What does this mean:

C:\foo\> icacls .

I think the first one means that userid gets Modify permissions on the directory - which means that user can create files, or update files, or delete files. Right? What is the "NT AUTHORITY\IUSR" user? Is that really a single user ID? Is it the default IIS user ID?

ok, the second line I think refers to a group. It gets the same permissions.

What about all those lines with (I) and (OI) and so on. Please explain.

From the Microsoft Article on ICACLS

The entries are users and groups specific to that file (DOMAIN\USER or GROUP); the permissions listed are as follows:

SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.

icacls preserves the canonical order of ACE (Access Control Entries) entries as:

  • Explicit denials
  • Explicit grants
  • Inherited denials
  • Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

  1. A sequence of simple rights:
  • F (full access)
  • M (modify access)
  • RX (read and execute access)
  • R (read-only access)
  • W (write-only access)
  2. A comma-separated list in parentheses of specific rights:
  • D (delete)
  • RC (read control)
  • WDAC (write DAC)
  • WO (write owner)
  • S (synchronize)
  • AS (access system security)
  • MA (maximum allowed)
  • GR (generic read)
  • GW (generic write)
  • GE (generic execute)
  • GA (generic all)
  • RD (read data/list directory)
  • WD (write data/add file)
  • AD (append data/add subdirectory)
  • REA (read extended attributes)
  • WEA (write extended attributes)
  • X (execute/traverse)
  • DC (delete child)
  • RA (read attributes)
  • WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:

  • (OI): object inherit
  • (CI): container inherit
  • (IO): inherit only
  • (NP): do not propagate inherit
  • (I): permission inherited from parent container

For files, the permission masks are more or less self-explanatory: R means you can read the file, X allows it to be executed (as a program), and so on.

For other kinds of objects, you will have to browse MSDN:

Inheritance rights in English:

  • (I) "Inherited": This ACE was inherited from the parent container.
  • (OI) "Object inherit": This ACE will be inherited by objects placed in this container.
  • (CI) "Container inherit": This ACE will be inherited by subcontainers placed in this container.
  • (IO) "Inherit only": This ACE will be inherited (see OI and CI), but does not apply to this object itself.
  • (NP) "Do not propagate": This ACE will be inherited by objects and subcontainers one level deep – it will not apply to things inside subcontainers.

For the file system, "container" means a folder and "object" means a file, but remember that ACLs can be set on many other kinds of objects, not all of which have a concept of "containers".
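The two answers above describe the same output format from two angles: the permission abbreviations and the inheritance flags. The following Python script is an added example, not code from the page or from Microsoft, that turns icacls lines into the English the question asked for and adds two checks an auditor wants: whether the ACEs are in the canonical order listed above, and which principals hold a write-capable right. Assumptions: icacls marks deny entries with a (DENY) token (not shown on the page), the WRITE_CAPABLE set is my own choice of rights worth flagging, and the SAMPLE text is constructed to look like `icacls .` output rather than captured from a real host.

```python
"""Decode icacls output lines into English (added example; not code from the page)."""
import re
from dataclasses import dataclass

# Simple rights (first list on the page).
SIMPLE_RIGHTS = {"F": "full access", "M": "modify access", "RX": "read and execute access",
                 "R": "read-only access", "W": "write-only access"}
# Specific rights (second list on the page).
SPECIFIC_RIGHTS = {
    "D": "delete", "RC": "read control", "WDAC": "write DAC", "WO": "write owner",
    "S": "synchronize", "AS": "access system security", "MA": "maximum allowed",
    "GR": "generic read", "GW": "generic write", "GE": "generic execute", "GA": "generic all",
    "RD": "read data/list directory", "WD": "write data/add file",
    "AD": "append data/add subdirectory", "REA": "read extended attributes",
    "WEA": "write extended attributes", "X": "execute/traverse", "DC": "delete child",
    "RA": "read attributes", "WA": "write attributes",
}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: rights that let a principal change content or the ACL itself (my own audit choice).
WRITE_CAPABLE = {"F", "M", "W", "GA", "GW", "WD", "AD", "D", "DC", "WDAC", "WO"}


@dataclass
class Ace:
    principal: str
    deny: bool      # True when a (DENY) token was present (assumed icacls syntax, not on the page)
    flags: set      # inheritance flags present, e.g. {"I", "OI", "CI"}
    rights: list    # right abbreviations, e.g. ["M"] or ["S", "WD", "AD", "X"]

    def inherited(self) -> bool:
        return "I" in self.flags

    def applies_to(self) -> list:
        """Where the ACE takes effect, following the (OI)/(CI)/(IO)/(NP) meanings above."""
        targets = []
        if "IO" not in self.flags:          # (IO): does not apply to this object itself
            targets.append("this folder")
        if "CI" in self.flags:              # (CI): inherited by subcontainers
            targets.append("subfolders")
        if "OI" in self.flags:              # (OI): inherited by objects (files)
            targets.append("files")
        if "NP" in self.flags and self.flags & {"CI", "OI"}:
            targets.append("one level only")  # (NP): not propagated into subcontainers
        return targets

    def explain(self) -> str:
        words = [SIMPLE_RIGHTS.get(r) or SPECIFIC_RIGHTS.get(r) or f"unknown right {r!r}"
                 for r in self.rights]
        origin = "inherited from parent" if self.inherited() else "set explicitly here"
        return (f"{self.principal}: {'DENIES' if self.deny else 'grants'} {', '.join(words)} "
                f"({origin}); applies to {', '.join(self.applies_to())}")


# principal, a colon, then a run of parenthesised tokens up to end of line
_ACE_LINE = re.compile(r"^(?P<principal>.*?):(?P<tokens>(?:\([^()]*\))+)\s*$")


def parse_icacls(text: str, path: str) -> list:
    """Parse `icacls <path>` output; only the first ACE line carries the path prefix."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        m = _ACE_LINE.match(line)
        if not m:
            continue                        # blank line or the "Successfully processed" trailer
        deny, flags, rights = False, set(), []
        for tok in re.findall(r"\(([^()]*)\)", m.group("tokens")):
            if tok == "DENY":
                deny = True
            elif tok in INHERITANCE_FLAGS:
                flags.add(tok)
            else:
                rights.extend(tok.split(","))   # simple right or comma-separated specific rights
        aces.append(Ace(m.group("principal").strip(), deny, flags, rights))
    return aces


def canonical_sort(aces: list) -> list:
    """Canonical order: explicit denies, explicit grants, inherited denies, inherited grants."""
    return sorted(aces, key=lambda a: (a.inherited(), not a.deny))   # stable, so ties keep order


def in_canonical_order(aces: list) -> bool:
    return [id(a) for a in aces] == [id(a) for a in canonical_sort(aces)]


def principals_with_write(aces: list) -> list:
    """Principals holding a write-capable right via a grant ACE (a listing, not effective rights)."""
    return sorted({a.principal for a in aces if not a.deny and WRITE_CAPABLE & set(a.rights)})


# Constructed sample in the layout `icacls .` prints; not captured from a real host.
SAMPLE = r""". NT AUTHORITY\IUSR:(I)(OI)(CI)(M)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  BUILTIN\Users:(I)(CI)(S,WD,AD,X)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  Everyone:(DENY)(NP)(OI)(CI)(D)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE, ".")
    for ace in aces:
        print(ace.explain())
    print("canonical order:", in_canonical_order(aces))
    print("write-capable principals:", principals_with_write(aces))
```

Run it and the first line reads "NT AUTHORITY\IUSR: grants modify access (inherited from parent); applies to this folder, subfolders, files", which is the plain-English reading of `(I)(OI)(CI)(M)`. The CREATOR OWNER entry shows why (IO) matters: it applies to subfolders and files but not to the folder itself. The constructed deny entry sits after inherited grants, so `in_canonical_order` reports False; a real ACL in that state is worth a second look because evaluation order affects which entry wins.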

    Thank you. I am google-literate and I can read. But I would like an English explanation of just what it means to have (I)RX. "container inherit" - explain what that means and be specific to the example I provided.
    – Cheeso
    Commented Aug 12, 2011 at 18:35
    In that case, you'll need a crash course in NTFS permissions.
    – surfasb
    Commented Aug 12, 2011 at 18:59
    If you are google-literate, then you can google "ntfs permissions", "ACL" and "File and registry permission." Frankly, to explain every line in layman's terms is essentially re-writing a whole Technet article for you.
    – surfasb
    Commented Aug 12, 2011 at 19:02
    One year later... Yes. Much better thank you. As to the others who say: "Go read it", that's what Superuser is for, isn't it? To answer questions that are not clearly answered elsewhere.
    – Cheeso
    Commented Aug 28, 2012 at 1:04
    I actually found (I) mentioned in icacls /? on Windows 7. It also had two separate "Delete" rights - (D) was formerly featured in the first list, with (DE) instead in the second list. See ss64.com/nt/icacls.html. It looks like things have changed slightly since then.
    – mwfearnley
    Commented Jul 11, 2017 at 8:04