Apply these permissions to object using icacls

matt carter
matt carter used Ask the Experts™
I had this question after viewing 'Access denied' when permission applied via ICACLS; no problem when applied via GUI.

Does anyone know what the icacls command would be to do this? tick the "Only Apply these permissions button?

Cant find anything in google on how to do it.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

Take a test folder on your desktop: c:\users\someuser\desktop\test
The command
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:m

Open in new window

will grant modify permissions to this folder for "someotheruser" and apply it to "that folder only".

So you see, by default, icacls is already doing what you want. If you would like inheritance, you would have chosen
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:(OI)(CI)m

Open in new window


Thank you for the reply, however when i do this, my someotheruser has access denied, until i manually tick the "Only apply these permissions to object" button. The same as the previous question i linked to.

That person could only get around the access denied once they ticked this button.

my issue is i have a large amount of folders i need to apply this setting, so do not want to do this manually.
On File server, i have used icacls E:\Files\temp\*.* /c /grant "MYDomain\Domain Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
Then, when any domain users try to access, they get access denied, i tick that button, they have access.
I manually do these settings using GUI, they have access (without ticking that box).
Distinguished Expert 2018

Be so kind to follow my suggestion and test it right like I did with a folder on your desktop. You will see that that command will apply the permission entry only to that folder and not to subfolders. Try it, so that we are on the same page. Then please upload screenshots that demonstrate what you need to do with this example folder on the desktop so that it works to your liking.


Yes, that process worked when using a desktop folder, and the code you provided, however this is not what i am wanting to achieve.
Modify access gives the user the right to delete the folder. this is the exact thing i want to prevent.

I need the user to not be able to delete / move C:\Users\someuser\Desktop\test - however have delete access to all sub folders.

I have uploaded 2 screen shots.
1st is the normal settings, where users have normal modify access (current settings), they can move / delete parent folder
2nd is the settings i need it to be, however the Users get an access denied if i use the code
icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
If i manually enter in the settings using the GUI so they match "exactly" the same as the 2nd screenshot, the user has access, cannot move / delete folder, however can on sub folders. Which is how i want it to happen.
So something in my code is wrong / missing, something, i dont know what.

I have 1000+ folders to do this too, so manually is not an option.



Let us try something different.



what code would be used to grant user access to folder1, but not be able to delete it / move it.

and also grant access to delete / move subfolder1

In the end...and as i had said and always thought, something was wrong with my code i was using. so i went back to the absolute basics.

I deleted all test folders and started again.

Then using icacls E:\Files\Temp\*.* /c grant "Users":(OI)(CI) i then done one more command and tested. if it was on the right path but not 100%. I deleted all folders and started again, this time adding 1 additional command. Tested, and same process as before.

Each command i tested to see if i could enter the folder, and not get the Access Denied error.

So it went like this

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX) - gave me read and execute files, but not delete subfolders (Could access the folder though) so i deleted all folders and started again with the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX, RD),

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX, RD, WD)

eventually i got to the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX,RD,WD,AD,DC)

Which gave me 100% what i am after

The other codes i was using in my original code were

X,RA,REA,WA,WEA,RC - one of these codes was causing the access denied error

Thank you all for your input and help


Figured out the issue myself

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial