How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?
20 Answers
As of Vista, cacls
is deprecated. Here's the first couple of help lines:
C:\>cacls
NOTE: Cacls is now deprecated, please use Icacls.
Displays or modifies access control lists (ACLs) of files
You should use icacls
instead. This is how you grant John full control over D:\test
folder and all its subfolders:
C:\>icacls "D:\test" /grant John:(OI)(CI)F /T
According do MS documentation:
F
= Full ControlCI
= Container Inherit - This flag indicates that subordinate containers will inherit this ACE.OI
= Object Inherit - This flag indicates that subordinate files will inherit the ACE./T
= Apply recursively to existing files and sub-folders. (OI
andCI
only apply to new files and sub-folders). Credit: comment by @AlexSpence.
For complete documentation, you may run "icacls
" with no arguments or see the Microsoft documentation here and here
-
4Felipe: The (OI) and (CI) parameters make this recursive Commented Dec 18, 2013 at 1:21
-
25I had issues with access denied trying to change permissions in the windows explorer UI. Adding the /T flag to the end replaced existing objects and was able to solve the problem for me. C:>icacls "D:\test" /grant John:(OI)(CI)F /T Commented Jul 1, 2014 at 3:56
-
13@AlexSpence Great point! The /T is needed to update the permissions of existing files and folders. The (OI) and (CI) only applies to files and folders created in the future.– JesseCommented Dec 11, 2014 at 14:35
-
7Coming from the *nix world and being used to 'chown/chmod' to give access and set permissions via the CLI, this thread has been very helpful.– bgarlockCommented Oct 27, 2015 at 14:40
-
10If you run this in Powershell in Windows 10, you will get the error about "OI not recognized". Solution: Put the user+perms argument in quotes. For example:
C:\>icacls "D:\test" /grant "John:(OI)(CI)F" /T
– JDSCommented Jan 8, 2018 at 16:56
You can also use ICACLS.
To grant the Users group Full Control to a folder:
>icacls "C:\MyFolder" /grant Users:F
To grant Modify permission to IIS users for C:\MyFolder
(if you need your IIS has ability to R/W files into specific folder):
>icacls "C:\MyFolder" /grant IIS_IUSRS:M
If you do ICACLS /? you will be able to see all available options.
-
And given that
cacls
is gone, it's even more reason to use icacls.– Ian BoydCommented Nov 29, 2012 at 20:52 -
5Adding full control didn't worked for me until
/grant Users:(OI)(CI)F
used Commented Sep 15, 2014 at 10:52 -
Do I need to replace
Users
with something else or NO ? According toicacls "C:\MyFolder" /grant Users:F
– ioriCommented Jan 13, 2015 at 16:00 -
1If the current user is a member of the user group named "Users" (which, on Windows 7, is normally the case), then granting a permission to that group will affect the access rights of the current user. In any other case, replace the name Users with the actual name of the current user (e.g. John), thus: /grant John:(OI)(CI)F– Ed999Commented Nov 6, 2018 at 5:49
Open a Command Prompt, then execute this command:
icacls "c:\somelocation\of\path" /q /c /t /grant Users:F
F
gives Full Access.
/q /c /t
applies the permissions to subfolders.
Note: Sometimes "Run as Administrator" will help.
-
3
-
Hi, I would like to set least permission for one user. For example, we have one application in Windows Server. So this user just need to access this application than any other services. Like user should not access any browser, should not access any file explorer, should not access any disk storage. This user should access just one stand-alone application. Is possible to do this case using windows command or any script in windows server? Commented Oct 14, 2020 at 6:05
Use cacls
command. See information here.
CACLS files /e /p {USERNAME}:{PERMISSION}
Where,
/p : Set new permission
/e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it.
{USERNAME} : Name of user
{PERMISSION} : Permission can be:
R - Read
W - Write
C - Change (write)
F - Full control
For example grant Rocky Full (F) control with following command (type at Windows command prompt):
C:> CACLS files /e /p rocky:f
Read complete help by typing following command:
C:> cacls /?
