A command-line tool to audit and modify file permissions makes a valuable addition to any systems administrator's toolbox. In Windows Vista and Windows Server 2003 Service Pack 2 (SP2), Microsoft included an updated version of its Cacls tool (cacls.exe) called Icacls (icacls.exe). Icacls helps you review, set, save, and restore folder and file permissions using user or group names or SIDs. Let's take Icacls out for a spin by using it to review, set, save, and restore rights on a set of folders.
Unlike Cacls, Icacls lets you save the ACL configurations of a folder and its subdirectories to a file and restore them later. Icacls offers the ability to search a set of directories for any rights that a particular SID has. You can grant or deny rights based not only on a user or group name but also on a SID. If you need to change more than just a few permissions or to repeatedly audit a set of folders, you'll find that Icacls is a time-saver. Using Icacls also reduces the chance of error, because you can make your changes in a text file (or a program such as Microsoft Excel) and then execute all the changes after you’ve double-checked your settings.
For demonstration purposes, we'll use a set of folders named HR, Finance, and IT contained in a parent directory called Documents. You'll need to create domain local groups named HR-Author, HR-Reader, Finance-Author, Finance-Reader, IT-Author, and IT-Reader, into which you'll add users who need either modify (i.e., author) or read-only (i.e., reader) access. This is a common permission model and will demonstrate the usefulness of Icacls.
Breaking Folder Inheritance
To set permissions on a subdirectory that are different from the permissions on the parent directory, you must first break folder permission inheritance. To do this, use the GUI to check for and remove any unwanted inherited ACLs and access control entries (ACEs) affecting the Documents folder.
Next, set the inheritance behavior of the ACEs that you add to the Documents folder. Right-click the Documents folder and click Properties. Click the Security tab, then the Advanced button. Select the Permissions tab, click Edit, and review the listed permissions entries. You should see entries labeled Domain Admins, Folder Operators, SYSTEM, and possibly others. Clear the Include inheritable permissions from this object’s parent check box in the Edit dialog box. Click the Copy button to copy the permissions entries. Now you've broken inheritance but have preserved the ability for the original groups, such as Domain Admins, to access the folder. Next, individually remove any permissions that you don’t want for the Documents folder by clicking the name of the ACE and then clicking Remove.
Now that you’ve broken inheritance and removed any unwanted permissions, run the command
icacls documents /T
to review the Documents folder’s ACLs, as Figure 1 shows.
Icacls lists all the rights of the Documents folder and—because you specified the /T parameter—its subdirectories (i.e., \Finance, \HR, \IT). At the end of each ACE (e.g., in documents\HR DOMAIN\Domain Admins: (I)(OI)(CI)(F)), you can see a list of the inheritance properties and the simple and specific rights. If the ACE is inherited from its parent, you'll see (I) listed before all of the other rights. We broke inheritance at the Documents level, but subdirectories under Documents still inherit from Documents.
Icacls also lets you set and observe the inheritance behavior of an object. For example, the applied inheritance This folder, subfolders, and files is denoted as (OI)(CI), which means that Object Inherit (OI) and Container Inherit (CI) are enabled. Icacls also uses the Inherit Only (IO) and Non-Propagate (NP) inheritance flags. You can set these inheritance properties when you use Icacls to define an ACE.
(F) represents Full access and (M) represents Modify access. Table 1 lists all the codes Icacls uses to define simple and specific rights.
Useful Commands to Get You Out of Trouble
Before you write a series of Icacls commands to set the permissions and inheritance for the subdirectories, back up the current ACLs using Icacls’ Save feature. Run the command
icacls documents\* /save acl-documents /T
to back up the ACLs of the Documents directory and its subdirectories to a file named acl-documents located in the directory in which you ran the Icacls command. It's a good idea to back up the ACLs because if you make a mistake when you’re tweaking them, you can quickly restore them to the point at which you saved them. To restore the ACLs, use the /restore parameter:
icacls Documents /restore acl-documents
You can also reset the permissions by running the command
icacls documents /reset /T
This command essentially enables permission inheritance at the folder level that you specified and wipes out any custom permissions on underlying directories. In addition to resetting any permissions work you’ve done on the Documents folder and its subdirectories, this command also re-enables inheritance, so use it with care.
Now, let's set permissions to allow a group to read from a specific folder. To grant the read and execute access (RX) right for the HR-Reader group to the Documents/HR directory, run the following command:
icacls documents\HR /grant "Domain\HR-Reader": (OI)(CI)(RX)
where Domain is the name of your domain.
This command adds a new ACE to the directory, but you could use the optional /grant:r parameter to replace previously set explicit rights. Also, this command adds the (OI) and (CI) inheritance flags so that any new folders or files placed into the HR directory inherit these rights. You can easily test whether the inheritance flags are working by creating a new subdirectory under the HR folder and running the command
icacls documents/HR /T
which shows you that the HR-Reader group has inherited the read and execute access (RX) right to the new folder that you created. If you omit the (OI)(CI) inheritance flags, your ACE will apply only to the folder on which you set it.
After you've set up one group's command the way you want it, you can then create Icacls commands for your remaining groups. The following commands set the permissions for our sample folders and groups:
icacls documents\HR /grant:r "domain\HR-Reader": (OI)(CI)(RX) icacls documents\Finance /grant:r "Domain\Finance-Reader": (OI)(CI)(RX) icacls documents\IT /grant:r "Domain\IT-Reader": (OI)(CI)(RX) icacls documents\HR /grant:r "Domain\HR-Author": (OI)(CI)(M) icacls documents\Finance /grant:r "Domain\Finance-Author": (OI)(CI)(M) icacls documents\IT /grant:r "Domain\IT-Author": (OI)(CI)(M)
Verifying and Auditing Permissions
After you run these commands, you can verify that the ACEs are properly set by again running the Icacls command with the /T parameter. Figure 2 shows the results; you can see that the subdirectories are correctly inheriting permissions. Icacls also includes a parameter called /findsid, which is useful for discovering whether a particular SID has rights to a folder or set of folders. For example, you can see whether the user jeff has rights in the Documents folder or any of its subdirectories by running the following command:
icacls documents /findsid "Domain\jeff" /T
Icacls audits the permissions and reports its findings. As Figure 3 shows, the user jeff has access to the Documents folder and the HR\salaries subdirectory. The /findsid parameter can also be quite useful in determining whether someone inappropriately changed permissions in a large directory structure where manually checking permissions is impractical. For more information about Icacls, see the Windows IT Pro article Windows Power Tools: "Icacls: The New and Improved Cacls?" May 2007, InstantDoc ID 95346.