How to grant full control to a directory tree?

Posted on 2014-07-18
Last Modified: 2014-07-26
On Windows Server 2012, I am trying to grant myself "full control" on a directory tree.  Using "command prompt" and "running as administrator", I executed

icacls <filePath> /grant:r <domainName>\<userName>:(OI)(CI)F /inheritance:e

Here is a synopsis of the command arguments:

   /grant:r        grant, replacing previous permissions
   (OI)            object inherit
   (CI)            container inherit
   F               full control
   /inheritance:e  enables inheritance

This command runs, but does not grant me full control of the entire directory tree.  While running as domainName\userName, I still get "Permission denied" errors.  Apparently, I am not doing something quite right.
Question by:CFS_developer
    LVL 3

    Accepted Solution

    You may have to force ownership of the folder before you can edit those permissions on it.  Try this to take ownership first, then try that command:

    To Take Ownership of a Folder or Drive using TAKEOWN Command
    NOTE: This command will take ownership of the folder or drive, and all files and subfolders in the folder or drive.

    A) In the elevated command prompt, type the command you want below, press Enter, and go to step 5 below.
    NOTE: Substitute full path of folder or drive with the full path of the folder or drive letter that you want to take ownership of within quotes.

    (To grant currently logged on user ownership of)

    takeown /F "full path of folder or drive" /R /D Y

    (To grant administrators group ownership of)

    takeown /F "full path of folder or drive" /A /R /D Y

    For example:

    takeown /F "F:" /A /R /D Y

    takeown /F "F:\Folder" /A /R /D Y


    This should work the same for Server 2012 since it works for Windows 8.  Continue to run the cmd as administrator, and this should help you out!

    Additionally, you may have to force the permissions to cascade through the directory, this is a known bug on S2012 sometimes.  To do this, you can follow these instructions at technet:
    LVL 95

    Assisted Solution

    by:Lee W, MVP
    First of all, you should NEVER assign permissions to an account.  Think how long it's going to take to change the permissions on everything and what happens if you later want to add another person to have full control?

    Create a GROUP, put yourself into that group, and assign full control to the group.  Later, if you want to add or remove people from access, it's as simple (AND FAST) as adding or removing them to the group.

    Second, as stated above, take ownership of everything.  Then you can change permissions.
    LVL 3

    Assisted Solution

    by:Mitchell Milligan
    Lee is correct, you should create a group first, then assign that group.  That slipped my mind, but thanks for the input Lee.

    Author Comment

    If I create a group, how do I recursively assign ownership to that group?  The takeown command only assigns to the user running the program or to the administrators group.
    LVL 95

    Assisted Solution

    by:Lee W, MVP
    Take ownership for you and then assign the group.  There's always going to be a first, so to speak, when you need to change something, but by using a group you won't waste your time EVERY time in the future.

    Assisted Solution

    The Windows commands to recursively adjust file permissions failed on some of the files and folders.  My solution was to utilize Cygwin's unix-type utilities in conjunction with Windows commands:

    chmod -R ugo+rwx fileName
    takeown /F fileName /R
    icacls fileName /grant:r domain\user:(OI)(CI)F /inheritance:e
    chmod -R o-rwx fileName

    Most likely, some of the above commands are superfluous, but the overall flow worked.  Good enough.  

    Cygwin is available from

    Now that I have personal ownership and access for the directory tree, I can concern myself with group assignment.

    Thanks everybody for your help.

    Author Closing Comment

    My comment does indeed provide part of the solution.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
    Join Greg Farro and Ethan Banks from Packet Pushers ( and Greg Ross from Paessler ( for a discussion about smart network …
    In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
    With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now