You need to control who can access, modify, or delete files on your Windows computer. That’s where icacls.exe comes in. This built-in Windows command-line tool lets you view, modify, back up, and restore file and folder permissions with precision that the graphical interface simply can’t match.
In this guide, you’ll learn exactly how icacls.exe works, when to use it, and how to solve real permission problems you face every day.
What Is icacls.exe?
icacls.exe (Integrity Control Access Control Lists) is a Windows command-line utility that manages NTFS file and folder permissions. It replaced the older cacls.exe tool starting with Windows Vista and offers more functionality.
Location: C:\Windows\System32\icacls.exe
Purpose: Display, modify, back up, and restore Access Control Lists (ACLs) for files and directories.
Key advantage: You can automate permission changes across thousands of files instantly. The Windows Properties dialog becomes impractical when you need bulk changes or precise control.
Why Use icacls.exe Instead of GUI Tools?
The graphical permissions interface works fine for simple tasks. But icacls.exe excels when you need:
Bulk operations: Change permissions on hundreds of folders simultaneously.
Automation: Script permission changes that run automatically.
Inheritance control: Precisely manage how permissions flow to subfolders.
Advanced permissions: Access permission types not visible in the GUI.
Remote management: Modify permissions on network shares from your command line.
Troubleshooting: Diagnose permission issues the GUI can’t show clearly.
Basic icacls.exe Syntax
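Open Command Prompt or PowerShell as Administrator to use icacls.exe. The commands in this guide are written for Command Prompt; in PowerShell, put any argument that contains parentheses, such as the permission specifications shown later, in quotes, because PowerShell otherwise treats the parentheses as expressions. Here’s the basic structure: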
icacls [filepath] [/parameter]
Common parameters:
- /grant – Add new permissions
- /deny – Explicitly deny permissions
- /remove – Delete permissions
- /reset – Reset permissions to default inherited values
- /inheritance – Control inheritance settings
- /save – Back up permissions to a file
- /restore – Restore permissions from backup
Understanding Permission Masks
icacls.exe uses abbreviated codes for permissions. You must understand these to use the tool effectively.
Basic Permission Codes
| Code | Permission | What It Means |
|---|---|---|
| F | Full control | Complete access to everything |
| M | Modify | Read, write, delete files and subfolders |
| RX | Read and execute | View contents and run programs |
| R | Read | View file contents only |
| W | Write | Create new files and write data |
| D | Delete | Remove files and folders |
Advanced Permission Codes
| Code | Permission | What It Means |
|---|---|---|
| DE | Delete | Delete files specifically |
| RC | Read control | Read security information |
| WDAC | Write DAC | Change permissions |
| WO | Write owner | Take ownership |
| S | Synchronize | Access for synchronization |
Inheritance Codes
- (OI) – Object inherit (files in this folder)
- (CI) – Container inherit (subfolders)
- (IO) – Inherit only (applies to children, not this object)
- (NP) – Don’t propagate (don’t pass to grandchildren)
- (I) – Permission inherited from parent
How to View File Permissions with icacls.exe
Start by examining current permissions. This helps you understand what exists before making changes.
View permissions for a single file:
icacls C:\Users\Documents\report.docx
View permissions for a folder:
icacls C:\Projects
Output example:
C:\Projects BUILTIN\Administrators:(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            DOMAIN\JohnDoe:(OI)(CI)(M)
This shows:
- Administrators have full control, inherited by objects and containers
- SYSTEM account has full control
- User JohnDoe has modify permissions
View permissions for all files in a folder:
icacls C:\Projects\*
View permissions recursively (all subfolders):
icacls C:\Projects\* /T
The /T parameter traverses all subdirectories.
Granting Permissions with icacls.exe
Adding permissions gives users or groups access to files and folders.
Grant Full Control to a User
icacls C:\Projects /grant JohnDoe:F
This gives JohnDoe full control over the Projects folder only, not its contents.
Grant Permissions with Inheritance
icacls C:\Projects /grant JohnDoe:(OI)(CI)F
This grants full control to the folder, all files inside it (OI), and all subfolders (CI).
Grant Modify Permissions
icacls C:\SharedFiles /grant "Marketing Team":(OI)(CI)M
Put group names with spaces in quotes. The Marketing Team can now modify files but can’t change permissions.
Grant Read-Only Access
icacls C:\Reports /grant Interns:(OI)(CI)RX
Interns can read and execute files but cannot modify anything.
Grant Multiple Permission Types
icacls C:\Data /grant User1:(OI)(CI)M User2:(OI)(CI)RX
Grant different permissions to multiple users in one command.
Removing Permissions with icacls.exe
Remove permissions when users no longer need access or you’re fixing permission issues.
Remove All Permissions for a User
icacls C:\Projects /remove JohnDoe
Removes all of JohnDoe’s permissions from the Projects folder.
Remove Inherited Permissions
icacls C:\Projects /remove:g JohnDoe
The /remove:g parameter removes only granted permissions, not inherited ones.
Remove Permissions Recursively
icacls C:\Projects /remove JohnDoe /T
Removes JohnDoe’s permissions from the folder and everything inside it.
Denying Permissions with icacls.exe
Deny permissions override all other permissions. Use them sparingly because they can cause unexpected access problems.
Deny Access to a Specific User
icacls C:\Confidential /deny JohnDoe:(OI)(CI)F
JohnDoe cannot access this folder even if he belongs to a group that has permissions.
Deny Write Access Only
icacls C:\ReadOnlyData /deny Users:(OI)(CI)W
Users can read files but cannot write or modify anything.
Important: Deny permissions always win. If a user has both grant and deny permissions, the deny takes effect.
Resetting Permissions to Default
When permissions become corrupted or overly complex, reset them to Windows defaults.
Reset Single Folder Permissions
icacls C:\Projects /reset
Restores default inherited permissions from the parent folder.
Reset Permissions Recursively
icacls C:\Projects\* /reset /T /C
- /T applies to all subdirectories
- /C continues on errors instead of stopping
This command is invaluable when fixing permission problems across an entire directory structure.
Managing Permission Inheritance
Inheritance determines whether permissions flow from parent to child folders. Understanding it prevents permission conflicts.
Disable Inheritance and Copy Permissions
icacls C:\Projects /inheritance:d
Disables inheritance but keeps existing inherited permissions as explicit permissions.
Disable Inheritance and Remove Inherited Permissions
icacls C:\Projects /inheritance:r
Disables inheritance and removes all inherited permissions. Only explicitly set permissions remain.
Enable Inheritance
icacls C:\Projects /inheritance:e
Re-enables inheritance from the parent folder.
Taking Ownership with icacls.exe
Sometimes you need ownership rights before you can change permissions.
Take Ownership of a File
takeown /f C:\Projects\locked.docx
icacls C:\Projects\locked.docx /grant Administrators:F
First use takeown to become owner, then grant yourself full control.
Take Ownership Recursively
takeown /f C:\Projects /r /d y
icacls C:\Projects /grant Administrators:(OI)(CI)F /T
Takes ownership of everything in Projects, then grants full control.
Backing Up and Restoring Permissions
Save permissions before making major changes. You can restore them if something goes wrong.
Save Permissions to a File
icacls C:\Projects /save C:\Backup\projects_acl.txt /T
Saves all permissions for Projects and its contents to a text file.
Restore Permissions from Backup
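icacls C:\ /restore C:\Backup\projects_acl.txt
Restores previously saved permissions. The saved file records paths relative to the parent of the folder you saved (here, the entries begin with Projects), so point /restore at that parent directory, C:\, not at C:\Projects itself.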
Pro tip: Always back up permissions before running complex permission scripts. This saved me countless hours when automated scripts went wrong.
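An added example (not part of the original guide) for reviewing a saved ACL file before restoring it: it shows which absolute paths a given restore directory resolves to and flags entries worth checking first. The file layout (a relative-path line followed by an SDDL line), the constructed `SAVED` sample and the function names are assumptions of this sketch.

```python
import ntpath
import re

# Constructed stand-in for a file written by `icacls C:\Projects /save <file> /T`.
# Assumed layout: a relative-path line, then that object's SDDL line (the real file is UTF-16).
SAVED = r"""Projects
D:AI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1104)
Projects\plan.docx
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;;FA;;;WD)
"""

def parse_saved(text):
    """Pair each relative path with its ACEs as (type, flags, rights, trustee) tuples."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for rel, sddl in zip(lines[0::2], lines[1::2]):
        aces = []
        for body in re.findall(r"\(([^()]*)\)", sddl):
            f = body.split(";")  # type;flags;rights;object;inherit-object;trustee
            aces.append((f[0], f[1], f[2], f[5]))
        entries.append((rel, aces))
    return entries

def restore_targets(entries, restore_dir):
    """Absolute paths that `icacls <restore_dir> /restore <file>` resolves the entries to."""
    return [ntpath.join(restore_dir, rel) for rel, _ in entries]

def review(entries):
    """Findings to check before restoring, especially onto a different server."""
    findings = []
    for rel, aces in entries:
        for kind, _flags, rights, trustee in aces:
            if kind == "A" and trustee == "WD" and rights == "FA":
                findings.append((rel, "Everyone has full control"))
            if trustee.startswith("S-1-5-21-"):  # machine- or domain-issued account SID
                findings.append((rel, "account-specific SID " + trustee))
    return findings

if __name__ == "__main__":
    saved = parse_saved(SAVED)
    print(restore_targets(saved, "C:\\Projects"))  # wrong target: paths double up
    print(restore_targets(saved, "C:\\"))          # parent directory: paths line up
    for finding in review(saved):
        print(finding)
```

Account-specific SIDs in the file only make sense on the destination if the same accounts exist there, which matters when the backup is restored on another machine.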
Real-World icacls.exe Examples
These practical examples solve common permission problems.
Example 1: Give Department Folder Access
Scenario: Create a folder where the Sales team has full control but other users can only read.
icacls C:\Departments\Sales /grant "Sales Team":(OI)(CI)F
icacls C:\Departments\Sales /grant "Domain Users":(OI)(CI)RX
Example 2: Lock Down Sensitive Files
Scenario: Only administrators can access payroll files.
icacls C:\Payroll /inheritance:r
icacls C:\Payroll /grant Administrators:(OI)(CI)F
icacls C:\Payroll /grant SYSTEM:(OI)(CI)F
This removes all inherited permissions and grants access only to Administrators and SYSTEM.
Example 3: Fix “Access Denied” Errors
Scenario: Users suddenly can’t access a folder they previously could.
icacls C:\SharedFolder /reset /T /C
icacls C:\SharedFolder /grant "Domain Users":(OI)(CI)M
Reset permissions and re-grant appropriate access.
Example 4: Migrate Permissions to New Server
Scenario: Copy permissions from old file server to new one.
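icacls \\OldServer\Share\* /save \\NewServer\Backup\acl.txt /T
icacls \\NewServer\Share /restore \\NewServer\Backup\acl.txt
Saving with \* records every path relative to the share, so the restore resolves the same relative paths under \\NewServer\Share.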
Example 5: Remove All User Permissions Except Admin
Scenario: Clean up a folder with too many permission entries.
icacls C:\CleanFolder /inheritance:r
icacls C:\CleanFolder /grant Administrators:(OI)(CI)F /T
icacls C:\CleanFolder /grant SYSTEM:(OI)(CI)F /T
Common icacls.exe Error Messages and Solutions
“Access is denied”
Cause: You don’t have permission to change the permissions.
Solution: Run Command Prompt as Administrator or take ownership first.
takeown /f C:\Folder /r /d y
icacls C:\Folder /grant %username%:F /T
“The process cannot access the file because it is being used”
Cause: Another program has the file open.
Solution: Close all programs using the file or restart the computer.
“The security descriptor propagation command failed”
Cause: Inheritance settings conflict with existing permissions.
Solution: Reset inheritance before making changes.
icacls C:\Folder /inheritance:e /T /C
“Invalid parameter”
Cause: Syntax error in your command.
Solution: Check for:
- Missing colons after usernames
- Incorrect permission codes
- Missing quotes around names with spaces
- Wrong slash direction (use / not \ for parameters)
icacls.exe vs. cacls.exe vs. GUI
When to Use Each Tool
Use icacls.exe when:
- You need precise control over permissions
- You’re automating permission changes
- You’re working with complex inheritance scenarios
- You’re managing permissions across many files
Use GUI when:
- You’re making simple one-time changes
- You need to see visual permission structure
- You’re learning about Windows permissions
- You prefer point-and-click interfaces
Avoid cacls.exe:
- It has been deprecated since Windows Vista
- icacls.exe provides better functionality
- cacls.exe may be removed in future Windows versions
Learn more about NTFS permissions and security from Microsoft’s official documentation.
Security Best Practices with icacls.exe
1. Always Test First
Test commands on a single folder before running them across your entire system.
icacls C:\TestFolder /grant User:F
Verify it worked, then scale up.
2. Use Least Privilege Principle
Grant the minimum permissions needed. Don’t give full control when modify or read-only works.
3. Document Permission Changes
Keep a log of what you changed and why.
icacls C:\Folder /save C:\Logs\permissions_2026-01-15.txt /T
4. Regular Permission Audits
Review permissions quarterly to remove unnecessary access.
icacls C:\* /T > C:\Audit\permissions_audit.txt
5. Never Remove SYSTEM Account Permissions
The SYSTEM account needs access for Windows to function properly. Always keep:
icacls C:\Folder /grant SYSTEM:(OI)(CI)F
6. Back Up Before Bulk Changes
Save permissions before running scripts that modify hundreds of files.
Scripting icacls.exe for Automation
Create batch scripts or PowerShell scripts to automate repetitive permission tasks.
Batch Script Example
Create a .bat file:
@echo off
echo Setting up department folders...
icacls C:\Departments\Sales /grant "Sales Team":(OI)(CI)M
icacls C:\Departments\Marketing /grant "Marketing Team":(OI)(CI)M
icacls C:\Departments\IT /grant "IT Team":(OI)(CI)F
echo Complete!
pause
PowerShell Script Example
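# Grant each department's team Modify on its own folder
$folders = @("Sales", "Marketing", "IT", "HR")
foreach ($folder in $folders) {
    $path = "C:\Departments\$folder"
    icacls $path /grant "${folder} Team:(OI)(CI)M"
    # icacls sets a non-zero exit code when it fails
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed for $path (exit code $LASTEXITCODE)"
        continue
    }
    Write-Host "Configured $folder permissions"
}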
PowerShell gives you more control and error handling than batch scripts.
Schedule Automated Permission Audits
Use Task Scheduler to run permission audits automatically:
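icacls C:\Shares\* /T > "C:\Logs\audit_%date:/=-%.txt"
Set this to run monthly through Windows Task Scheduler. The %date:/=-% substitution replaces the slashes that %date% contains in many regional formats, which are not valid in a file name.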
Advanced icacls.exe Techniques
Copy Permissions from One Folder to Another
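icacls C:\SourceFolder\* /save C:\temp\acl.txt /T
icacls C:\DestinationFolder /restore C:\temp\acl.txt
Saving with \* records each item relative to SourceFolder, so the restore applies the ACLs to the items with the same names under DestinationFolder.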
Set Permissions on Network Shares
icacls \\ServerName\ShareName /grant Domain\User:(OI)(CI)M
Works with UNC paths for remote file management.
Find Files with Specific Permissions
icacls C:\* /T /C | findstr "JohnDoe"
Lists all files where JohnDoe has permissions.
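An added example (not part of the original guide) that parses captured icacls output, such as the audit files produced earlier, instead of filtering it line by line: icacls prints the path only on the first line of each object, so a line filter loses the path for every later entry. The constructed `SAMPLE`, the `BROAD` group list and the function names are assumptions of this sketch.

```python
import re

# Constructed sample of `icacls C:\Shares\* /T` output (not from a real system).
SAMPLE = r"""C:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  CORP\JohnDoe:(OI)(CI)(M)

C:\Shares\Public Everyone:(OI)(CI)(M)
                 BUILTIN\Users:(I)(RX)
                 CORP\JohnDoe:(DENY)(W)

Successfully processed 2 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<parts>(?:\([^()]+\))+)$")
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
WRITE = {"F", "M", "W"}  # simple rights from the page's table that allow changing data

def parse_icacls(text):
    """Return (path, principal, flags, rights) for every ACE in icacls display output."""
    entries, path, indent = [], None, 0
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or line.startswith("Successfully processed"):
            path = None  # a blank line ends the current object
            continue
        if path is None:  # first line of an object: "<path> <first ACE>"
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            indent = len(nxt) - len(nxt.lstrip())  # continuation lines align under the ACE
            if indent == 0:  # single ACE: assume the path ends at the last space
                indent = line.rfind(" ") + 1
            path = line[:indent].rstrip()
        m = ACE_RE.match(line[indent:].strip())
        if m:
            parts = re.findall(r"\(([^()]+)\)", m["parts"])
            entries.append((path, m["who"], parts[:-1], parts[-1].split(",")))
    return entries

def paths_for(entries, account):
    """Every path on which `account` holds an ACE, including non-first ACE lines."""
    return sorted({p for p, who, _, _ in entries if who.lower().endswith(account.lower())})

def broad_write(entries):
    """Allow ACEs that let a broad group change data: least-privilege review candidates."""
    return [(p, who, r) for p, who, flags, r in entries
            if who.lower() in BROAD and "DENY" not in flags and WRITE & set(r)]

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE)
    print(paths_for(aces, "JohnDoe"))
    print(broad_write(aces))
```

The single-ACE fallback splits at the last space, so an object whose only entry is a principal with a space in its name needs manual checking.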
Replace All Permissions Recursively
icacls C:\Projects /grant:r Administrators:(OI)(CI)F /T
The :r flag replaces all existing permissions instead of adding to them.
Troubleshooting Complex Permission Issues
Problem: Permissions Keep Reverting
Cause: Inheritance is re-applying parent permissions.
Solution: Disable inheritance first.
icacls C:\Folder /inheritance:r
icacls C:\Folder /grant User:(OI)(CI)M
Problem: User Has Multiple Conflicting Permissions
Cause: User belongs to multiple groups with different permissions.
Solution: Check effective permissions.
icacls C:\Folder
Look for all entries for the user and their groups. Deny permissions always win.
Problem: Can’t Delete Files Even as Administrator
Cause: Missing delete permissions or ownership issues.
Solution:
takeown /f C:\File.txt
icacls C:\File.txt /grant Administrators:F
del C:\File.txt
Problem: Permissions Won’t Apply to Existing Files
Cause: Need to propagate to existing files.
Solution: Use /T to apply recursively to all existing content.
icacls C:\Folder /grant User:(OI)(CI)M /T
For detailed Windows security concepts, refer to Microsoft’s security documentation.
Performance Considerations
Large Directory Structures
When working with thousands of files, icacls.exe can take significant time.
Optimize with these techniques:
Use /C to continue on errors instead of stopping:
icacls C:\LargeFolder\* /reset /T /C
Process in smaller chunks during off-hours:
icacls C:\LargeFolder\SubFolder1\* /grant User:M /T
icacls C:\LargeFolder\SubFolder2\* /grant User:M /T
Run from a local administrator account rather than over the network.
Network Share Performance
Permission operations over the network take longer. Minimize network latency by:
- Running commands from the server directly when possible
- Using robocopy /SEC to copy files with permissions intact
- Scheduling large permission changes during low-usage periods
Summary
icacls.exe gives you complete control over Windows file and folder permissions through the command line. You can view, modify, back up, and restore permissions with precision impossible through the GUI.
Key takeaways:
Master the basic permission codes (F, M, RX, R, W) and inheritance flags (OI, CI, IO).
Always back up permissions before major changes using /save and /restore.
Test commands on small folders before applying them broadly with /T.
Use inheritance control to prevent unwanted permission propagation.
Combine icacls.exe with takeown for complete control over locked files.
Script repetitive permission tasks to save time and reduce errors.
The tool becomes intuitive after you use it regularly. Start with simple view commands, then progress to grants and removals. Keep this guide handy as your reference for syntax and real-world examples.
Your files and folders now bend to your will instead of frustrating you with permission errors. That’s the power of mastering icacls.exe.
Frequently Asked Questions
Can I use icacls.exe on FAT32 drives?
No. icacls.exe only works with NTFS file systems because FAT32 doesn’t support Access Control Lists. Convert your drive to NTFS if you need permission management.
What’s the difference between /grant and /grant:r?
The /grant parameter adds permissions to existing ones. The /grant:r parameter replaces all existing permissions with the new ones you specify. Use /grant:r carefully as it removes all other permissions.
How do I see who owns a file with icacls.exe?
icacls.exe doesn’t directly show ownership. Use this command instead: dir /q C:\filename.txt or Get-Acl C:\filename.txt | Select Owner in PowerShell.
Can icacls.exe work with registry permissions?
No. icacls.exe only manages file and folder permissions. For registry permissions, use the Registry Editor GUI or regini.exe command-line tool.
Why do my permission changes not take effect immediately?
Windows caches permissions in security tokens. Users need to log out and back in for permission changes to fully apply to their session. Alternatively, restart the Windows Explorer process or reboot the computer.
