Bohack - https://www.bohack.com

Mastering Permissions with icacls.exe Command thru the GUI

The key to mastering permissions at the command line in Windows Vista and Windows Server 2008 is learning the icacls.exe command. Starting with Windows Vista, you can no longer select multiple items such as folders and files in Explorer and apply permissions to the whole group of objects at once. The recommended way to do that is from the command line with icacls.exe.


The icacls.exe command was introduced in Windows 2003 Service Pack 2. It now comes installed by default in Windows Vista, Windows Server 2008 (R2) and Windows 7, so administrators will need to learn this command sooner or later. Recently I found the tool to be very flexible and I extensively documented the options. I mapped the different command line options to the GUI, for the network admins who rely on the GUI and need it as a reference for how the same settings are expressed at the command line.

The first point that should be made about icacls.exe is that it defaults to edit mode: it adds to or changes entries in the existing DACL. The original cacls command defaults to replace mode, which discards the existing DACL. Next are the commands:

/grant grants permissions to a user; this is the Add option in the GUI.
/remove removes the user from the DACL and is equivalent to the Remove option in the GUI.

Note: /remove:g removes only the grant entries for the user, and /remove:d removes only the deny entries for the user.

/deny is equivalent to the Deny column in the GUI and should always be used cautiously.
/setowner is a handy little command which allows you to change the ownership of a file or folder to another user; this is similar to the Linux chown command.
/findsid finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article and may be covered in a future article.

The icacls command also has an /inheritance option, which performs the same function as un-checking “Include inheritable permissions from this object’s parent” in the GUI. The GUI then asks how to proceed: copy the inherited permissions onto the object, or remove them all. At the command line you state that choice directly:

/inheritance:e enables inheritance, the same as checking the box in the GUI.
/inheritance:d disables inheritance and copies the inherited permissions from the parent onto the object, the same as choosing Copy in the GUI.
/inheritance:r disables inheritance and removes the current inherited permissions, the same as choosing Remove in the GUI.

(Figure: Windows GUI mapped to icacls commands)

The next thing to learn is how inheritance is propagated for permissions. When using either /grant or /deny you build each entry as /grant {user}:{inheritance}{permissions}, where every inheritance flag and the permission set is enclosed in parentheses. The default in the GUI when applying permissions is “This folder, subfolders and files”, but at the command line that default is not implied: to get it you must write /grant {user}:(OI)(CI)({permissions}). The table below maps the GUI’s “Apply to” choices to the inheritance flags you need:

Apply to (GUI)                      icacls inheritance flags
This folder only                    (no inheritance flags)
This folder, subfolders and files   (OI)(CI)
This folder and subfolders          (CI)
This folder and files               (OI)
Subfolders and files only           (OI)(CI)(NP)(IO)
Subfolders only                     (CI)(IO)
Files only                          (OI)(IO)

The last thing to learn is the permissions. You can use macro permissions, also called simple permissions, or you can use advanced permissions. The simple permissions are the ones found on the Security tab of the properties dialog. The advanced permissions are the full list you get when you click Advanced. So, building on the permissions line from above: if we wanted to grant testuser Modify permissions on the folder test so that all subfolders and files inherit them, the line would be:

icacls test /grant testuser:(OI)(CI)(M)

Simple Permissions

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)
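As an added example (not from the original post), the following PowerShell script turns the GUI’s “Apply to” and simple-permission choices into an icacls entry using the two tables above, applies it in icacls’ default edit mode, and reads the result back. The folder C:\test and the account testuser are placeholders assumed for the example.

```powershell
# Added example (not from the original post): build an icacls ACE from the
# GUI wording, apply it in icacls' default edit mode, then read the DACL back.
# Assumes the folder C:\test and a local account "testuser" exist; both names
# are placeholders constructed for this example.

# "Apply to" drop-down in the GUI -> icacls inheritance flags (table above).
$ApplyTo = @{
    'This folder only'                  = ''
    'This folder, subfolders and files' = '(OI)(CI)'
    'This folder and subfolders'        = '(CI)'
    'This folder and files'             = '(OI)'
    'Subfolders and files only'         = '(OI)(CI)(NP)(IO)'
    'Subfolders only'                   = '(CI)(IO)'
    'Files only'                        = '(OI)(IO)'
}

# Check boxes on the Security tab -> icacls simple (macro) permissions.
$SimplePerms = @{
    'Full Control'         = 'F'
    'Modify'               = 'M'
    'Read & Execute'       = 'RX'
    'List Folder Contents' = 'X,RD,RA,REA,RC'
    'Read'                 = 'R'
    'Write'                = 'W'
}

function New-IcaclsAce {
    param([string]$Account, [string]$ApplyToChoice, [string]$Permission)
    if (-not $ApplyTo.ContainsKey($ApplyToChoice)) { throw "Unknown Apply-to choice: $ApplyToChoice" }
    if (-not $SimplePerms.ContainsKey($Permission)) { throw "Unknown permission: $Permission" }
    # Shape is {user}:{inheritance}({permissions}), e.g. testuser:(OI)(CI)(M)
    return '{0}:{1}({2})' -f $Account, $ApplyTo[$ApplyToChoice], $SimplePerms[$Permission]
}

$Folder = 'C:\test'
$Ace = New-IcaclsAce -Account 'testuser' -ApplyToChoice 'This folder, subfolders and files' -Permission 'Modify'

# Pass the ACE as one string: typed literally in PowerShell, (OI)(CI)(M) would be
# parsed as sub-expressions, so the ACE must be quoted or held in a variable.
icacls $Folder /grant $Ace
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed (exit code $LASTEXITCODE)" }

# Verify: the folder's DACL should now list testuser:(OI)(CI)(M), and /findsid /t
# lists every object under the folder whose DACL mentions the account.
icacls $Folder
icacls $Folder /findsid testuser /t
```

Run from an elevated prompt when the folder's DACL does not already give your account the right to change permissions.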

When you master this command you will be able to do anything with permissions from the command line, including understanding SDDL, the Security Descriptor Definition Language, which Microsoft uses to define permissions in Group Policy.