Apply these permissions to object using icacls

I had this question after viewing 'Access denied' when permission applied via ICACLS; no problem when applied via GUI.

Does anyone know what the icacls command would be to do this? tick the "Only Apply these permissions button?

Cant find anything in google on how to do it.
matt carterAsked:
Who is Participating?
matt carterAuthor Commented:

In the end...and as i had said and always thought, something was wrong with my code i was using. so i went back to the absolute basics.

I deleted all test folders and started again.

Then using icacls E:\Files\Temp\*.* /c grant "Users":(OI)(CI) i then done one more command and tested. if it was on the right path but not 100%. I deleted all folders and started again, this time adding 1 additional command. Tested, and same process as before.

Each command i tested to see if i could enter the folder, and not get the Access Denied error.

So it went like this

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX) - gave me read and execute files, but not delete subfolders (Could access the folder though) so i deleted all folders and started again with the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX, RD),

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX, RD, WD)

eventually i got to the code

icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(RX,RD,WD,AD,DC)

Which gave me 100% what i am after

The other codes i was using in my original code were

X,RA,REA,WA,WEA,RC - one of these codes was causing the access denied error

Thank you all for your input and help
Take a test folder on your desktop: c:\users\someuser\desktop\test
The command
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:m

Open in new window

will grant modify permissions to this folder for "someotheruser" and apply it to "that folder only".

So you see, by default, icacls is already doing what you want. If you would like inheritance, you would have chosen
icacls "C:\Users\someuser\Desktop\test" /grant someotheruser:(OI)(CI)m

Open in new window

matt carterAuthor Commented:
Thank you for the reply, however when i do this, my someotheruser has access denied, until i manually tick the "Only apply these permissions to object" button. The same as the previous question i linked to.

That person could only get around the access denied once they ticked this button.

my issue is i have a large amount of folders i need to apply this setting, so do not want to do this manually.
On File server, i have used icacls E:\Files\temp\*.* /c /grant "MYDomain\Domain Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
Then, when any domain users try to access, they get access denied, i tick that button, they have access.
I manually do these settings using GUI, they have access (without ticking that box).
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

Be so kind to follow my suggestion and test it right like I did with a folder on your desktop. You will see that that command will apply the permission entry only to that folder and not to subfolders. Try it, so that we are on the same page. Then please upload screenshots that demonstrate what you need to do with this example folder on the desktop so that it works to your liking.
matt carterAuthor Commented:
Yes, that process worked when using a desktop folder, and the code you provided, however this is not what i am wanting to achieve.
Modify access gives the user the right to delete the folder. this is the exact thing i want to prevent.

I need the user to not be able to delete / move C:\Users\someuser\Desktop\test - however have delete access to all sub folders.

I have uploaded 2 screen shots.
1st is the normal settings, where users have normal modify access (current settings), they can move / delete parent folder
2nd is the settings i need it to be, however the Users get an access denied if i use the code
icacls E:\Files\temp\*.* /c /grant "Users":(OI)(CI)(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC)
If i manually enter in the settings using the GUI so they match "exactly" the same as the 2nd screenshot, the user has access, cannot move / delete folder, however can on sub folders. Which is how i want it to happen.
So something in my code is wrong / missing, something, i dont know what.

I have 1000+ folders to do this too, so manually is not an option.
matt carterAuthor Commented:

Let us try something different.



what code would be used to grant user access to folder1, but not be able to delete it / move it.

and also grant access to delete / move subfolder1
matt carterAuthor Commented:
Figured out the issue myself
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.