
ICACLS.EXE : ACL command line management


Ever wanted to back up your ACLs for every file in a folder? With Windows Vista and Microsoft Windows Server 2003 SP2, a new tool called ICACLS has been released.


To back up the ACLs of every file in a directory, type:


icacls * /save aclfile.txt


This command saves the ACLs of all the files in the directory to a file called aclfile.txt. You can add “/T” to include all the subfolders.


You can later restore the ACLs from that file using the /restore option with aclfile.txt.


This is great when an application or administrator makes changes to the ACLs and then forgets what they changed when it causes a problem.
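
Two saved ACL files can be compared to see exactly what was changed. The following is an added example, not part of the original article: it assumes the /save file is UTF-16 text that alternates a path line with that path's SDDL line, and the sample data and SID in it are constructed.

```python
import re

# Each ACE in an SDDL string is a parenthesised group:
# (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_acl_backup(text):
    """Map each saved path to the set of ACE strings in its SDDL line."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/SDDL line pairs")
    # Assumed layout: a path line followed by that path's SDDL line.
    return {path: set(ACE_RE.findall(sddl))
            for path, sddl in zip(lines[0::2], lines[1::2])}

def load_backup(filename):
    """Read a backup file from disk (assumed to be UTF-16 encoded)."""
    with open(filename, encoding="utf-16") as fh:
        return parse_acl_backup(fh.read())

def diff_backups(before, after):
    """Return {path: (added_aces, removed_aces)} for every path that differs."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path, set()), after.get(path, set())
        if old != new:
            changes[path] = (sorted(new - old), sorted(old - new))
    return changes

# Constructed sample data: the same folder saved before and after a change.
BEFORE = r"""reports
D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
reports\q1.xlsx
D:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
"""
# Constructed SID; the new explicit ACE grants read and execute (0x1200a9).
AFTER = r"""reports
D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
reports\q1.xlsx
D:AI(A;;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
"""

if __name__ == "__main__":
    result = diff_backups(parse_acl_backup(BEFORE), parse_acl_backup(AFTER))
    for path, (added, removed) in result.items():
        print(path, "added:", added, "removed:", removed)
```

Use load_backup on two real files taken at different times to review a change before deciding whether to restore.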


You can also modify the ACE of a file. This is the “Access Control Entry”; it controls how different processes can access files. You do this by changing the Integrity Level of a file to Low, Medium or High. The Integrity Level, or IL, indicates whether a process may access a particular file. When a process launches, it is given an IL, typically the same IL as its parent process.


You can see the Integrity Level of your processes using a tool like Process Explorer.



This is useful if you have sensitive files that you don’t want low-permission processes accessing. For example, IE runs with a low integrity level automatically, so it can’t access files on the system that have a medium or high IL.


To change the IL on a file, type:


icacls filename.ext /setintegritylevel L


This will set the Integrity Level to Low. M or H will set it to medium or high respectively.


Finally, another great feature in ICACLS is the ability to set permissions on a large number of folders and subfolders without using inheritance. This is great because in our never-perfect worlds we often get requests to give permissions to a large directory tree, like a departmental share drive. Such a tree often contains lots of folders with lots of specific permissions. Often your first reaction is to add the user to the ACL and force inheritance on all other folders. This can cause major issues if subfolders had inheritance disabled to provide specific permissions for a user. Using ICACLS we can avoid this issue.


To propagate a new permission to a large number of files and subfolders, use:


icacls * /grant accountName:(NP)(RX) /T


The * is the file filter, and accountName is the account name you wish to apply to the files and folders. NP is the parameter used to specify that ICACLS should not set the inherit parent permission to on. RX stands for Read and Execute (to get a full list of these parameters, type icacls /?), and /T instructs ICACLS to apply this to all folders and subdirectories. Below is a sample output for that operation:



These are some of the neat things. With ICACLS we can now script ACL changes and get more granular control over permissions.

Written by daniel.nerenberg.