icacls name /save aclfile [/T] [/C] [/L] [/Q]
Stores the DACLs for the files and folders that match name into aclfile for later use with /restore. Note that SACLs, owner, or integrity labels are not saved.
icacls directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]
Applies the stored DACLs to files in directory.
icacls name /setowner user [/T] [/C] [/L] [/Q]
Changes the owner of all matching names. This option does not force a change of ownership; use the takeown.exe utility for that purpose.
icacls name /findsid Sid [/T] [/C] [/L] [/Q]
Finds all matching names that contain an ACL explicitly mentioning Sid.
icacls name /verify [/T] [/C] [/L] [/Q]
Finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.
icacls name /reset [/T] [/C] [/L] [/Q]
Replaces ACLs with default inherited ACLs for all matching files.
icacls name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] [Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]]
/grant[:r] Sid:perm
Grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.
/deny Sid:perm
Explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions, and the same permissions in any explicit grant are removed.
/remove[:[g|d]] Sid
Removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights to that Sid. With :d, it removes all occurrences of denied rights to that Sid.
/setintegritylevel [(CI)(OI)]Level
Explicitly adds an integrity ACE to all matching files. The level is to be specified as one of: L[ow] M[edium] H[igh]
Inheritance options for the integrity ACE may precede the level, and are applied only to directories.
/inheritance:e|d|r
e - Enables inheritance.
d - Disables inheritance and copies the ACEs.
r - Removes all inherited ACEs.
/T
Indicates that this operation is performed on all matching files/directories below the directories specified in the name.
/C
Indicates that this operation continues on all file errors. Error messages are still shown.
/L
Indicates that for any symbolic links encountered, this operation is to be performed on the symbolic link itself, rather than its target.
/Q
Indicates that icacls should suppress success messages.
ICACLS preserves the canonical ordering of ACE entries:
- Explicit denials.
- Explicit grants.
- Inherited denials.
- Inherited grants.
The permission mask perm can be specified as a sequence of simple rights:
- N: no access.
- F: full access.
- M: modify access.
- RX: read and execute access.
- R: read-only access.
- W: write-only access.
- D: delete access.
Alternatively, perm may be specified as a comma-separated list of specific rights, enclosed in parentheses:
- DE: delete.
- RC: read control.
- WDAC: write DAC.
- WO: write owner.
- S: synchronize.
- AS: access system security.
- MA: maximum allowed.
- GR: generic read.
- GW: generic write.
- GE: generic execute.
- GA: generic all.
- RD: read data/list directory.
- WD: write data/add file.
- AD: append data/add subdirectory.
- REA: read extended attributes.
- WEA: write extended attributes.
- X: execute/traverse.
- DC: delete child.
- RA: read attributes.
- WA: write attributes.
Inheritance rights may precede either form, and are applied only to directories:
- (OI): object inherit.
- (CI): container inherit.
- (IO): inherit only.
- (NP): don't propagate inherit.
- (I): permission inherited from parent container.
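As an added example (not part of the icacls help text), the following PowerShell script combines the /findsid, /save, /grant, /verify and /restore operations described above into one backed-up, least-privilege change that uses the (OI)(CI) inheritance flags and the RX simple-rights mask. The folder path, group name and backup location are assumed placeholders; the SID *S-1-1-0 is the well-known Everyone SID in the *S- numeric form icacls accepts.

```powershell
# Added example, not from the icacls help text. $Root and $Group are
# placeholders; set them to a real folder tree and a real group.
$Root   = 'C:\Shares\Projects'
$Group  = 'CONTOSO\Analysts'
$Backup = Join-Path $env:TEMP ('dacl-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

function Invoke-Icacls {
    # Runs icacls.exe with the given arguments and stops on a non-zero exit
    # code, so a failed /save never lets the later /grant run without a backup.
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# 1. Audit: list every object under $Root whose ACL explicitly names Everyone
#    (*S-1-1-0). /findsid reports explicit ACEs only; inherited ones are not
#    flagged, so check the parent folder separately if they matter.
Invoke-Icacls @($Root, '/findsid', '*S-1-1-0', '/T', '/C')

# 2. Back up the DACLs of everything under $Root. /save does not store SACLs,
#    the owner or integrity labels. Paths in the file are relative to $Root,
#    so /restore later takes $Root as its directory argument.
Invoke-Icacls @("$Root\*", '/save', $Backup, '/T', '/C', '/Q')

# 3. Grant read and execute only. (OI)(CI) makes new files and subfolders
#    inherit the ACE; without :r any existing explicit grant for the group
#    is kept rather than replaced.
Invoke-Icacls @($Root, '/grant', "${Group}:(OI)(CI)RX", '/T', '/C', '/Q')

# 4. Confirm no ACL under $Root was left in non-canonical form.
Invoke-Icacls @($Root, '/verify', '/T', '/C')

# Rollback, if the change has to be undone: re-apply the saved DACLs.
# Invoke-Icacls @($Root, '/restore', $Backup, '/C', '/Q')
```

Run it from an elevated prompt as an account that holds WRITE_DAC on the tree; the /findsid output before the change gives you a record of any pre-existing broad grants to compare against afterwards.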