Setting permissions to default on Windows 10 cmd line, icacls or similar?
I’m trying to reset permissions for directories. I found icacls /reset, but that sets files to inherit from the «Parent Object» (directories work fine). Is there another tool, or another way to use icacls to set my files to inherit permissions from C:\Users\username, or D:\, or wherever the default is for new files in a location?
2 Answers 2
Besides Property -> Security of a folder/file, another way to do this is using Get-Acl and Set-Acl using PowerShell. Follow this guide: https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/
An easy way to see the Read/Write permissions on your files, I recommend this tool: https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum
on a stand-alone instance of Windows [10] there are usually four groups:
each file and each folder has access settings for each group:
in addition to that, each folder has inheritance settings for each group
the command icacls /reset will set the default ACL of a file or folder to whatever is inherited from the folder it is in
in order to reset a folder with all included files and subfolders to the default it will take three steps:
- open elevated cmd (not PowerShell)
- take ownership of all files and folders, if necessary (to be able to change ACLs in the first place)
- set the correct ACLs of the topmost folder, including inheritance
- reset the ACLs for everything below this topmost folder
- take ownership with:
- set the Windows default ACLs of the topmost folder with:
note: /remove:d deletes all «deny» ACLs (which would override «grant» ACLs)
note: to replace the ACLs, instead of adding to them, use ‘grant:r’ instead of ‘grant’
note: if you don’t care for individual permissions and just want everyone to be able to access the files, use: icacls /remove:d Everyone /grant:r Everyone:F
- reset ACLs for everything below the topmost folder to the ACLs of the topmost folder with:
Deny all folders permission from all users/administrators via CMD/Batch in Windows 7/8/10
I need to deny all folder permissions for all users, include administrators and others groups via batch file.
I found two topics about this, but i can’t solve my problem
This command works icacls D:\Desktop\test /deny Administrator:(OI)(CI)(DE,DC) , but this command affects only special permissions:
But I need to deny all others permissions like image:
I need to deny all permissions to all all users (administrators, system, and others) via batch, so that nobody can access this folder, not even the system, or the creator of the folder.
2 Answers 2
I hope I have helped you, This will change the permissions to ALL deny. To undeny it simply do this code
I think you should learn more about NTFS permissions (technically, the Discretionary Access Control Lists (DACL)) before complaining the appearances of the GUI.
The Security tab in files’ Properties dialog box have limited control over what permissions you can allow, and what you can deny. You should also ideas about the purposes of the built-in user groups, because specifically, the groups that appear in the GUI are never the only groups your system has (it only shows users or groups that have permission entries applied on the files).
For now, I will assume that you want to deny access to Everyone.
First: simply clicking Deny on Full control on all the users on the list is not enough.
You need to Deny two groups for this: the Everyone group and the Anonymous Logon group. (Because «Everyone» no longer includes anonymous logon since Windows XP)
After everyone is denied, it might be a good idea to remove inherited permission entries as well, since they no longer apply and waste your system a little time processing those entries.
With the guide above, I think you can teach yourself to operate all these on the GUI. The result should look something like this:
If you still have no idea what to do, here is the command-line equivalent (using icacls command — you need Windows Vista SP1 or later because of /inheritance option):
If the names «Everyone» or «Anonymous Logon» don’t work for you.
(Yes, it’s the same thing, but with SIDs specified in place of user names.)
Here is one caveat though: The owner of the files can change permissions whenever they want. And the Administrators can change the owner of the files at least to themselves. These are special privileges granted by the system that you can’t deny, so with a bit of effort, all process of setting this DACL are reversible by Administrators.
Change Windows 7 file permissions from command prompt
How can I change Windows 7 file permissions using the command prompt?
I want to change permissions in program files, but cacls is not working for me.
6 Answers 6
cacls is depcriated in Windows 7. You need to use ICACLS instead of cacls .
This command is granting the privileges.
To change permissions, use an administrator account on that machine to run CACLS . If you have UAC enabled, you may have to elevate the command prompt first by right-clicking on it and choosing «Run as Administrator».
You can use cacls as follows:
For example, to grant your user account full (F) control to files , you would use the following command (typed in an elevated Windows command prompt):
Read complete help by typing following command:
If, for any reason, files have become disassociated with the administrator account in Windows 7, using ICACLS will NOT restore them.
You are forced to manually click EACH file, one at a time, and select Properties > Security tab > Advanced button > Permissions tab > Continue button.
If enabled, approve UAC prompt for Permissions Editor for Files and Folders and Uncheck Include inheritible permissions from thsi object’s parent. Click the Remove button when prompted, then re-enable Include inheritible permissions, click OK.
This will restore your accesss to the file.
How can this be accomplished against an entire folder or set of files? Using ICACLS *.* /RESET does not work; it ends in error «Access is denied» for the files in question.
