Home / server / Questions / 578129
Accepted
Mark Allison
Asked: 2014-02-26 03:04:51 +0800 CST

How to replace permissions and everything inside with icacls on Windows Server 2012?

  • 772

Using Windows Server 2012 R2 AND Windows Server 2008 R2.

I have a folder called C:\temp\test and I want to grant access to SYSTEM and a user and all files and subdirectories, and remove everthing else. I've tried this command but all the existing permissions remain:

Existing permissions are:

Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
         CREATOR OWNER Allow  268435456

I want to remove all ACLs except SYSTEM, and add <DOMAIN>\<USER>

I tried this command:

icacls c:\temp\test /grant:r <DOMAIN>\<USER>:(OI)(CI)F /t

processed file: c:\temp\test
Successfully processed 1 files; Failed processing 0 files

When I look at the permissions afterwards, the <DOMAIN>\<USER> has the correct permissions but all the others remain. I thought /grant:r replaced all the permissions? Do you know what command I need to run to remove all the other permissions?

windows-server-2008-r2

2 Answers

  1. Best Answer

    As mentionned is comments, you also have to use the /inheritance:r switch to remove inherited permissions.

    /grant:r only removes explicit permissions.

    icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /T

    To also grant SYSTEM :

    icacls c:\temp\test /inheritance:r /grant:r <DOMAIN>\<USER>:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F /T
    • 18

  2. The parameter /grant:r didn't work for me. I had to use /reset to revert permissions to inherintance only and then remove the inherited permissions. Don't forget to change subdirectories with /t flag.

    • 9