Apply these permissions to object using icacls

I had this question after viewing 'Access denied' when permission applied via ICACLS; no problem when applied via GUI.

Does anyone know what the icacls command would be to do this, i.e. to tick the "Only apply these permissions" button?

Can't find anything on Google on how to do it.
matt carter Asked:
Take a test folder on your desktop: c:\users\someuser\desktop\test
The command
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:m

will grant modify permissions to this folder for "someotheruser" and apply it to "that folder only".

So you see, by default, icacls is already doing what you want. If you would like inheritance, you would have chosen
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:(OI)(CI)m

matt carter Author Commented:
Thank you for the reply, however when I do this, my someotheruser has access denied, until I manually tick the "Only apply these permissions to object" button. The same as the previous question I linked to.

That person could only get around the access denied once they ticked this button.

My issue is I have a large number of folders I need to apply this setting to, so I do not want to do this manually.
On the file server, I have used icacls E:\Files\temp\*.* /c /grant "MYDomain\Domain Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
Then, when any domain users try to access, they get access denied; I tick that button, they have access.
When I manually do these settings using the GUI, they have access (without ticking that box).
Be so kind to follow my suggestion and test it right like I did with a folder on your desktop. You will see that that command will apply the permission entry only to that folder and not to subfolders. Try it, so that we are on the same page. Then please upload screenshots that demonstrate what you need to do with this example folder on the desktop so that it works to your liking.

matt carter Author Commented:
Yes, that process worked when using a desktop folder and the code you provided, however this is not what I am wanting to achieve.
Modify access gives the user the right to delete the folder. This is the exact thing I want to prevent.

I need the user to not be able to delete / move C:\Users\someuser\Desktop\test, but to have delete access to all subfolders.

I have uploaded 2 screenshots.
1st is the normal settings, where users have normal modify access (current settings); they can move / delete the parent folder.
2nd is the settings I need it to be, however the Users get an access denied if I use the code
icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
If I manually enter the settings using the GUI so they match "exactly" the same as the 2nd screenshot, the user has access and cannot move / delete the folder, but can on subfolders. Which is how I want it to happen.
So something in my code is wrong / missing, something, I don't know what.

I have 1000+ folders to do this to, so manually is not an option.
matt carter Author Commented:

Let us try something different.

What code would be used to grant a user access to folder1, but not be able to delete it / move it,

and also grant access to delete / move subfolder1?
matt carter Author Commented:

In the end... and as I had said and always thought, something was wrong with the code I was using, so I went back to the absolute basics.

I deleted all test folders and started again.

Then, using icacls E:\Files\Temp\*.* /c /grant "Users":(OI)(CI), I did one more command and tested. If it was on the right path but not 100%, I deleted all folders and started again, this time adding 1 additional command. Tested, and same process as before.

Each command I tested to see if I could enter the folder and not get the Access Denied error.

So it went like this:

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX) - gave me read and execute files, but not delete subfolders (could access the folder though), so I deleted all folders and started again with the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX,RD)

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX,RD,WD)

Eventually I got to the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX,RD,WD,AD,DC)

which gave me 100% what I am after.

The other codes I was using in my original code were

X,RA,REA,WA,WEA,RC - one of these codes was causing the access denied error.

Thank you all for your input and help.
matt carter Author Commented:
Figured out the issue myself
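
Added example (not written by anyone in this thread): a small Python decoder that turns the icacls permission specs quoted above into Windows access masks, lists which rights differ between the original and the final grant, and applies the Windows rule that a delete needs DE on the object or DC on its parent. The bit values are the standard Windows file access-right constants; the rights held on E:\Files\temp itself (`PARENT_OF_TOP`) are an assumption.

```python
import re

# Access-mask bits for icacls "specific rights" (Windows SDK file access rights).
SPECIFIC = {"RD": 0x1, "WD": 0x2, "AD": 0x4, "REA": 0x8, "WEA": 0x10, "X": 0x20,
            "DC": 0x40, "RA": 0x80, "WA": 0x100, "DE": 0x10000, "RC": 0x20000,
            "WDAC": 0x40000, "WO": 0x80000, "S": 0x100000}
# Simple rights are bundles of the bits above; each one includes S (SYNCHRONIZE).
SIMPLE = {"RX": 0x1200A9, "M": 0x1301BF, "F": 0x1F01FF}
INHERIT = {"OI", "CI", "IO", "NP"}

def parse_perm(spec):
    """Split an icacls permission spec into (inheritance flags, access mask)."""
    flags, mask = set(), 0
    tail = re.sub(r"\([^)]*\)", "", spec).strip()      # e.g. the "m" in (OI)(CI)m
    for group in re.findall(r"\(([^)]*)\)", spec) + ([tail] if tail else []):
        for name in (n.strip().upper() for n in group.split(",")):
            if name in INHERIT:
                flags.add(name)
            else:
                mask |= SIMPLE[name] if name in SIMPLE else SPECIFIC[name]
    return flags, mask

def only_in(a, b):
    """Names of the specific rights set in mask a but not in mask b."""
    return sorted(n for n, bit in SPECIFIC.items() if a & bit and not b & bit)

def can_delete(own_mask, parent_mask):
    """Delete is allowed with DE on the object itself or DC on its parent."""
    return bool(own_mask & SPECIFIC["DE"] or parent_mask & SPECIFIC["DC"])

# Permission specs quoted in the thread.
ORIGINAL = "(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)"
FINAL = "(OI)(CI)(RX,RD,WD,AD,DC)"
MODIFY = "(OI)(CI)m"
# Assumption: on the parent of the top-level folders, Users hold read/execute only.
PARENT_OF_TOP = parse_perm("(RX)")[1]

if __name__ == "__main__":
    orig, final, modify = (parse_perm(s)[1] for s in (ORIGINAL, FINAL, MODIFY))
    print(f"original {orig:#x}  final {final:#x}  modify {modify:#x}")
    print("in final, not in original:", only_in(final, orig))
    print("in original, not in final:", only_in(orig, final))
    print("delete top folder (final): ", can_delete(final, PARENT_OF_TOP))
    print("delete subfolder  (final): ", can_delete(final, final))
    print("delete top folder (modify):", can_delete(modify, PARENT_OF_TOP))
```

The only right the final grant carries that the original list lacks is S (SYNCHRONIZE), which ordinary Win32 file opens request. The final grant also leaves out DE, so the folder itself cannot be deleted through this entry, while the inherited DC allows its children to be removed.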