# Understanding ICACLS permissions

From the Microsoft Article on ICACLS

Each entry names a user or group specific to that file (DOMAIN\USER or GROUP), followed by that principal's permissions. The permission syntax is as follows:

SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character \* to the beginning of the SID.

icacls preserves the canonical order of ACE entries as:

- Explicit denials
- Explicit grants
- Inherited denials
- Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

1. A sequence of simple rights:
   - F (full access)
   - M (modify access)
   - RX (read and execute access)
   - R (read-only access)
   - W (write-only access)
2. A comma-separated list, in parentheses, of specific rights:
   - D (delete)
   - RC (read control)
   - WDAC (write DAC)
   - WO (write owner)
   - S (synchronize)
   - AS (access system security)
   - MA (maximum allowed)
   - GR (generic read)
   - GW (generic write)
   - GE (generic execute)
   - GA (generic all)
   - RD (read data/list directory)
   - WD (write data/add file)
   - AD (append data/add subdirectory)
   - REA (read extended attributes)
   - WEA (write extended attributes)
   - X (execute/traverse)
   - DC (delete child)
   - RA (read attributes)
   - WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:

- (OI): object inherit
- (CI): container inherit
- (IO): inherit only
- (NP): do not propagate inherit
- (I): permission inherited from parent container

For files, the permission masks are more or less self-explanatory: R means you can read the file, X allows it to be executed (as a program), and so on.

For other kinds of objects, you will have to browse MSDN:

- Standard Access Rights
- ACE Inheritance Rules
- Registry
- Service
- ...

Inheritance rights in English:

- (I) "Inherited": This ACE was inherited from the parent container.
- (OI) "Object inherit": This ACE will be inherited by objects placed in this container.
- (CI) "Container inherit": This ACE will be inherited by subcontainers placed in this container.
- (IO) "Inherit only": This ACE will be inherited (see OI and CI), but does not apply to this object itself.
- (NP) "Do not propagate": This ACE will be inherited by objects and subcontainers one level deep only; it will not apply to things inside subcontainers.

For the file system, "container" means a folder and "object" means a file, but remember that ACLs can be set on many other kinds of objects, not all of which have a concept of "containers".
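To make the flag syntax and inheritance rules above concrete, here is a small parser for icacls output lines, added as an example (it is not part of the original note or of Microsoft's tooling). It decodes each ACE into principal, inheritance flags and rights, works out which children an ACE lands on, and flags allow ACEs that hand write-class rights to broad groups, the kind of entry a reviewer of a service's config directory would want to see. The sample output is constructed, the `(DENY)` rendering of deny ACEs, the well-known SIDs S-1-1-0 and S-1-5-11, and the choice of "broad" principals and "write-class" rights are assumptions of this example.

```python
import re
from collections import namedtuple

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Rights that let a principal alter the object, its DACL or its owner (names as icacls prints them).
WRITE_CLASS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA", "WDAC", "WO", "D", "DC"}
# Broad principals by friendly name and well-known SID (Everyone = S-1-1-0, Authenticated Users = S-1-5-11).
BROAD = {"Everyone", "*S-1-1-0", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "*S-1-5-11"}

# Constructed sample of `icacls C:\App\config` output; not captured from a real host.
SAMPLE_OUTPUT = r"""C:\App\config BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              Everyone:(OI)(CI)(IO)(M)
              *S-1-5-11:(DENY)(CI)(WD,AD)
Successfully processed 1 files; Failed processing 0 files
"""

# inherit: subset of INHERIT_FLAGS; rights: simple (F, M, ...) and/or specific (WD, AD, ...) rights
Ace = namedtuple("Ace", "principal deny inherit rights")

def parse_ace(line: str) -> Ace:
    """Parse one 'principal:(flag)(flag)...' line of icacls output."""
    head, _, flags = line.strip().rpartition(":")
    head = re.sub(r"^[A-Za-z]:\\\S*\s+", "", head)  # first output line carries the (space-free) path
    tokens = re.findall(r"\(([^)]*)\)", flags)
    rights = set()
    for t in tokens:
        if t not in INHERIT_FLAGS and t not in ("DENY", "N"):  # (DENY) marks a deny ACE (assumed)
            rights.update(t.split(","))                         # "(WD,AD)" lists specific rights
    return Ace(head, "DENY" in tokens, frozenset(t for t in tokens if t in INHERIT_FLAGS), frozenset(rights))

def inherited_by(ace: Ace) -> set:
    """Where this ACE lands under the (OI)/(CI)/(NP) rules; (IO) means it does not apply here."""
    targets = set()
    if "OI" in ace.inherit: targets.add("files")
    if "CI" in ace.inherit: targets.add("subfolders")
    if "NP" in ace.inherit and targets: targets.add("one level only")
    if "IO" in ace.inherit: targets.add("not this object")
    return targets

def broad_write_grants(output: str) -> list:
    """Allow ACEs giving write-class rights to broad groups: (principal, rights, where it lands)."""
    findings = []
    for line in output.splitlines():
        if ":(" not in line: continue
        ace = parse_ace(line)
        if not ace.deny and ace.principal in BROAD and ace.rights & WRITE_CLASS:
            findings.append((ace.principal, sorted(ace.rights), sorted(inherited_by(ace))))
    return findings
```

Note that the `Everyone:(OI)(CI)(IO)(M)` entry is reported even though (IO) means it grants nothing on the folder itself: every file and subfolder created beneath it will inherit modify access for Everyone.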
