ICACLS Command Guide - Manage NTFS Permissions and Access Control Lists
Master the icacls command for managing NTFS file and folder permissions in Windows. Includes syntax, permission types, practical examples, troubleshooting tips, and enterprise ACL management.
The icacls command (Integrity Control Access Control List) is a Windows utility that displays and modifies NTFS permissions on files and folders, managing Access Control Lists (ACLs) that determine which users and groups can read, write, modify, or delete resources. Use /grant to add permissions, /deny to explicitly block access, /remove to revoke permissions, and /T for recursive operations across directory trees.
Whether you're fixing broken permissions after malware cleanup, securing sensitive data with granular access controls, migrating file server permissions during organizational changes, or troubleshooting "Access denied" errors, icacls provides command-line control over NTFS security that surpasses Windows Explorer's GUI limitations. System administrators rely on icacls for bulk permission management, automated security hardening, and precise access control across enterprise environments.
This comprehensive guide covers icacls syntax, all permission types (Full Control, Modify, Read, Write, Execute), practical examples for common permission scenarios, inheritance management, integration with takeown for complete access control, troubleshooting tips, and frequently asked questions. By the end, you'll confidently manage NTFS permissions, understand Windows security models, and resolve complex access control issues.
What Is the ICACLS Command?
ICACLS (Integrity Control Access Control List) is the modern Windows command-line utility for managing NTFS permissions and Access Control Lists (ACLs). Introduced in Windows Vista and Windows Server 2008, icacls replaced the deprecated cacls utility with enhanced functionality, better syntax, and support for Windows integrity levels and mandatory labels.
NTFS permissions control access to files and folders through discretionary access control lists (DACLs) that specify which users and groups have what level of access:
- Full Control (F) – Complete access including read, write, delete, change permissions, take ownership
- Modify (M) – Read, write, delete files, but cannot change permissions or take ownership
- Read & Execute (RX) – Read file contents and execute programs
- Read (R) – View file contents and properties
- Write (W) – Create new files and modify existing content
- Special Permissions – Granular control over specific rights (e.g., delete, change permissions, read attributes)
ICACLS operates on:
- Files and folders – Set permissions on individual files or entire directory trees
- Inheritance – Enable or disable permission inheritance from parent folders
- Ownership – Display and modify file ownership (combined with takeown)
- Auditing – Configure system access control lists (SACLs) for security auditing
- Integrity levels – Manage mandatory integrity controls (low, medium, high, system)
ICACLS is essential for system administration, security hardening, data migration, and troubleshooting permission-related access denied errors. It works exclusively on NTFS volumes (not FAT32 or exFAT).
ICACLS Command Syntax
The basic syntax for the icacls command is:
icacls filename [/grant[:r] user:permission] [/deny user:permission] [/remove[:g|:d] user] [/T] [/C] [/L] [/Q]
Core Operations
| Operation | Description |
|---|---|
| icacls filename | Display current ACL (Access Control List) for the specified file or folder |
| /grant user:permission | Add permissions to specified user or group. Preserves existing permissions. |
| /grant:r user:permission | Replace existing permissions with specified permissions for user |
| /deny user:permission | Explicitly deny permissions to user (overrides grant) |
| /remove user | Remove all permissions for specified user from the ACL |
| /remove:g user | Remove all granted permissions for user (leaves denied permissions) |
| /remove:d user | Remove all denied permissions for user (leaves granted permissions) |
| /reset | Replace ACL with default inherited permissions from parent |
| /setowner user | Change ownership of the file or folder |
| /findsid SID | Find all files where specified SID (Security Identifier) has access |
| /save aclfile | Save ACLs for all matching files to aclfile for backup |
| /restore aclfile | Restore ACLs from aclfile saved with /save |
| /inheritance:e\|d\|r | Enable, disable, or remove inherited permissions |
Permission Types
| Permission | Code | Description |
|---|---|---|
| Full Control | F | Complete access: read, write, delete, change permissions, take ownership |
| Modify | M | Read, write, delete; cannot change permissions or take ownership |
| Read & Execute | RX | Read file contents and run executables |
| Read | R | View file contents and properties only |
| Write | W | Create new files and modify existing content |
| Delete | D | Delete files and folders |
Special Permission Codes
| Code | Permission | Description |
|---|---|---|
| DE | Delete | Delete the file or folder |
| RC | Read Control | Read security information (permissions) |
| WDAC | Write DAC | Change permissions |
| WO | Write Owner | Take ownership |
| S | Synchronize | Synchronize file access |
| AS | Access System Security | Access system ACL (auditing) |
| MA | Maximum Allowed | Use maximum permissions allowed |
| GR | Generic Read | Generic read access |
| GW | Generic Write | Generic write access |
| GE | Generic Execute | Generic execute access |
| GA | Generic All | Generic all access (Full Control) |
Common Parameters
| Parameter | Description |
|---|---|
| /T | Perform operation recursively on all subdirectories and files |
| /C | Continue on errors (don't stop on access denied) |
| /L | Perform operation on symbolic link itself, not target |
| /Q | Quiet mode—suppress success messages |
| /save aclfile | Backup ACLs to file for later restoration |
| /restore aclfile | Restore ACLs from backup file |
| /inheritance:e | Enable inheritance (default) |
| /inheritance:d | Disable inheritance, copy inherited ACEs |
| /inheritance:r | Remove all inherited ACEs |
Inheritance and Propagation Flags
| Flag | Meaning | Description |
|---|---|---|
| (OI) | Object Inherit | Files inherit this ACE |
| (CI) | Container Inherit | Folders inherit this ACE |
| (IO) | Inherit Only | ACE doesn't apply to current file, only inherited children |
| (NP) | No Propagate | Don't propagate inheritance beyond immediate children |
| (I) | Inherited | This ACE was inherited from parent folder |
Practical ICACLS Command Examples
Display Current Permissions
View the Access Control List for a file or folder:
icacls C:\Data\document.docx
Output shows users/groups and their permissions:
C:\Data\document.docx BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
DESKTOP-PC\User:(M)
- (F) = Full Control
- (M) = Modify
- (I) = Inherited permission
This diagnostic output identifies who has access and at what level—essential for troubleshooting access denied errors.
Grant Full Control to a User
Add Full Control permissions for a specific user:
icacls C:\Data\folder /grant User:(F)
Replace User with the actual username. For domain accounts: icacls C:\Data\folder /grant DOMAIN\User:(F)
This adds permissions without removing existing ACEs (Access Control Entries). Existing permissions for other users remain intact.
Grant Permissions Recursively
Apply permissions to a folder and all contents:
icacls C:\Data /grant User:(F) /T
The /T parameter processes all subdirectories and files. Essential for applying permissions to entire directory trees after data migration or organizational changes.
Enterprise use case: Grant HR department full access to personnel files: icacls C:\HR_Files /grant "HR Department":(F) /T
Replace Existing Permissions
Replace a user's existing permissions instead of adding to them:
icacls C:\Data\file.txt /grant:r User:(R)
The :r modifier replaces all existing permissions for that user with Read-only. Without :r, new permissions are added to existing ones.
Downgrade scenario: User previously had Full Control but now should have Read-only: /grant:r ensures old permissions are removed.
Deny Permissions
Explicitly deny access to a user or group:
icacls C:\Sensitive /deny User:(F) /T
Critical: Deny always overrides grant. If a user has both grant and deny, deny wins. Use deny sparingly—removing grant is usually better than adding deny.
Use case: Block specific users from accessing confidential folders even if they're in groups that have access.
Remove User Permissions
Remove all permissions (both grant and deny) for a user:
icacls C:\Data\file.txt /remove User
This completely removes the user from the ACL. The user will have no explicit permissions—access is then determined by group memberships or inheritance.
Cleanup scenario: Remove permissions for ex-employees: icacls C:\Projects /remove DOMAIN\FormerEmployee /T
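The difference between /deny and /remove described above, as an added Python model that is not part of the original guide. It goes one step beyond the text by modelling canonical ACE order, in which explicit entries are evaluated before inherited ones, so an explicit grant on a child can take effect ahead of a deny inherited from its parent. The CORP accounts and the simplified rights sets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified rights behind the guide's simple permission codes.
# This is a teaching model, not the real Windows access mask.
RIGHTS = {
    "R": {"read"},
    "W": {"write"},
    "RX": {"read", "execute"},
    "M": {"read", "write", "execute", "delete"},
    "F": {"read", "write", "execute", "delete",
          "change_permissions", "take_ownership"},
}


@dataclass(frozen=True)
class Ace:
    trustee: str
    code: str
    deny: bool = False
    inherited: bool = False


def canonical(dacl):
    """Order ACEs: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, not a.deny))


def access_check(dacl, token, wanted):
    """Walk the DACL until every wanted right is granted or one is denied."""
    remaining = set(wanted)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue  # ACE names someone else
        rights = RIGHTS[ace.code]
        if ace.deny:
            if rights & remaining:
                return False  # a right still being asked for is denied
        else:
            remaining -= rights
            if not remaining:
                return True
    return False  # rights nobody granted are refused


def grant(dacl, trustee, code):   # models /grant
    return dacl + [Ace(trustee, code)]


def deny(dacl, trustee, code):    # models /deny
    return dacl + [Ace(trustee, code, deny=True)]


def remove(dacl, trustee):        # models /remove: inherited ACEs stay
    return [a for a in dacl if a.inherited or a.trustee != trustee]


# Constructed accounts: alice is a member of the Staff group.
ALICE = {"CORP\\alice", "CORP\\Staff"}
STAFF_MODIFY = [Ace("CORP\\Staff", "M", inherited=True)]


def scenarios():
    granted = grant(STAFF_MODIFY, "CORP\\alice", "F")
    removed = remove(granted, "CORP\\alice")
    denied = deny(STAFF_MODIFY, "CORP\\alice", "F")
    child = [Ace("CORP\\alice", "F", deny=True, inherited=True),
             Ace("CORP\\alice", "R")]
    return {
        "group grant only, read": access_check(STAFF_MODIFY, ALICE, {"read"}),
        "after /deny, read": access_check(denied, ALICE, {"read"}),
        "after /remove, write": access_check(removed, ALICE, {"write"}),
        "after /remove, change_permissions":
            access_check(removed, ALICE, {"change_permissions"}),
        "explicit R over inherited deny, read": access_check(child, ALICE, {"read"}),
        "explicit R over inherited deny, write": access_check(child, ALICE, {"write"}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```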
Remove Only Granted or Denied Permissions
Remove granted permissions but keep denied:
icacls C:\Data /remove:g User /T
Remove denied permissions but keep granted:
icacls C:\Data /remove:d User /T
Useful when fixing overly restrictive deny rules without affecting legitimate grant permissions.
Reset Permissions to Defaults
Replace current permissions with default inherited permissions from parent:
icacls C:\Data\folder /reset /T
This removes all explicit permissions and re-inherits from parent folder. Caution: This can break access if parent folder has restrictive permissions.
Use case: Restore default permissions after malware modifies ACLs or after incorrect permission changes.
Grant Multiple Users Different Permissions
Apply different permission levels to multiple users in one command:
icacls C:\SharedFolder /grant Admin:(F) User1:(M) User2:(R) /T
This grants Full Control to Admin, Modify to User1, and Read to User2, all recursively.
Backup and Restore Permissions
Save permissions to a backup file before making changes:
icacls C:\Data /save C:\Backup\permissions.acl /T
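Restore permissions from backup if changes cause issues. The saved file records paths relative to the parent of the folder that was saved, so run /restore against that parent (C:\ here):
icacls C:\ /restore C:\Backup\permissions.acl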
Best practice: Always backup ACLs before bulk permission changes in production environments. Essential for rollback capability.
Change File Ownership
Transfer ownership of a file to a different user:
icacls C:\Data\file.txt /setowner Administrators
Note: Taking ownership from another user requires administrator privileges or the "Take Ownership" user right. Often paired with takeown command for initial ownership transfer.
Grant Permissions with Inheritance Control
Grant permissions that apply to current folder, subfolders, and files:
icacls C:\Data /grant User:(OI)(CI)F /T
- (OI) = Object Inherit (files inherit)
- (CI) = Container Inherit (folders inherit)
- F = Full Control
Without (OI)(CI), permissions apply only to the specified folder, not inherited children.
Disable Permission Inheritance
Disable inheritance and copy existing inherited permissions as explicit:
icacls C:\Data\folder /inheritance:d
Existing inherited permissions become explicit (editable) permissions. Use this to break inheritance when a subfolder requires different permissions than its parent.
Remove All Inherited Permissions
Disable inheritance and remove all inherited permissions:
icacls C:\Data\folder /inheritance:r
Critical: This leaves only explicit permissions. If no explicit permissions exist, nobody (including administrators) can access the folder. Always add explicit permissions before using /inheritance:r.
Recovery: Boot into Safe Mode or use takeown to regain access if accidentally locked out.
Common Use Cases for the ICACLS Command
- Fix "Access Denied" errors – Grant appropriate permissions when users report they cannot open, modify, or delete files. Diagnose with icacls filename to identify missing permissions, then add with /grant.
- Secure sensitive data – Restrict access to confidential folders (HR records, financial data, customer information) by removing default permissions and granting access only to authorized users or groups.
- Bulk permission changes during reorganization – Apply new permission structures across thousands of files when departments merge, employees change roles, or security policies are updated. Use /T for recursive operations.
- Data migration permission preservation – Backup permissions with /save before migrating data between servers or domains, then restore with /restore to maintain original access controls.
- Malware cleanup and security restoration – Reset permissions after malware modifies ACLs to hide files or block access. Use /reset /T to restore inherited permissions from parent folders.
- Remove permissions for deleted users – Clean up ACLs after employee departures by removing orphaned SIDs (Security Identifiers) that appear as long strings instead of usernames: /remove:g *S-1-5-21-xxx (numeric SIDs take a leading *).
- Shared folder permission management – Configure granular access controls on file server shares, granting read-only to general staff, modify to team leads, and full control to administrators.
- Automated security hardening scripts – Incorporate icacls in PowerShell or batch scripts for automated permission audits, compliance checks, and remediation of non-compliant permissions.
- Inheritance troubleshooting – Diagnose why subfolders don't inherit parent permissions using icacls folder to check for (I) flags. Break or restore inheritance with /inheritance parameters.
- Forensic investigation and e-discovery – Document current permissions with /save before legal or security investigations. Restore original permissions after analysis to maintain evidence integrity.
- Service account permission isolation – Grant specific permissions to service accounts (SQL Server, IIS, backup services) without over-privileging them. Use /grant:r to ensure they have only required permissions.
- Compliance and audit readiness – Export permissions to text files for audit documentation: icacls C:\Data /T > permissions_audit.txt. Demonstrate least-privilege access for SOC 2, HIPAA, or ISO 27001 compliance.
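One way to review such an audit export offline, as an added Python example that is not part of the original guide: it parses icacls text output, including paths and account names that contain spaces, and flags explicit entries for orphaned SIDs, deny ACEs, and broad groups holding F or M. The sample output, the SID, the CORP accounts and the list of "broad" groups are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout `icacls C:\Data /T` prints; not real output.
SAMPLE = r"""
C:\Data BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        CORP\HR Department:(OI)(CI)(M)
        Everyone:(OI)(CI)(F)

C:\Data\Old Projects S-1-5-21-1111111111-2222222222-3333333333-1105:(OI)(CI)(M)
                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                     CORP\jdoe:(DENY)(W,D)

C:\Data\notes.txt BUILTIN\Administrators:(I)(F)

Successfully processed 3 files; Failed processing 0 files
"""

FLAGS = {"I", "OI", "CI", "IO", "NP"}          # inheritance and propagation flags
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<groups>(?:\([^()]*\))+)$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")     # a SID icacls could not resolve to a name
# Assumption: groups treated as "broad" for this review.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}


@dataclass
class Ace:
    path: str
    trustee: str
    deny: bool
    inherited: bool
    flags: frozenset
    rights: tuple


def parse_ace(path, text):
    m = ACE_RE.match(text.strip())
    if not m:
        return None  # e.g. an "Access is denied." error line
    groups = re.findall(r"\(([^()]*)\)", m["groups"])
    flags = frozenset(g for g in groups if g in FLAGS)
    rights = tuple(r.strip() for g in groups
                   if g not in FLAGS and g != "DENY" for r in g.split(","))
    return Ace(path, m["trustee"], "DENY" in groups, "I" in flags, flags, rights)


def parse_block(block):
    first, rest = block[0], block[1:]
    indent = len(rest[0]) - len(rest[0].lstrip(" ")) if rest else 0
    if indent > 0:
        # Continuation lines are indented by len(path) + 1, which locates the
        # path/ACE boundary even when the path contains spaces.
        path, head = first[:indent - 1], first[indent:]
    else:
        # Single-ACE entry: the text layout is ambiguous if the path contains
        # spaces, so split at the first space.
        path, _, head = first.partition(" ")
    return [a for a in (parse_ace(path, t) for t in [head] + rest) if a]


def parse_icacls(text):
    aces, block = [], []
    for line in text.splitlines() + [""]:
        if line.strip() and not line.startswith("Successfully processed"):
            block.append(line)
            continue
        if block:
            aces.extend(parse_block(block))
            block = []
    return aces


def audit(aces):
    findings = []
    for a in aces:
        if a.inherited:
            continue  # inherited entries are fixed at the parent that defines them
        if SID_RE.match(a.trustee):
            findings.append((a.path, a.trustee, "orphaned SID"))
        if a.deny:
            findings.append((a.path, a.trustee, "explicit deny"))
        elif a.trustee.lower() in BROAD and {"F", "M"} & set(a.rights):
            findings.append((a.path, a.trustee, "broad group holds F or M"))
    return findings


if __name__ == "__main__":
    for path, trustee, reason in audit(parse_icacls(SAMPLE)):
        print(f"{path}: {trustee}: {reason}")
```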
Tips and Best Practices
- Always backup permissions before bulk changes – Use /save to backup ACLs before running /grant, /remove, or /reset operations. Provides rollback capability if changes cause access issues.
- Test on non-production data first – Incorrect permission changes can lock out users or expose sensitive data. Test icacls commands on test folders before applying to production environments.
- Use /C to continue on errors – In recursive operations, /C continues despite access denied errors on protected files. Without /C, the command stops at the first error, leaving operations incomplete.
- Quote paths and usernames with spaces – Enclose paths and usernames containing spaces in double quotes: icacls "C:\My Documents" /grant "Domain Users":(R).
- Understand deny vs. remove grant – Deny explicitly blocks access even if user is in groups with access. Removing grant simply revokes explicit permission—user may still access via group membership or inheritance. Prefer removing grant over adding deny.
- Document inheritance flags for folder permissions – Use (OI)(CI) when granting folder permissions to ensure files and subfolders inherit: /grant User:(OI)(CI)F. Without these flags, only the folder itself gets permissions.
- Run as Administrator for full functionality – Icacls requires elevated privileges for most operations, especially modifying permissions on system files or folders owned by other users.
- Use /Q in scripts to suppress output – Quiet mode reduces log verbosity in automated scripts. For auditing, omit /Q to capture detailed output for troubleshooting.
- Combine with takeown for complete access – If icacls fails with "Access denied," take ownership first with takeown /F path /A /R /D Y, then use icacls to set permissions.
- Verify permissions after changes – Always run icacls filename after modification commands to confirm permissions were applied correctly. Check for unexpected inherited or denied permissions.
- Use specific permission codes for least privilege – Don't default to Full Control (F). Use Read (R), Modify (M), or Read & Execute (RX) based on actual requirements to minimize security risk.
- Monitor for orphaned SIDs after account deletion – When user accounts are deleted, ACLs show SIDs (e.g., S-1-5-21-xxx) instead of names. Use /remove *S-1-5-21-xxx /T (numeric SIDs take a leading *) to clean up orphaned permissions.
Troubleshooting Common Issues
"Access is Denied" When Running ICACLS
Problem: ICACLS fails with "Access is denied" error when attempting to modify permissions.
Cause: Insufficient privileges, file owned by another user, or file protected by Windows Resource Protection (WRP).
Solution:
- Run Command Prompt as Administrator (right-click, "Run as administrator")
- Take ownership first with takeown /F filename /A before running icacls
- For system files, boot into Safe Mode to bypass WRP protection
- Check if file is in use—close applications or use handle.exe to identify locks
Prevention: Always run elevated Command Prompt when managing permissions on files outside your profile folder.
Permissions Don't Propagate to Subfolders
Problem: Using /T but subfolders don't inherit new permissions.
Cause: Missing inheritance flags (OI) and (CI) in grant command, or inheritance is disabled on child folders.
Solution:
icacls C:\Data /grant User:(OI)(CI)F /T
Add (OI)(CI) to enable Object Inherit and Container Inherit. Check child folders: if they show /inheritance:d, re-enable with:
icacls C:\Data\subfolder /inheritance:e
Prevention: Always use (OI)(CI) when granting permissions on folders intended to propagate to children.
"The Parameter is Incorrect" Error
Problem: ICACLS returns "The parameter is incorrect" error.
Cause: Incorrect syntax, missing colon between user and permission, unquoted paths/usernames with spaces, or invalid permission codes.
Solution:
- Verify syntax: /grant User:(F) not /grant User:F (no parentheses is also valid but less clear)
- Enclose in quotes: /grant "Domain Users":(R)
- Check permission code spelling: F, M, RX, R, W, D (case-insensitive but conventional)
- Verify username exists: net user or whoami to confirm spelling
Prevention: Use Tab completion for paths and verify username with net user before constructing icacls commands.
Cannot Remove Inherited Permissions
Problem: /remove doesn't remove permissions that show (I) inherited flag.
Cause: Inherited permissions cannot be removed directly—they must be removed at the source (parent folder) or inheritance must be disabled.
Solution: Disable inheritance and convert inherited permissions to explicit:
icacls C:\Data\folder /inheritance:d
Then remove the explicit permission:
icacls C:\Data\folder /remove User
Alternative: Change permission at parent folder and let inheritance propagate: icacls C:\Data /remove User /T
Prevention: Understand (I) flag indicates inherited permissions controlled by parent folder, not the current file.
Accidentally Locked Out of Folder
Problem: After using /inheritance:r, nobody can access the folder, including administrators.
Cause: /inheritance:r removed all inherited permissions without adding explicit permissions, leaving the folder inaccessible.
Solution: Boot into Safe Mode or use recovery environment, then:
takeown /F C:\LockedFolder /A /R /D Y
icacls C:\LockedFolder /grant Administrators:(F) /T
This takes ownership and grants full control to Administrators group.
Prevention: Never use /inheritance:r without immediately adding explicit permissions: icacls folder /inheritance:r /grant Administrators:(OI)(CI)F
Changes Not Visible in Windows Explorer
Problem: ICACLS reports success, but permissions don't appear changed in File Explorer.
Cause: Windows Explorer caches security information. Inherited permissions may be hiding explicit changes.
Solution:
- Refresh Windows Explorer with F5
- Close and reopen Properties → Security tab
- Verify with icacls filename in Command Prompt to confirm actual ACL state
- Check Advanced → Effective Access to see combined permissions from all sources
Prevention: Trust icacls output over Explorer GUI—icacls shows the actual ACL state without caching.
"The System Cannot Find the File Specified"
Problem: ICACLS fails with "system cannot find the file specified" error.
Cause: Incorrect path, typo in filename, or file on non-NTFS volume (FAT32, exFAT).
Solution:
- Verify path exists: dir "C:\Path" to confirm
- Check file system: fsutil fsinfo volumeinfo C: (must be NTFS)
- Use Tab completion to auto-complete paths and avoid typos
- For network paths, ensure share is accessible: net use to check mapped drives
Prevention: Copy paths from File Explorer or use Tab completion in Command Prompt.
Related Commands
takeown – Take Ownership of Files
takeown transfers file ownership to the current user or Administrators group. Ownership grants the right to modify permissions even when current permissions deny access.
Takeown + icacls workflow:
- takeown /F path /A /R /D Y – Take ownership
- icacls path /grant Administrators:(F) /T – Grant full control
- Access or modify files as needed
When to use takeown: Before icacls if "Access denied" errors occur due to ownership by another user or deleted account.
attrib – File Attributes
attrib manages file attributes (read-only, hidden, system, archive). Sometimes files resist permission changes due to attributes, not just ACLs.
Combined workflow:
attrib -r -h -s C:\File.txt
takeown /F C:\File.txt /A
icacls C:\File.txt /grant Administrators:(F)
Advantage: Clearing read-only and system attributes before permission changes prevents unexpected errors.
cacls – Legacy Permissions Tool
cacls is the deprecated predecessor to icacls, still available for backward compatibility. Limited functionality compared to icacls—no inheritance control, no save/restore, no integrity level support.
Migration: Replace cacls commands in old scripts with icacls equivalents for continued support and enhanced features.
PowerShell Get-Acl and Set-Acl
PowerShell ACL cmdlets provide object-oriented permission management with rich filtering and pipeline integration.
Example—grant permissions with PowerShell:
$acl = Get-Acl C:\Data
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Modify","Allow")
$acl.SetAccessRule($rule)
Set-Acl C:\Data $acl
Advantage: PowerShell offers conditional logic, error handling, and integration with Active Directory for complex automation. Use icacls for quick command-line fixes; use PowerShell for enterprise-scale automation.
SubInACL – Advanced Permissions Tool
SubInACL (separate Microsoft download) provides advanced permission management for files, registry, and services with complex filtering and migration capabilities.
When to use SubInACL: Migrating permissions between domains, bulk SID translation, or conditional permission updates based on ownership or existing ACLs. More powerful than icacls for enterprise migrations.
net share – Share-Level Permissions
net share manages network share permissions (separate from NTFS permissions). Both share and NTFS permissions apply to network access—most restrictive wins.
Example: net share SharedFolder=C:\Data /GRANT:Everyone,READ
Integration: Configure share permissions with net share, then use icacls for NTFS permissions on the underlying files.
robocopy /SEC – Copy with Security
robocopy (Robust File Copy) preserves NTFS permissions, ownership, and auditing during file copies. Use /SEC to copy security attributes or /COPYALL for comprehensive preservation.
Example: robocopy C:\Source D:\Backup /MIR /SEC /COPYALL
Integration: Use icacls to verify permissions after robocopy operations or modify permissions on copied files.
Frequently Asked Questions
What does the icacls command do?
The icacls command displays and modifies NTFS file and folder permissions (Access Control Lists) in Windows. It grants, denies, or removes read, write, modify, and full control permissions for users and groups. Icacls replaces the deprecated cacls utility and provides command-line control over Windows security, essential for bulk permission changes, troubleshooting access denied errors, and automated security management.
How do I grant full control with icacls?
Use icacls filename /grant User:(F) to grant Full Control permissions to a user. For domain accounts: icacls filename /grant DOMAIN\User:(F). Add /T for recursive operations: icacls C:\Folder /grant User:(F) /T. This applies Full Control to the folder and all contents. Replace User with the actual username or group name.
What is the difference between icacls and takeown?
Takeown changes file ownership (who owns the file), while icacls manages permissions (who can read, write, or delete the file). Ownership grants the right to change permissions but doesn't automatically grant access. Workflow: Use takeown first if "Access denied" due to ownership, then use icacls to grant permissions for actual file access.
How do I remove all permissions with icacls?
Use icacls filename /remove User to remove all permissions (grant and deny) for a user. To remove only granted permissions: /remove:g User. To remove only denied permissions: /remove:d User. For recursive removal: icacls C:\Folder /remove User /T. This completely removes the user from the ACL.
How do I backup and restore permissions with icacls?
Backup: icacls C:\Folder /save C:\Backup\perms.acl /T. This saves all ACLs for the folder and contents to a file. Restore: icacls C:\ /restore C:\Backup\perms.acl, run against the parent of the saved folder because the file stores paths relative to it. Always backup permissions before bulk changes in production to enable rollback if changes cause access issues.
What do (OI) and (CI) mean in icacls output?
(OI) means Object Inherit—files inherit this permission. (CI) means Container Inherit—subfolders inherit this permission. (I) means Inherited—the permission was inherited from a parent folder, not explicitly set. Use (OI)(CI) when granting folder permissions to ensure inheritance: icacls folder /grant User:(OI)(CI)F.
How do I reset NTFS permissions to defaults?
Use icacls filename /reset /T to replace current permissions with default inherited permissions from the parent folder. This removes all explicit permissions and re-enables inheritance. Caution: This can break access if parent folder has restrictive permissions. Always backup with /save before using /reset.
Can icacls work on network drives?
Yes, icacls works on UNC network paths (\\server\share\file) and mapped network drives, provided you have appropriate NTFS permissions on the remote system. Network operations modify NTFS permissions, not share-level permissions (use net share for share permissions). Administrator credentials may be required for remote permission changes.
What does "Access denied" mean with icacls?
"Access denied" occurs when you lack permissions to modify the ACL, don't own the file, or haven't elevated to administrator. Solutions: Run Command Prompt as Administrator, use takeown /F filename /A to take ownership first, verify you have WRITE_DAC permission, or boot into Safe Mode for system files protected by Windows Resource Protection.
How do I deny permissions with icacls?
Use icacls filename /deny User:(F) to explicitly deny Full Control. Deny always overrides grant—if a user has both, deny wins. Use sparingly because deny is powerful and can cause unexpected access blocks. Better practice: Remove grant with /remove instead of adding deny, unless explicit blocking is required.
What is the /T parameter in icacls?
/T performs the operation recursively on all subdirectories and files within the specified folder. Example: icacls C:\Data /grant User:(F) /T grants Full Control to User on the Data folder and all contents. Essential for bulk permission changes across directory trees. Combine with /C to continue on errors: /T /C.
Why do permissions not propagate to subfolders?
Missing (OI)(CI) inheritance flags or disabled inheritance on child folders prevents propagation. Solution: Use icacls folder /grant User:(OI)(CI)F /T to enable inheritance. If child folders have /inheritance:d, re-enable with icacls subfolder /inheritance:e to allow propagation from parent.
Quick Reference Card
| Command | Purpose | Example Use Case |
|---|---|---|
| icacls file | Display permissions | Diagnose access denied errors |
| icacls file /grant User:(F) | Grant Full Control | Provide complete access |
| icacls folder /grant User:(F) /T | Grant recursively | Apply to folder and contents |
| icacls file /grant:r User:(R) | Replace with Read-only | Downgrade permissions |
| icacls file /deny User:(F) | Deny access | Block specific users |
| icacls file /remove User | Remove all permissions | Clean up deleted user ACLs |
| icacls folder /reset /T | Reset to defaults | Fix broken permissions |
| icacls folder /save backup.acl /T | Backup permissions | Enable rollback |
| icacls folder /restore backup.acl | Restore permissions | Undo permission changes |
icacls folder /inheritance:d | Disable inheritance | Break permission inheritance |
Summary
The icacls command is essential for managing NTFS file and folder permissions through Access Control Lists (ACLs). Use /grant to add permissions, /deny to block access, /remove to revoke permissions, and /reset to restore defaults. Apply /T for recursive operations across directory trees and /C to continue on errors during bulk operations.
Understand permission types: Full Control (F), Modify (M), Read & Execute (RX), Read (R), and Write (W). Use inheritance flags (OI)(CI) when granting folder permissions to ensure subfolders and files inherit properly. Always backup permissions with /save before bulk changes in production environments.
Combine icacls with takeown for complete access control: takeown establishes ownership, icacls sets permissions. Master icacls for troubleshooting access denied errors, securing sensitive data, bulk permission management during organizational changes, and automated security hardening across enterprise infrastructure.
For advanced automation, consider PowerShell's ACL cmdlets which offer richer functionality and better error handling. Icacls remains the fastest tool for quick command-line permission fixes, scripted permission audits, and integration with existing batch file workflows in Windows environments.