-
1Great answer! Only thing to note, is that files is the actual files you want to change the permissions on. Maybe [files] or {files} would be a better explanation. Commented Jan 30, 2013 at 16:59
-
cacls
is relevant; it is still available inWindows 10
; Microsoft would deprecatecmd.exe
in favour of Powershell too.– user4104817Commented May 25, 2017 at 14:47 -
1@Chinggis6 Being "still available" doesn't mean something is a good idea to use or recommend others to use. Also,
cmd.exe
is not deprecated and is not likely to be, so that's not a point in favour oficacls
at all, quite the opposite. Commented Jun 29, 2017 at 15:05 -
1I know. I didn't state if it's a good idea to use or recommend
cacls.exe
. Neither did I mention thatcmd.exe
is already deprecated. I think people should at least be aware of its availability in higher versions even only for backward-compatibility or any other reason else.– user4104817Commented Jun 29, 2017 at 15:24 -
1Plus one for including the /e parameter to edit rather than replace the permissions on the files– MickCommented Feb 13, 2019 at 6:47
I try the below way and it work for me:
- open
cmd.exe
takeown /R /F *.*
icacls * /T /grant [username]:(D)
So that the files can become my own access and it assign to "Delete" and then I can delete the files and folders.
Corrupt Permissions: Regaining access to a folder and its sub-objects
Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:
icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T
For Windows 10 the user/SID must be specified after the /remove:d
option:
icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T
.
Notes:
The command is applied to the specified directory.
Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.
The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.
The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.
The "F" parameter (i.e. the permission created) makes this a grant of FULL control.
The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.
The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently.
.
ADDENDUM (2019/02/10) -
The Windows 10 command line above was kindly suggested to me today, so here it is. I haven't got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).
The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don't need to specify a user after /remove:d but I might be wrong about that!
.
ADDENDUM (2019/11/21) -
User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can't test this proposal, but it seems reasonable.
-
No provision is needed for INHERITED permissions, because EXPLICIT permissions override them. So, creation of the new explicit setting nullifies any inherited settings that may exist (because the new explicit setting includes recursion).– Ed999Commented Mar 19, 2018 at 8:57
-
1
-
I am running (can only run) icacls.exe on Windows 7. I cannot comment on, nor test for, any changes to it which might exist on Windows 8 or 10. As tested by me on Windows 7 64-bit, the remove option is effective to remove DENY settings. Its use might result in an error message if there are NO deny settings present, but if there are none such then it can't remove them anyway.– Ed999Commented Nov 6, 2018 at 4:57
-
Failure to reproduce exactly the command line in my original answer (save for the directory path) will result in the command failing. In particular, do NOT add any quotation marks that do not feature in my answer. If you encase (for example) the /remove:d option in quotes, the command will of course fail.– Ed999Commented Nov 6, 2018 at 5:27
-
1@DFSFOT Well, I sympathise. But I use Windows 7. With the grace of God, I will never use Windows 10. I'd rather migrate to Ubuntu! I suspect that /remove:g will probably remove all rights, both the ALLOW and the DENY entries (though with a possibility that 'granted' in this context means only ALLOW and so it will not process any DENY entries); whereas /remove:d will presumably only remove the DENY entries, leaving any ALLOW entries unchanged. But of course I cannot be sure.– Ed999Commented Nov 12, 2018 at 2:36
I struggled with this for a while and only combining the answers in this thread worked for me (on Windows 10):
1. Open cmd or PowerShell and go to the folder with files
2. takeown /R /F .
3. icacls * /T /grant dan:F
Good luck!
With an Excel vba script to provision and create accounts. I was needing to grant full rights permissions to the folder and subfolders that were created by the tool using our administrators 'x' account to our new user.
cacls looked something like this: cacls \FileServer\Users\Username /e /g Domain\Username:C
I needed to migrate this code to Windows 7 and beyond. My solution turned out to be:
icacls \FileServer\Users\Username /grant:r Domain\Username:(OI)(CI)F /t
/grant:r - Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions
(OI)(CI) - This folder, subfolders, and files.
F - Full Access
/t - Traverse all subfolders to match files/directories.
What this gave me was a folder on this server that the user could only see that folder and created subfolders, that they could read and write files. As well as create new folders.
Just in case there is anyone else that stumbles on this page, if you want to string various permissions together in the one command, I used this:
icacls "c:\TestFolder" /grant:r Test_User:(OI)(CI)(RC,RD,RX)
Note the csv string for the various permissions.
-
Thank you much. It helped me to set the permission for RX & RD. In most of the example given in the Internet was explained with /F full permission, Which should not be case.– ManiCommented Aug 5, 2015 at 14:46
XCACLS.VBS is a very powerful script that will change/edit ACL info. c:\windows\system32\cscript.exe xcacls.vbs help returns all switches and options.
