Windows OS Hub

May 13, 2021 | Tools, Windows Server 2016, Windows Server 2019

How to Set, Copy, Export or Restore NTFS Permissions Using iCACLS?

You can use the built-in iCACLS tool to manage NTFS permissions on Windows. The icacls.exe command line tool allows you to get or change Access Control Lists (ACLs) for files and folders on the NTFS file system. In this article, we’ll look at useful commands for managing NTFS permissions on Windows with iCACLS.

Contents:
  • Using iCACLS to View and Set File and Folder Permissions
  • How to Backup (Export) Folder NTFS Permissions?
  • How to Restore NTFS Permissions with iCacls?
  • Resetting NTFS Permissions to Defaults
  • Copying NTFS Permissions from One Folder to Another

Using iCACLS to View and Set File and Folder Permissions

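The current access permissions on any object on an NTFS volume can be displayed as follows (the single-quoted paths in this article are PowerShell syntax; in cmd.exe, use double quotes and drop the trailing backslash):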

icacls 'C:\Share\Veteran\'

The command will return a list of users and groups that have been assigned access permissions. Permissions are specified using abbreviations:

  • F – full access
  • M – modify access
  • RX – read and execute access
  • R – read-only access
  • W – write-only access
  • D – delete

Inheritance rights are specified before access permissions (inheritance permissions are applied only to folders):

  • (OI) – object inherit
  • (CI) – container inherit
  • (IO) – inherit only
  • (I) – inheriting permissions from parent container

With icacls you can change folder permissions.

To grant the “resource\mun-fs01_Auditors” group read and execute (RX) permissions on the folder:

icacls 'C:\Share\Veteran\' /grant resource\mun-fs01_Auditors:RX

To remove a group from a directory ACL:

icacls 'C:\Share\Veteran\' /remove resource\mun-fs01_Auditors

With icacls you can enable NTFS permissions inheritance from the parent folder:

icacls 'C:\Share\Veteran\' /inheritance:e

Or disable inheritance and remove all inherited ACEs:

icacls 'C:\Share\Veteran\' /inheritance:r

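You can use icacls.exe to change the owner of a file or folder (/T processes subfolders and files, /C continues on errors, /L operates on a symbolic link itself rather than its target, /Q suppresses success messages):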

icacls 'C:\Share\Veteran\' /setowner resource\j.smith /T /C /L /Q

How to Backup (Export) Folder NTFS Permissions?

Before making significant changes to permissions (move, update ACLs, migrate resources) on an NTFS folder (or shared network folder), it is advisable to back up the old permissions. This copy will allow you to return to the original settings, or at least clarify the old permissions for a specific file/directory.

You can use the icacls.exe tool to export/import current NTFS directory permissions. To get all ACLs for a specific folder (including sub-directories and files), and export them to a text file, run the following command:

icacls g:\veteran /save c:\backup\veteran_ntfs_perms.txt /t /c

Note. The /t option processes all subdirectories and files, and /c tells icacls to continue when it hits access errors. Adding the /q option suppresses the messages about successfully processed file system objects.

Depending on the number of files and folders, exporting the permissions can take quite a long time. When the command finishes, it displays how many files were processed successfully and how many failed:

Successfully processed 3001 files; Failed processing 0 files

Open the file veteran_ntfs_perms.txt using any text editor. As you can see, it contains the full list of files and folders in a directory, and each item has the current permissions specified in SDDL (Security Descriptor Definition Language) format.

For example, the current NTFS permissions for the folder root are as follows:

D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2340243621-32346796122-2349433313-23777994)(A;OICI;0x1301bf;;;S-1-5-21-2340243621-32346796122-2349433313-23777993)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)S:AI

This string describes the access for some groups or users. We won’t consider SDDL syntax in detail (the SDDL format was briefly discussed in the article “How to View and Modify Service Permissions in Windows?”). Let’s focus on a small piece of SDDL by selecting just one object:

(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)

A – access type (Allow)

OICI – inheritance flag (OBJECT INHERIT + CONTAINER INHERIT)

FA – permission type (SDDL_FILE_ALL – all allowed)

S-1-5-21-2340243621-32346796122-2349433313-24109193 – SID of the account or domain group for which the permissions are set. To convert SID to the account or group name, use the following PowerShell command:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-2340243621-32346796122-2349433313-24109193")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

Or, with the Active Directory PowerShell module, use one of these commands (replace SID with the actual value):

Get-ADUser -Identity SID

or

Get-ADGroup -Identity SID

Thus, you have found that the user corp\dvivar had Full Control permissions on this directory.
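The manual SDDL reading and SID lookup above can be scripted to review a whole backup before restoring it. This is an added example, not code from the original article: the function name Get-IcaclsBackupAce, the sample lines and the sample domain SID are constructed, and the set of "broad" groups is an assumption to adjust for your environment.

```powershell
# Added example (not from the original article). Sample data below is constructed.
function Get-IcaclsBackupAce {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Assumed list of broad principals: Everyone, Authenticated Users, BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    # Write-type file rights plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000
    # The backup alternates: a relative path line, then that object's SDDL line
    for ($i = 0; ($i + 1) -lt $Lines.Count; $i += 2) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Lines[$i + 1])
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            # Translation fails for deleted accounts and for domains this host cannot reach
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $null }
            $isAllow = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
            [pscustomobject]@{
                Path       = $Lines[$i]
                Type       = $ace.AceType
                Inherit    = $ace.AceFlags
                # ToObject does not reject masks that contain generic-rights bits
                Rights     = [Enum]::ToObject($fsr, $ace.AccessMask)
                Sid        = $sid.Value
                Account    = $account
                Unresolved = $null -eq $account
                BroadWrite = $isAllow -and ($broadSids -contains $sid.Value) -and
                             (($ace.AccessMask -band $writeMask) -ne 0)
            }
        }
    }
}

# Constructed sample in the path/SDDL layout of an icacls /save file
$sample = @(
    'Veteran'
    'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105)S:AI'
    'Veteran\public'
    'D:AI(A;OICI;0x1301bf;;;WD)(A;OICIID;FA;;;BA)'
)
Get-IcaclsBackupAce -Lines $sample |
    Where-Object { $_.BroadWrite -or $_.Unresolved } |
    Format-Table Path, Rights, Sid, Account

# Against a real backup (assumes the file is UTF-16, "Unicode" in PowerShell terms):
# Get-IcaclsBackupAce -Lines (Get-Content C:\backup\veteran_ntfs_perms.txt -Encoding Unicode)
```

The hex masks decode to named rights here: 0x1200a9 is read and execute, 0x1301bf is modify.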

How to Restore NTFS Permissions with iCacls?

You can restore NTFS permissions on a folder using the previously created veteran_ntfs_perms.txt file. To set NTFS permissions on objects in the directory according to the values in the ACL backup file, run this command:

icacls g:\ /restore c:\backup\veteran_ntfs_perms.txt /t /c

Note. When importing permissions from the file, specify the path to the parent directory, not the path to the folder itself.

After all permissions have been recovered, the statistics on the number of the processed files will also be displayed.

Note that the backup ACL file contains relative, not absolute, file paths. This means that you can restore permissions on a folder even after moving it to a different drive/directory.

Resetting NTFS Permissions to Defaults

You can use the icacls tool to reset the folder permissions (as well as nested files and sub-directories).

icacls C:\share\veteran /reset /T /Q /C

This command re-enables inherited NTFS permissions for the specified object and removes any explicitly assigned permissions.

Copying NTFS Permissions from One Folder to Another

You can use a text file with ACLs backup to copy NTFS permissions from one directory to another.

First, back up NTFS permissions of the source folder:

icacls 'C:\Share\Veteran' /save C:\PS\save_ntfs_perms.txt /c

And then apply the saved ACLs to the target folder:

icacls D:\Share /restore C:\PS\save_ntfs_perms.txt /c

This will work if the source and destination folders are named the same. What if the target folder name is different? For example, you need to copy NTFS permissions to D:\PublicDOCS folder.

The easiest way is to open the save_ntfs_perms.txt file in Notepad and edit the folder name. Use the Replace function to replace the Veteran name with PublicDOCS.

Then import NTFS permissions from the file and apply them to the target folder:

icacls D:\ /restore C:\PS\save_ntfs_perms.txt /c
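A blind find-and-replace also rewrites nested files and folders that happen to contain the old name. The sketch below renames only the leading path component and leaves the SDDL lines alone. It is an added example, not code from the original article: the function name Rename-IcaclsBackupRoot, the sample lines and the output file name are constructed, and it assumes the backup is UTF-16 text with alternating path and SDDL lines.

```powershell
# Added example (not from the original article). Sample lines below are constructed.
function Rename-IcaclsBackupRoot {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$OldRoot,
        [Parameter(Mandatory)][string]$NewRoot
    )
    # Match the old name only as the whole first path component
    $pattern = '^' + [regex]::Escape($OldRoot) + '(?=\\|$)'
    # '$' is special in -replace replacement text, so double it
    $replacement = $NewRoot.Replace('$', '$$')
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($i % 2 -eq 0) { $Lines[$i] -replace $pattern, $replacement }  # path line
        else              { $Lines[$i] }                                  # SDDL line, unchanged
    }
}

# Constructed sample: the nested "Veteran 2019" folder and "Veteran.docx" must keep their names
$sample = @(
    'Veteran'
    'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)'
    'Veteran\Veteran 2019'
    'D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)'
    'Veteran\Veteran 2019\Veteran.docx'
    'D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)'
)
Rename-IcaclsBackupRoot -Lines $sample -OldRoot 'Veteran' -NewRoot 'PublicDOCS'

# With real files (assumed UTF-16; keep the same encoding when writing the edited copy):
# $lines = Get-Content C:\PS\save_ntfs_perms.txt -Encoding Unicode
# Rename-IcaclsBackupRoot -Lines $lines -OldRoot 'Veteran' -NewRoot 'PublicDOCS' |
#     Set-Content C:\PS\publicdocs_perms.txt -Encoding Unicode
# icacls D:\ /restore C:\PS\publicdocs_perms.txt /c
```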

It’s even easier to copy NTFS permissions from one folder to another using PowerShell:

Get-Acl -Path 'C:\Share\Veteran' | Set-Acl -Path 'E:\PublicDOCS'


3 comments

KnyghtReaper March 28, 2019 - 9:49 pm

This is very helpful. If I make a duplicate of the g:\veteran onto a new drive, say e:\veteran, and mess up my permissions on the e:\veteran version, is it possible to use the g:\veteran backup to restore on e:\veteran? Do I need to do something to change the ACL file to point to the new location and restore permissions there?

admin April 3, 2019 - 6:05 am

Yes, you can. You need to manually edit the file veteran_ntfs_perms.txt in any text editor: find and replace the path g:\ with e:\.

fedayn August 27, 2019 - 10:27 am

How could I manage the SACL “System access control list” with ICACLS?
