ICACLS, Migrations, and You.

How to Use ICACLS

Using the Windows UI to manage permissions, whether at a broad or granular level, is slow and inefficient. I type ‘ICACLS’ into a command prompt dozens of times a day, while testing our product and coming up with new edge case scenarios, but also assisting real world customers who are facing challenging home drive permission structures that need to be transformed to mesh with a cloud filesystem. It is a lifesaving tool that comes installed absolutely free on any modern Windows machine. By taking the 15 minutes required to understand it, you will save yourself countless hours in the future. The commands below are capitalized per Windows convention, but in practice I type them in lowercase, since the Windows command line is case-insensitive.

Although Cloud FastPath enables and encourages our customers to make these changes on the fly using the Account and Permission mapping spreadsheet, real power users can bypass that process entirely by pre-treating their source file system.

If you’re familiar with common scripting languages that can run on Windows, like Python or Ruby, it is a simple enough syntax to perform complex permission tasks in very small scripts. A simple Ruby example to recursively make sure each user owns all of their data and confirm ownership hasn’t been corrupted somehow could look something like this:

#!/usr/bin/env ruby
# Assuming our home drive folder names match our usernames, and we are in the
# parent directory of our user folders:
user_array = ["Bob", "Jane", "Janet", "Maria"]

user_array.each do |user|
  # Pass the arguments as an array rather than interpolating them into a
  # shell string, so a name containing a space or a shell metacharacter
  # cannot break (or alter) the command line. /T recurses into everything
  # beneath the folder.
  ok = system("ICACLS", user, "/setowner", user, "/T")
  warn "ICACLS /setowner failed for #{user}" unless ok
end

Running through that loop once, it would translate to this on the command-line:

ICACLS H:\Bob /setowner Bob /T

The ‘/T’ is the recursive flag in this case. It will perform this operation on the folder H:\Bob, but also any subfolders or files beneath it in the hierarchy. You can see all of the options for ICACLS quickly (I do this daily) by typing:

ICACLS /? | MORE

then use the space bar to page down and ‘Q’ to quit. Piping the output into ‘MORE’ works like a much watered down version of the GNU ‘less’. An easy way to remember what flags to put for almost any permission fixing operation is ‘TLC’, so something like this is very common for me:

ICACLS H:\Jane /grant Janet:F /T /L /C

The ‘/L’ and ‘/C’ flags are redundant in 99% of cases, but typing them every time makes sure I remember to apply these changes recursively. In the UI, most times those changes will propagate downward (as in this case, giving Janet@tervela.com Full permissions on all of Jane’s folders), but with ICACLS, you are only acting on that one object. See ‘ICACLS /?’ for more info on what those flags do. Remember, simply typing ICACLS followed by a folder path will show you the current permissions, both inherited and explicit, so it is a good way to track the changes you are making.

If we want to give Bob Read access to Jane’s data, the `/grant` option is used again, however this time we change the letter appended to the username:

ICACLS H:\Jane /grant Bob:R /T /L /C

We could confirm Bob’s read access easily:

ICACLS H:\Jane

If you again view the manual for ICACLS, you can see a full list of what options are available to be appended to usernames. Generally, you will only be using a few simple ones, as stated in the first section.
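Confirming a grant by reading the ICACLS listing is fine for one folder, but across a whole home drive you want a script to do the checking. The following is an added example, not code from the original post or from Cloud FastPath: it parses the text that ‘ICACLS H:\Jane’ prints, answers “does Bob have Read?”, and lists every explicit grant to someone other than the folder’s owner, plus any deny entries, which is the information you want before transforming a home drive. The sample output is constructed to mimic real ICACLS output for the commands above; the domain name TERVELA and the account names are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): parse the output of
# "ICACLS <folder>" and check the grants it shows.
# SAMPLE_OUTPUT is constructed to mimic real ICACLS output for H:\Jane after
# the /grant commands above; the domain TERVELA is an assumption.

SAMPLE_PATH = 'H:\Jane'
SAMPLE_OUTPUT = <<~'OUT'
  H:\Jane NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
          BUILTIN\Administrators:(I)(OI)(CI)(F)
          TERVELA\Jane:(I)(OI)(CI)(F)
          TERVELA\Janet:(OI)(CI)(F)
          TERVELA\Bob:(OI)(CI)(R)
          TERVELA\Maria:(DENY)(F)

  Successfully processed 1 files; Failed processing 0 files
OUT

# Parenthesised tokens that describe inheritance rather than rights.
INHERIT_FLAGS = %w[I OI CI IO NP].freeze

# Returns an array of ACE hashes: {account:, rights:, deny:, inherited:}.
# The first output line starts with the queried path, so we strip it by name
# instead of guessing where a path containing spaces ends and an account begins.
def parse_icacls(output, path)
  aces = []
  output.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('Successfully processed')
    line = line[path.length..-1].lstrip if line.start_with?(path + ' ')
    m = line.match(/\A(.+?):((?:\([^()]*\))+)\z/) or next
    tokens = m[2].scan(/\(([^()]*)\)/).flatten
    rights = tokens.reject { |t| INHERIT_FLAGS.include?(t) || t == 'DENY' }
    aces << {
      account:   m[1],
      rights:    rights.flat_map { |t| t.split(',') }, # "Rc,S,RA" -> three tokens
      deny:      tokens.include?('DENY'),
      inherited: tokens.include?('I'),
    }
  end
  aces
end

# True when ACCOUNT has an allow entry carrying RIGHT (a simple right such as
# F, M, RX, R, W or D, spelled the way ICACLS prints it).
def grants?(aces, account, right)
  aces.any? { |a| a[:account] == account && !a[:deny] && a[:rights].include?(right) }
end

# Explicit (non-inherited) allow entries for anyone other than OWNER:
# the entries to review before migrating the folder.
def extra_grants(aces, owner)
  aces.reject { |a| a[:deny] || a[:inherited] || a[:account] == owner }
      .map { |a| [a[:account], a[:rights].join(',')] }
end

# Accounts with a deny entry; these rarely mean what the UI made you think.
def denied_accounts(aces)
  aces.select { |a| a[:deny] }.map { |a| a[:account] }
end

if __FILE__ == $PROGRAM_NAME
  # On a real machine: output = IO.popen(['ICACLS', SAMPLE_PATH], &:read)
  aces = parse_icacls(SAMPLE_OUTPUT, SAMPLE_PATH)
  puts "Bob can read:  #{grants?(aces, 'TERVELA\Bob', 'R')}"
  puts "Extra grants:  #{extra_grants(aces, 'TERVELA\Jane').inspect}"
  puts "Denied:        #{denied_accounts(aces).inspect}"
end
```

Run it once per home folder (feeding it the real ICACLS output instead of the sample) and the “extra grants” list becomes a per-user diff of who, besides the owner, was explicitly given access, which is exactly what needs a decision before the move.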

Practice makes perfect, so I am going to give you a few commands you can use to both break and restore bad permissions using the Windows command-prompt. Even if you are totally new to permissions and the command line, it only takes a few minutes to learn 99% of what you’ll need to know on the job. Here are some useful examples to get started:

ICACLS PrivateFolder /deny Maria:F
ICACLS ParentFolder\Subfolder /inheritance:d

– DIR – list contents of the current directory. Another command I do almost daily is:

DIR /S /Q

This will recursively list who owns what folders and files.
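The ownership listing from ‘DIR /S /Q’ is the other half of the earlier Ruby loop: once every folder has been given to its user, this is how you confirm nothing underneath is still owned by someone else. The following is an added example, not code from the original post: it parses a ‘DIR /S /Q’ listing and reports every file or folder under H:\<user> whose owner is not DOMAIN\<user>. The listing is constructed to look like DIR output on an en-US machine (the date and time format is locale dependent, so adjust the regex if yours differs); the domain TERVELA, the file names and the sizes are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): turn "DIR /S /Q" output into an
# ownership report. SAMPLE_LISTING is constructed to look like en-US DIR /S /Q
# output; the domain TERVELA and the file names are assumptions.

SAMPLE_LISTING = <<~'LISTING'
   Volume in drive H is Home
   Volume Serial Number is 1A2B-3C4D

   Directory of H:\Bob

  09/10/2019  10:22 AM    <DIR>          TERVELA\Bob            .
  09/10/2019  10:22 AM    <DIR>          TERVELA\Bob            ..
  09/10/2019  10:20 AM                42 TERVELA\Bob            notes.txt
  09/10/2019  10:21 AM    <DIR>          TERVELA\Bob            Projects
                 1 File(s)             42 bytes

   Directory of H:\Bob\Projects

  09/10/2019  10:21 AM    <DIR>          TERVELA\Bob            .
  09/10/2019  10:21 AM    <DIR>          TERVELA\Bob            ..
  09/10/2019  10:21 AM             1,024 BUILTIN\Administrators plan.docx
  09/10/2019  10:21 AM               512 NT AUTHORITY\SYSTEM    old report.txt
                 2 File(s)           1,536 bytes

       Total Files Listed:
                 3 File(s)           1,578 bytes
                 4 Dir(s)  10,000,000,000 bytes free
LISTING

# One entry line: date, time, <DIR> or size, owner (domain may contain spaces,
# the account part may not), then the name (which may contain spaces).
ENTRY = /\A(\d{2}\/\d{2}\/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?\\\S+)\s+(.+)\z/

# Returns [[full_path, owner, is_dir], ...] for every entry except "." and "..".
def parse_dir_q(output)
  entries = []
  current = nil
  output.each_line do |raw|
    line = raw.rstrip
    if (m = line.match(/\A\s*Directory of (.+)\z/))
      current = m[1]          # DIR /S prints a header before each folder
      next
    end
    m = line.match(ENTRY) or next
    name = m[5]
    next if current.nil? || name == '.' || name == '..'
    entries << ["#{current}\\#{name}", m[4], m[3] == '<DIR>']
  end
  entries
end

# Entries under ROOT\<user> whose owner is not DOMAIN\<user> (case-insensitive,
# as Windows account names are).
def foreign_owned(entries, root, domain, users)
  entries.select do |path, owner, _is_dir|
    user = users.find { |u| path.downcase.start_with?("#{root}\\#{u}\\".downcase) }
    user && owner.casecmp("#{domain}\\#{user}") != 0
  end
end

if __FILE__ == $PROGRAM_NAME
  # On a real machine: listing = IO.popen(['cmd', '/c', 'DIR /S /Q H:\\'], &:read)
  entries = parse_dir_q(SAMPLE_LISTING)
  foreign_owned(entries, 'H:', 'TERVELA', %w[Bob Jane Janet Maria]).each do |path, owner, _|
    puts "#{path} is owned by #{owner}"
  end
end
```

Anything this prints is a candidate for the ‘/setowner’ loop shown earlier (or for TAKEOWN, below); anything it does not print already matches the user, so you can skip it and keep the migration run short.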

– CD – “change” directory. Used constantly, across all different shells. On Windows, ‘CD’ by itself will show your current directory.

CD C:\

or

CD \

Will bring you to the root of C:\ explicitly or the root of whatever volume you are currently in. For reasons that you can Google, if I want to move to a different volume (like from my C: drive to H: drive), I would do something like this (NET USE shows you mounted volumes among other things):

C:\Users\Ian>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
             K:        \\tervela\engineering\cat_photos
The command completed successfully.

C:\Users\Ian>K:

K:\>

And now I’m in the K: drive.

– TAKEOWN – Take ownership of something, generally run from an elevated command-prompt.

TAKEOWN /F "Frank's Folder" /R

This will recursively (the ‘/R’) take ownership of whatever comes after the ‘/F’, in this case a folder called ‘Frank’s Folder’. I wrapped the string in double quotes because it has a space and a special character. If you press the TAB key after typing the first few characters of that name, Windows will autocomplete the name and wrap it in quotes for you.

– MKDIR – make a directory either in the current directory or a specific path

C:\Users\Ian>MKDIR Hello

C:\Users\Ian>MKDIR C:\Users\Ian\Goodbye

– NET USER / NET LOCALGROUP – To add test users and groups quickly, use the NET USER and NET LOCALGROUP commands:

NET USER Ian * /add
NET LOCALGROUP EngineeringTeam /add

The * is given in place of a password so that NET USER prompts for it and masks what you type, instead of leaving the password on the command line. See ‘NET USER /?’ for more script-friendly flags. As a challenge, set up an Active Directory and see how you can manage domain user and group permissions using those same tools.

If you’re able to understand the how and why of these commands, and use them successfully, you will increase your productivity significantly, as well as your understanding of NTFS permissions. I would recommend not only reading but also breaking and enabling inheritance on folders, then generating Cloud FastPath Account and Permission mapping spreadsheets to see how these various Windows configurations will be automatically mapped to whichever cloud platform you are pointed at.