Avatar of matt carter
matt carter
 asked on

Apply these permissions to object using icacls

I had this question after viewing 'Access denied' when permission applied via ICACLS; no problem when applied via GUI.

Does anyone know what the icacls command would be to do this? tick the "Only Apply these permissions button?

Cant find anything in google on how to do it.
OS Security

Avatar of undefined
Last Comment
matt carter

8/22/2022 - Mon

Take a test folder on your desktop: c:\users\someuser\desktop\test
The command
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:m

Open in new window

will grant modify permissions to this folder for "someotheruser" and apply it to "that folder only".

So you see, by default, icacls is already doing what you want. If you would like inheritance, you would have chosen
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:(OI)(CI)m

Open in new window

matt carter

Thank you for the reply, however when i do this, my someotheruser has access denied, until i manually tick the "Only apply these permissions to object" button. The same as the previous question i linked to.

That person could only get around the access denied once they ticked this button.

my issue is i have a large amount of folders i need to apply this setting, so do not want to do this manually.
On File server, i have used icacls E:\Files\temp\*.* /c /grant "MYDomain\Domain Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
Then, when any domain users try to access, they get access denied, i tick that button, they have access.
I manually do these settings using GUI, they have access (without ticking that box).

Be so kind to follow my suggestion and test it right like I did with a folder on your desktop. You will see that that command will apply the permission entry only to that folder and not to subfolders. Try it, so that we are on the same page. Then please upload screenshots that demonstrate what you need to do with this example folder on the desktop so that it works to your liking.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
matt carter

Yes, that process worked when using a desktop folder, and the code you provided, however this is not what i am wanting to achieve.
Modify access gives the user the right to delete the folder. this is the exact thing i want to prevent.

I need the user to not be able to delete / move C:\Users\someuser\Desktop\test - however have delete access to all sub folders.

I have uploaded 2 screen shots.
1st is the normal settings, where users have normal modify access (current settings), they can move / delete parent folder
2nd is the settings i need it to be, however the Users get an access denied if i use the code
icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
If i manually enter in the settings using the GUI so they match "exactly" the same as the 2nd screenshot, the user has access, cannot move / delete folder, however can on sub folders. Which is how i want it to happen.
So something in my code is wrong / missing, something, i dont know what.

I have 1000+ folders to do this too, so manually is not an option.
matt carter


Let us try something different.



what code would be used to grant user access to folder1, but not be able to delete it / move it.

and also grant access to delete / move subfolder1
matt carter

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
matt carter

Figured out the issue myself
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.