How to Enable or Disable Permission Inheritance on a Folder in Batch Script

When structuring a file server or managing team folders, the root directory usually sets the standard permissions (e.g., "All Employees can Read"). By default, every subfolder and file created inside inherits these rules. This is called Permission Inheritance.

However, you will inevitably need to create exceptions, like a "Management Docs" folder inside a shared drive where only managers have access. To do this, you must break (disable) inheritance. Conversely, if a folder's custom permissions are no longer needed, you might want to re-enable inheritance so that the folder returns to its parent's rules.

In this guide, we will use the icacls command in Batch Scripting to manage NTFS permission inheritance dynamically.

Understanding the icacls /inheritance Switch

The Windows icacls utility offers the /inheritance:e|d|r switch specifically for controlling inheritance.

  • /inheritance:e - Enables inheritance from the parent folder.
  • /inheritance:d - Disables inheritance and copies the current inherited permissions into explicit permissions. (Think of this as "Copying" the parent's rules to modify them later).
  • /inheritance:r - Removes (disables) inheritance and instantly deletes all inherited permissions, leaving only explicitly defined ones. (Think of this as "Wiping" the slate clean).

Disabling Inheritance (Breaking the Chain)

When creating a secure folder, you usually want to prevent broad access rules from trickling down. The most secure approach is using /inheritance:r.

Scenario 1: Creating a Secure Private Folder

Imagine a shared drive D:\CompanyShare. Everyone has read access. We want to create a D:\CompanyShare\HR_Confidential folder strictly for the HR Group.

If we simply grant HR access, "All Employees" will still be able to read the files because of inheritance. We must remove inherited permissions first.

@echo off
setlocal

set "SECURE_FOLDER=D:\CompanyShare\HR_Confidential"
set "HR_GROUP=DOMAIN\HR_Team"

echo Creating secure folder: %SECURE_FOLDER%
mkdir "%SECURE_FOLDER%" 2>nul

if not exist "%SECURE_FOLDER%\" (
    echo [ERROR] Failed to create or find directory: %SECURE_FOLDER%
    pause
    exit /b 1
)

echo Breaking inheritance...
REM /inheritance:r removes all inherited permissions immediately.
REM Until new ones are granted explicitly, no one has access; only the owner keeps the
REM implicit right to read and change the ACL, which is why the grants below still succeed.
icacls "%SECURE_FOLDER%" /inheritance:r

echo Granting explicit rights to %HR_GROUP% and Administrators...
REM We use (OI)(CI) so that files and subfolders created inside this folder INHERIT these new explicit rules.
REM (OI) = Object Inherit (files)
REM (CI) = Container Inherit (subfolders)
REM F = Full Control
icacls "%SECURE_FOLDER%" /grant "%HR_GROUP%:(OI)(CI)F"
icacls "%SECURE_FOLDER%" /grant "Administrators:(OI)(CI)F"

REM Note: ERRORLEVEL reflects only the last icacls call above.
if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Folder secured.
) else (
    echo [ERROR] Failed to set permissions. Verify group name and admin rights.
)

endlocal
pause
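As an added example (not from the original guide), the following variant of Scenario 1 performs the inheritance break and the grants in a single icacls call, then verifies the result: icacls marks inherited entries with an (I) flag, so after /inheritance:r none may remain and the granted entries must be present. It assumes the same folder and group names as above.

```batch
@echo off
setlocal

REM Added example, not from the original guide. Assumed names: D:\CompanyShare\HR_Confidential
REM and DOMAIN\HR_Team, as in Scenario 1.
set "SECURE_FOLDER=D:\CompanyShare\HR_Confidential"
set "HR_GROUP=DOMAIN\HR_Team"

mkdir "%SECURE_FOLDER%" 2>nul
if not exist "%SECURE_FOLDER%\" (
    echo [ERROR] Cannot create or find %SECURE_FOLDER%
    exit /b 1
)

REM One icacls call removes the inherited entries and writes the explicit ones together,
REM so the folder never sits with an empty DACL between two commands.
REM /grant:r replaces an existing explicit entry for the same principal rather than adding to it.
REM SYSTEM is granted as well so that backup and antivirus services keep working.
icacls "%SECURE_FOLDER%" /inheritance:r /grant:r "%HR_GROUP%:(OI)(CI)F" "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
if errorlevel 1 (
    echo [ERROR] icacls failed. Check the group name and that the script runs elevated.
    exit /b 1
)

REM Verification 1: icacls marks inherited entries with (I); after /inheritance:r none may remain.
icacls "%SECURE_FOLDER%" | findstr /L /C:"(I)" >nul
if not errorlevel 1 (
    echo [FAIL] Inherited entries are still present on %SECURE_FOLDER%
    exit /b 2
)

REM Verification 2: the explicit entry for the HR group must be present with Full Control.
icacls "%SECURE_FOLDER%" | findstr /L /I /C:"%HR_GROUP%:(OI)(CI)(F)" >nul
if errorlevel 1 (
    echo [FAIL] Expected entry for %HR_GROUP% was not found
    exit /b 2
)

echo [OK] Inheritance removed and explicit entries verified on %SECURE_FOLDER%
endlocal
```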

Scenario 2: Copying Parent Rights (The Softer Break)

Sometimes you want to keep all the existing permissions but just remove one specific group (like "Interns") that is inheriting access. In this case, use /inheritance:d. This copies the parent rights as explicit entries so you can selectively remove or deny them afterwards. Note that /remove only strips an entry that names the group directly; access that Interns receive through membership in a broader group (such as "All Employees") is unaffected.

@echo off
setlocal

set "TARGET_FOLDER=D:\CompanyShare\ProjectX"

if not exist "%TARGET_FOLDER%\" (
    echo [ERROR] Directory not found: %TARGET_FOLDER%
    pause
    exit /b 1
)

echo Disabling inheritance and converting inherited rules to explicit rules...
icacls "%TARGET_FOLDER%" /inheritance:d

echo Removing the Interns group from having access...
icacls "%TARGET_FOLDER%" /remove "DOMAIN\Interns"

if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Interns group removed from %TARGET_FOLDER%.
) else (
    echo [WARNING] Remove command completed with errors. Verify the group name exists.
)

endlocal
pause

Enabling Inheritance (Restoring Order)

If D:\CompanyShare\HR_Confidential is no longer confidential, you might want it to behave like a normal folder again, allowing "All Employees" to read it by inheriting the root drive's rules.

To re-enable inheritance, we use /inheritance:e.

Restoring Default Parent Rules

@echo off
setlocal

set "TARGET_FOLDER=D:\CompanyShare\OldProject"

if not exist "%TARGET_FOLDER%\" (
    echo [ERROR] Directory not found: %TARGET_FOLDER%
    pause
    exit /b 1
)

echo Re-enabling inheritance for %TARGET_FOLDER%...

REM /inheritance:e turns inheritance back on.
icacls "%TARGET_FOLDER%" /inheritance:e

REM Important: If the folder had complex explicit permissions set *while* inheritance was disabled,
REM those explicit permissions STILL EXIST alongside the newly inherited ones.
REM To truly "reset" it to act exactly like its parent, we must remove all explicit permissions.
REM We use the /reset switch for that!

echo Wiping all explicit rules to ensure it strictly follows the parent...
icacls "%TARGET_FOLDER%" /reset /t /c /q

if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Restored inheritance and cleaned old permissions.
) else (
    echo [WARNING] Errors restoring some permissions. Check for 'Access Denied' on specific files.
)

endlocal
pause

Why Use /reset with /inheritance:e?

If you only run /inheritance:e, any explicitly granted permissions (like "HR_Team=Full Control") stay active. The folder simply adds the inherited permissions (like "All Employees=Read") on top. Using /reset aggressively scrubs the explicit entries, leaving only the freshly enabled inherited rules. Because of /t, the reset also descends into every file and subfolder beneath, so explicit entries set on those are wiped as well.
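An added audit script (not part of the original guide) that applies the same distinction across a whole share: it walks every folder under an assumed root D:\CompanyShare and reports where inheritance has been disabled and where explicit entries exist. A folder treated as in Scenario 2 shows up under both headings, and the folders listed under explicit entries are exactly the ones that /inheritance:e alone would leave with mixed rules.

```batch
@echo off
setlocal

REM Added audit example, not from the original guide. Assumed share root: D:\CompanyShare.
set "SHARE_ROOT=D:\CompanyShare"
if not exist "%SHARE_ROOT%\" (
    echo [ERROR] Share root not found: %SHARE_ROOT%
    exit /b 1
)

echo Auditing permission exceptions under %SHARE_ROOT% ...
echo.

REM icacls marks inherited entries with (I). A folder whose ACL has no (I) entry has had
REM inheritance disabled (:d or :r). An entry line without (I) is an explicit entry, the kind
REM that /inheritance:e leaves in place and /reset removes. Entry lines are recognised by the
REM ":(" that separates the principal from its rights, which cannot occur in a folder path.
for /d /r "%SHARE_ROOT%" %%D in (*) do call :audit "%%D"

echo.
echo Audit complete. Folders under EXPLICIT ENTRIES are the ones /reset would normalise.
endlocal
exit /b 0

:audit
REM Skip folders we cannot read, otherwise a missing ACL listing would look like a disabled one.
icacls %1 >nul 2>&1
if errorlevel 1 goto :unreadable
icacls %1 | findstr /L /C:"(I)" >nul || echo [INHERITANCE DISABLED] %1
icacls %1 | findstr /L /V /C:"(I)" | findstr /L /C:":(" >nul && echo [EXPLICIT ENTRIES]     %1
goto :eof

:unreadable
echo [UNREADABLE] %1
goto :eof
```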

Common Errors

"Access is Denied" (Error 5)

If you are trying to enable or disable inheritance and receive an "Access is Denied" error, one of two things is happening:

  1. You are not an Administrator: Running icacls to modify ACLs requires administrative rights. Ensure you run your batch script "As Administrator."
  2. You do not own the folder: If previous administrators forcefully broke inheritance and removed your specific admin account from the explicit permissions list, you cannot modify the folder's inheritance.

The Fix: You must forcefully take ownership of the folder using takeown before icacls will allow you to change inheritance.

REM Forcefully become the owner (Administrators group), recursively, answering Yes to any prompt
takeown /F "D:\LockedFolder" /A /R /D Y >nul 2>nul
REM Now you can disable inheritance
icacls "D:\LockedFolder" /inheritance:r
REM /inheritance:r leaves no access entries behind, so grant the ones you need right away
icacls "D:\LockedFolder" /grant "Administrators:(OI)(CI)F"

Conclusion

Understanding icacls /inheritance:e (enable), :d (disable and copy), and :r (disable and remove) is essential for any system administrator writing automation scripts. By combining these switches with /grant or /reset, you can fluidly create highly secure isolated directories or rapidly normalize fractured permission structures across vast file servers.