DOS command: icacls

The icacls command displays, modifies, backs up, or restores the ACLs of files and directories.

icacls /?  --- Show the official help text for icacls

icacls <FileName> [/grant[:r] <Sid>:<Perm>[...]] [/deny <Sid>:<Perm>[...]] [/remove[:g|:d] <Sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<Policy>[...]]
  icacls <Directory> [/substitute <SidOld> <SidNew> [...]] [/restore <ACLfile> [/c] [/l] [/q]]

Parameters

Parameter    Description
  

<FileName>

Specifies the file whose DACL is to be displayed.


  

<Directory>

Specifies the directory whose DACL is to be displayed.


  

/t

Perform operations on all specified files in the current directory and its subdirectories.


  

/c

Continue the operation despite any file errors. Error messages are still displayed.


  

/l

Perform the operation on the symbolic link itself instead of its target.


  

/q

Suppress the display of success messages.


  

[/save <ACLfile> [/t] [/c] [/l] [/q]]

Store the DACLs of all matching files in <ACLfile> for later use with /restore.


  

[/setowner <Username> [/t] [/c] [/l] [/q]]

Change the owner of all matching files to the specified user.


  

[/findsid <Sid> [/t] [/c] [/l] [/q]]

Find all matching files whose DACL explicitly refers to the specified security identifier (SID).


  

[/verify [/t] [/c] [/l] [/q]]

Find all files whose ACLs are not in canonical form or whose length is inconsistent with the ACE (access control entry) count.


  

[/reset [/t] [/c] [/l] [/q]]

Replace the ACLs of all matching files with the default inherited ACLs.


  

[/grant[:r] <Sid>:<Perm>[...]]

Grant access rights to the specified user. With :r, the permissions replace any previously granted explicit permissions.

Without :r, the permissions are added to any previously granted explicit permissions.


  

[/deny <Sid>:<Perm>[...]]

Explicitly deny the specified user access rights. An explicit deny ACE is added for the stated permissions, and the same permissions in any explicit grant are removed.


  

[/remove[:g|:d] <Sid>[...]] [/t] [/c] [/l] [/q]

Remove all occurrences of the specified SID from the DACL.

:g removes all occurrences of rights granted to the specified SID.

:d removes all occurrences of rights denied to the specified SID.


  

[/setintegritylevel [(CI)(OI)] <Level>:<Policy>[...]]

Explicitly add an integrity ACE to all matching files. The level is specified as:

  • L[ow]

  • M[edium]

  • H[igh]

Inheritance options for the integrity ACE may precede the level and are applied only to directories.


  

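[/substitute <SidOld> <SidNew> [...]]

Replace an existing SID (SidOld) with a new SID (SidNew). Requires the <Directory> parameter.

/restore <ACLfile> [/c] [/l] [/q]

Apply the stored DACLs from <ACLfile> to the files in the specified directory. Requires the <Directory> parameter.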

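Notes


A SID can be given in numeric form or as a friendly name. If the numeric form is used, prefix the SID with a *.

/T indicates that the operation is performed on all matching files and directories below the directories specified in the name.

/C indicates that the operation continues on all file errors. Error messages are still displayed.

/L indicates that the operation is performed on a symbolic link itself rather than on its target.

/Q indicates that icacls should suppress success messages.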

ICACLS preserves the canonical order of ACE entries:
  Explicit denials
  Explicit grants
  Inherited denials
  Inherited grants

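perm is a permission mask and can be specified in one of two forms:
  A sequence of simple rights:
  N - no access
  F - full access
  M - modify access
  RX - read and execute access
  R - read-only access
  W - write-only access
  D - delete access
  A comma-separated list of specific rights in parentheses:
  DE - delete
  RC - read control
  WDAC - write DAC
  WO - write owner
  S - synchronize
  AS - access system security
  MA - maximum allowed
  GR - generic read
  GW - generic write
  GE - generic execute
  GA - generic all
  RD - read data/list directory
  WD - write data/add file
  AD - append data/add subdirectory
  REA - read extended attributes
  WEA - write extended attributes
  X - execute/traverse
  DC - delete child
  RA - read attributes
  WA - write attributes
  Inheritance rights may precede either form and are applied only to directories:
  (OI) - object inherit
  (CI) - container inherit
  (IO) - inherit only
  (NP) - do not propagate inherit
  (I) - permission inherited from the parent container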
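
An added example, not part of the original page: a small Python parser for the <Sid>:<Perm> form described above, used to flag write-capable rights held by broad principals when reviewing ACLs. The names parse_ace and risky_aces, the WRITE_LIKE and BROAD sets, and the sample ACEs are assumptions made for illustration; only the token tables come from the page.

```python
import re

# Tokens transcribed from the permission-mask tables on this page.
INHERIT = {"OI", "CI", "IO", "NP", "I"}
RIGHTS = {"N", "F", "M", "RX", "R", "W", "D",                      # simple
          "DE", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW",   # specific
          "GE", "GA", "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
# Audit assumptions (not from the page): which rights count as write-capable
# and which well-known principals count as broad.
WRITE_LIKE = {"F", "M", "W", "D", "DE", "WDAC", "WO", "GW", "GA",
              "WD", "AD", "WEA", "DC", "WA"}
BROAD = {"everyone", "*s-1-1-0", "builtin\\users", "*s-1-5-32-545",
         "nt authority\\authenticated users", "*s-1-5-11"}
# Constructed sample ACEs in <Sid>:<Perm> form, not taken from a real system.
SAMPLE = [r"NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
          r"BUILTIN\Users:(I)(OI)(CI)(RX)",
          r"BUILTIN\Users:(OI)(CI)(IO)(WD,AD)",
          r"*S-1-1-0:(OI)(CI)M"]

def parse_ace(spec):
    """Split '<Sid>:<Perm>' into (sid, inheritance flags, rights)."""
    sid, sep, perm = spec.strip().rpartition(":")
    m = re.fullmatch(r"((?:\([^()]*\))*)([A-Za-z,]*)", perm)
    if not sep or not sid or not m:
        raise ValueError(f"not a <Sid>:<Perm> pair: {spec!r}")
    groups = re.findall(r"\(([^()]*)\)", m.group(1))
    if m.group(2):                      # bare simple right, e.g. ':F'
        groups.append(m.group(2))
    flags, rights = [], []
    for tok in (t.strip().upper() for g in groups for t in g.split(",")):
        if tok in INHERIT and not rights:   # flags must precede the rights
            flags.append(tok)
        elif tok in RIGHTS:
            rights.append(tok)
        else:
            raise ValueError(f"unknown or misplaced token {tok!r} in {spec!r}")
    if not rights:
        raise ValueError(f"no rights in {spec!r}")
    return sid, flags, rights

def risky_aces(specs):
    """Return (sid, write-capable rights, applies_to_object) for broad SIDs."""
    findings = []
    for spec in specs:
        sid, flags, rights = parse_ace(spec)
        hits = [r for r in rights if r in WRITE_LIKE]
        if sid.lower() in BROAD and hits:
            findings.append((sid, hits, "IO" not in flags))  # (IO): children only
    return findings
```

Calling risky_aces(SAMPLE) reports the two constructed entries that give Users and Everyone write-capable rights; the third field is False when (IO) limits the ACE to child objects.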

 


Origin blog.csdn.net/ChaoYue_miku/article/details/114155968