure this would be what you want)
      My ComputerSystem Spec

  3.    26 Dec 2015 #3

    I must first use the takeown command ? The /r flag is read-only ? I understand one must specify the user to grant access too, but two questions remain;
    How can I find the correct path for the user and or userdomain, if the userdomain is applicable on the computer ?
    What is the colon(F) do after the domain ?
      My ComputerSystem Spec

  4.    27 Dec 2015 #4

    You may need to take ownership first - it depends on the initial authority. You can try icacls on its own - it will tell you if you aren't authorized.

    If you enter %USERDOMAIN%\%USERNAME% it will be changed automatically to your user name (and domain or computer name) so you can enter the command as shown - you don't need to put in your name
    C:\Windows\system32>echo %userdomain%\%username%
    The (F) after the colon means full control. If you wanted different authorities you could change this - from icacls /?
       perm is a permission mask and can be specified in one of two forms:
            a sequence of simple rights:
                    N - no access
                    F - full access
                    M - modify access
                    RX - read and execute access
                    R - read-only access
                    W - write-only access
                    D - delete access
            a comma-separated list in parentheses of specific rights:
                    DE - delete
                    RC - read control
                    WDAC - write DAC
                    WO - write owner
                    S - synchronize
                    AS - access system security
                    MA - maximum allowed
                    GR - generic read
                    GW - generic write
                    GE - generic execute
                    GA - generic all
                    RD - read data/list directory
                    WD - write data/add file
                    AD - append data/add subdirectory
                    REA - read extended attributes
                    WEA - write extended attributes
                    X - execute/traverse
                    DC - delete child
                    RA - read attributes
                    WA - write attributes
    So if you wanted to explicitly set write access only it would be
    C:\Windows\system32>icacls "c:\temp" /grant "%USERDOMAIN%\%USERNAME%":(W) /t
    processed file: c:\temp
    Successfully processed 1 files; Failed processing 0 files
    The /t at the end means apply to all files and folders contained in the specified path (rather than just the folder object itself).
      My ComputerSystem Spec

  5.    27 Dec 2015 #5

    I found out you can simply type icacls {name of directory} and icacls will list permissions etc, which worked on a simple directory, new to me probably not news to you :)

    If you enter %USERDOMAIN%\%USERNAME% it will be changed automatically to your user name (and domain or computer name) so you can enter the command as shown - you don't need to put in your name
    Ah alright :)
      My ComputerSystem Spec

  6.    27 Dec 2015 #6

    Sounds like you need to put the path in quotes "C:\Program Files(x86)\whatever\nested level you\want" as there is a space between the word 'Program' and the word 'Files'. It would therefore think that the path was C:\Program and files was a parameter.

    If it is not this post the exact command you are trying..

    EDIT - I seem to be replying to a question that is gone :)
      My ComputerSystem Spec

  7.    27 Dec 2015 #7

    Why must you put, for like in your example (W) in brackets ?
      My ComputerSystem Spec

  8.    27 Dec 2015 #8

    JerometheGiraff said: View Post
    Why must you put, for like in your example (W) in brackets ?
    It is the authority you are assigning. See post #4.

    You shouldn't have to change authorities in Program Files directory normally - you must have some oddly written program...
      My ComputerSystem Spec

  9.    27 Dec 2015 #9

    I ran this command on a four level deep sub-folders within Program Files (x86)
    /grant everyone (f) /t /c
    It worked although two errors for two files, how do I find what those two files are that created the error ?

    I was able to successfully write to the sub-folder within Program Files (x86) and that is exactly what the command listed in the command prompt; although I realized, I was able to write to all the folders within Program Files (x86) instead of explicitly being granting access to only the four level deep sub-folder in Program Files (x86) ?

    If I wanted to revert back to the previous privileges I must use the /remove command ?

    [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
    I don't understand in the icacls help, /remove then :g & :d removes all occurrences of granted rights to the Sid ?
      My ComputerSystem Spec

  10.    27 Dec 2015 #10

    JerometheGiraff said: View Post
    I don't understand in the icacls help, /remove then :g & :d removes all occurrences of granted rights to the Sid ?
    if you had granted rights with /grant then you remove them with /remove:g

    if you had set explicit deny rights with /deny you would remove them with /remove:d
      My ComputerSystem Spec

Page 1 of 2 12 LastLast

Related Threads
Performance & Maintenance Run SFC Command in Windows 10 in Tutorials
How to Repair System Files with SFC Command in Windows 10 The SFC command scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions. This tutorial will show you how to run the sfc...
I was wondering why file not found would occur when I try to access a DIR command on a directory.:rolleyes: DIR name >> file.txt Sincerely, Bash
Anyone figured out a use for the Opacity setting for Command Prompt on the Experimental tab? I've tried it at many different settings and I just can't see a use for it.
Solved Command Prompt in General Support
How to call up "command Prompt (Admin) from the "run" dialog box win 10 Home?
Command Prompt? in General Support
Guys, I'm going to try one last time. The error code I received told to me to empty files and then "Run the command prompt as an administrator"?? Then, type wuauclt.exe/update now??......I don't know what run the command prompt means. I have no...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 16:11.
Find Us