You can get official distribution from Microsoft Support Page
-
3Can you provide a reference where
XCACLS.VBS
can be found? Commented Sep 20, 2012 at 17:08 -
-
The xcacls.vbs script does not run on Windows 7 or later. Presumably because it depends on cacls.exe which is no longer supported, having been superceded by icacls.– Ed999Commented Nov 13, 2023 at 3:45
Bulk folder creation and grant permission works me by using the below powershell script.
Import-Csv "D:\Scripts\foldernames.csv" | foreach-object {
$username = $_.foldername
# foldername is the header of csv file
$domain = “example.com”
$folder= "D:\Users"
$domainusername = $domain+“\”+$username
New-Item $folder\$username –Type Directory
Get-Acl $folder\$username
$acl = Get-Acl $folder\$username
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $folder\$username $acl
}
Note: You have to create same domain username in csv file otherwise you will get permission issues
i was not able to open any file in a drive, this command unlocked all -
icacls i:\* /grant Users:F /t /q /c
-
Before issuing this command, you probably need to take over the ownership first using:
takeown /R /F "i:\*"
, then unlock with the above command, and then you can delete the directory using Windows Explorer. Don't forget also run the command as Administrator using command prompt.– AryoCommented May 2, 2023 at 6:02
attrib +r +a +s +h <folder name> <file name> to hide
attrib -r -a -s -h <folder name> <file name> to unhide
-
3Those are attributes of the file (read-only, archive, system, hidden) not permissions, which are linked to user accounts. Commented Jun 4, 2013 at 16:06
excellent point Călin Darie
I had a lot of scripts to use cacls I move them to icacls how ever I could not find a script to change the root mount volumes example: d:\datafolder. I finally crated the script below, which mounts the volume as a temporary drive then applies sec. then unmounts it. It is the only way I found that you can update the root mount security.
1 gets the folder mount GUID to a temp file then reads the GUID to mount the volume as a temp drive X: applies sec and logs the changes then unmounts the Volume only from the X: drive so the mounted folder is not altered or interrupted other then the applied sec.
here is sample of my script:
**mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I
D:\tools\security\icacls.exe %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d**
I am Administrator and some script placed "Deny" permission on my name on all files and subfolders in a directory. Executing the icacls "D:\test" /grant John:(OI)(CI)F /T
command did not work, because it seemed it did not remove the "Deny" right from my name from this list.
The only thing that worked for me is resetting all permissions with the icacls "D:\test" /reset /T
command.
-
1It is possible to overcome the problem without using the reset command, by specifying ''/remove:d'' to delete any explicit DENY settings that may exist - see my perfect solution (above).– Ed999Commented Mar 19, 2018 at 9:02
- navigate to top level directory you want to set permissions to with explorer
- type cmd in the address bar of your explorer window
- enter
icacls . /grant John:(OI)(CI)F /T
where John is the username - profit
Just adding this because it seemed supremely easy this way and others may profit - all credit goes to Călin Darie
.
When I ran the command:
icacls "c:/path/to/folderA/folderB" /grant:r Everyone:(OI)(CI)F /T
None of the files in folderB
were being processed, which was indicated via the output message:
Successfully processed 0 files; Failed processing 0 files
However, once I changed the specified path to the parent directory("c:/path/to/folderA"
) and re-ran the command all the files in folderB
were successfully processed.
Note: If you want any other files/folders in folderA
to not be processed, try moving all those files/folders to a different location before running the command above.
Hope this helps anyone running into the same issue.
For anyone needing to grant permissions to multiple drives, I created the following script:
@ECHO off
ECHO Run this with admin privileges
:: Change following variable to desired user or group
set UserOrGrp=Users
for %%d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
if EXIST %%d:\ (
ECHO Taking ownership of drive %%d:\
takeown /R /F %%d:\ /D Y /SKIPSL
ECHO Granting full control to %UserOrGrp%
icacls %%d:\* /Q /C /T /grant %UserOrGrp%:F
)
)
in windows 10 working without "c:>" and ">"
For example:
F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission
cacls "file or folder path" /e /p UserName:F
(also this fixes error 2502 and 2503)
cacls "C:\Windows\Temp" /e /p UserName:F
This is what worked for me:
Manually open the folder for which the access is denied.
Select the Executable/application file in that folder.
Right-click on it and go to Properties -> Compatibility
Now see the Privilege Level and check it for Run As Administrator
Click on Change Settings for all users.
The problem is solved now.
-
The question is for doing the above trough the command line. While your suggestion might work well, it is not applicable if you only have terminal access (ssh) to a sever which needs to be set up, thus you will need to use a cmd script Commented Dec 22, 2014 at 13:21