As every Windows administrator knows, NTFS permissions are some of our most useful weapons in the battle to keep our systems secure. In some cases, the Folder Options' Security tab offers an easy way to make minor permissions tweaks, but for repeatable or more complex jobs, the command line has always offered the most powerful tools, and in this case, the best one for the job has been Cacls—short for change access control list. However, Cacls has a few blind spots—for example, it's difficult to set permissions on a folder so that they're inherited. Because of these flaws, Microsoft might not include it in future Windows versions (although the tool is still around in Windows Vista).
Microsoft isn't leaving us out in the cold, though: Vista offers another permissions-focused command-line tool called Icacls. Just as Cacls does, Icacls lets you add or remove permissions, and at first glance Icacls appears to be a complete Cacls replacement. But it's not—it does a few things that Cacls can't do, and it lacks one extremely useful Cacls feature: You can't use it to hand-code a Security Descriptor Definition Language (SDDL) string. But in general, you'll find that Icacls improves upon Cacls.
How It Works
Icacls shows you a file's or folder's explicit and inherited file permissions, albeit in a somewhat encoded format. For example, if I create a file named test.txt, use the GUI to add an explicit Full Control permission for myself, and type
I'll get the output that Figure 1 shows.
The first permission—vbus32\Mark:(F)—shows that a local account named Mark has Full Control permissions on the vbus32 system. (F is Icacls shorthand for Full Control, as it is for Cacls.) The next permission refers to the System account, but notice that its permission contains not only an F but also an I. The I tells you that System inherited the Full Control permission. Interestingly, there's no code for explicit permissions—only for inherited permissions. Icacls has many other codes, but let me highlight two more codes in Figure 1's example: M is the Modify permission, and RX comprises the Read and Execute permissions.
You can use the /grant option to give a file or folder a permission. In its simplest form, it looks like
So, to give an account named Joe the power to delete test. txt, I could type
icacls test.txt /grant joe:d
(Incidentally, case doesn't matter. I could also have typed JOE:D, Joe:D, or joe:D.)
Note that when you use Cacls to grant a permission, you also (by default) remove all previously existing permissions, including the inherited ones! You can fix that by adding the /E option to Cacls, but I've forgotten /E often enough to welcome Icacls' new syntax. In short, Icacls doesn't first remove all existing permissions before granting a new one. If, however, you want Icacls to first remove any permissions that a given user has before granting a new one, you can replace /grant with /grant:r. For example, if I were to give Joe the Modify permission by typing
icacls test.txt /grant joe:m
and then give him Read and Execute permissions by typing
icacls test.txt /grant joe:rx
then the command Icacls Test.txt would show me only Joe's Modify permission, because the Modify permission includes Read and Execute. But if I were to instead type
icacls test.txt /grant:r joe:rx
Joe would have only Read and Execute.
You can use the /remove option to remove any explicit permission. (Icacls seems unable to remove inherited permissions.) To remove all of Joe's permissions, I'd type
icacls test.txt /remove joe
What's the "I" For?
I'm not quite sure what the "I" in Icacls stands for. Perhaps it means "inheritable" because the tool fixes the aforementioned Cacls problem, or maybe it means "integrity" because it lets you control Vista's integrity levels. Or maybe Icacls is just the Apple version of Cacls! Regardless, Icacls is a useful Cacls successor, but there's much more to it, as you'll see next month.