
How to Grant Full Control to a Specific User on a Folder in Batch Script

Managing folder permissions via Batch script is an essential skill for system administrators. When provisioning new user profiles, creating temporary shared workspaces, or automating application deployments, you often need to grant specific users or groups "Full Control" over a directory.

In this guide, we will learn how to use the built-in icacls command to seamlessly grant Full Control permissions, ensuring those rights inherit correctly to all subfolders and files.

Understanding Full Control and Inheritance

"Full Control" (F) is the highest level of NTFS permission. A user with Full Control can read, write, modify, execute and delete, and can also take ownership of the file or folder and change its permissions for other users. Those last two rights (WRITE_OWNER and WRITE_DAC) are what separate Full Control from Modify: a user who holds them can remove Administrators from the ACL or hand access to other accounts. Grant F only where the user genuinely needs to manage permissions; for ordinary home and working directories, Modify (M) is usually the safer choice.

When applying permissions to a folder, you usually want those permissions to "trickle down" (inherit) so the user also has Full Control over any files and subfolders created inside that folder later. We achieve this using inheritance flags in icacls. When you later list the folder or its children with icacls, entries that arrived through inheritance are prefixed with (I), which is a quick way to confirm the flags did what you intended.

  • (OI) - Object Inherit: The permission applies to files within the folder.
  • (CI) - Container Inherit: The permission applies to subfolders within the folder.
  • F - Full Control: The specific permission level.

The icacls /grant Command

The core command for granting permissions is icacls followed by the target path and the /grant switch.

Syntax

icacls "C:\Path\To\Folder" /grant "Domain\Username:(OI)(CI)F"
  • "Domain\Username": The user or group you are granting access to. Local accounts can be written as a bare name (JSmith) or as COMPUTERNAME\JSmith, well-known groups as BUILTIN\Administrators, and a SID can be given directly with a leading asterisk (for example *S-1-5-32-544 for the Administrators group).
  • :(OI)(CI)F: The combination of inheritance flags and the Full Control right. Without (OI)(CI), the entry applies to the top-level folder object only: existing files and subfolders keep their current ACLs, and anything created inside the folder later inherits nothing from it.

Example 1: Granting Access to a New User Folder

A very common scenario is a script that creates a home directory for a new employee and gives them Full Control of it.

@echo off
setlocal

set "NEW_USER=JSmith"
set "USER_DIR=D:\Users\%NEW_USER%"

echo Creating folder for %NEW_USER%...
mkdir "%USER_DIR%" 2>nul

if not exist "%USER_DIR%\" (
    echo [ERROR] Failed to create directory: %USER_DIR%
    echo Verify the parent path exists and you have permission to create folders.
    pause
    exit /b 1
)

echo Granting Full Control to %NEW_USER% on %USER_DIR%...

REM Apply the explicit permission.
REM /T also walks any existing contents (in case the folder was not empty),
REM /C keeps going after per-file errors, and /Q suppresses the success messages.
icacls "%USER_DIR%" /grant "%NEW_USER%:(OI)(CI)F" /T /C /Q

if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Full Control granted to %NEW_USER%.
) else (
    echo [ERROR] Failed to set permissions. Ensure you run this script as Administrator
    echo and that the user account "%NEW_USER%" exists.
)

endlocal
pause

Run As Administrator

Changing NTFS permissions on folders you do not own requires elevated privileges. Even if your account is a member of Administrators, UAC gives a normal console a filtered token with the Administrators group disabled, so you must run the Batch script "As Administrator" (accepting the UAC prompt) for icacls to succeed. Otherwise, you will encounter an immediate "Access is denied" error.

Handling Existing Explicit Permissions

When you use /grant, you add an explicit Allow entry to the folder's DACL. Existing entries, explicit or inherited, are left in place.

Allow entries accumulate. If JSmith already receives "Read" through an entry inherited from a parent directory and you explicitly /grant Full Control, the user's "Effective Access" is the union of both, which is Full Control. Evaluation order only matters when Deny entries are involved: explicit entries are evaluated before inherited ones, so an explicit Allow for Full Control takes precedence over an inherited Deny, whereas an explicit Deny on the folder would still block the user no matter what you /grant.

The :r (Replace) Option

If JSmith already had an explicit "Modify" entry on the folder and you /grant Full Control, icacls merges the new rights into the existing ones. That is harmless when you are upgrading, but it means a plain /grant can leave redundant entries behind and can never reduce a user's explicit rights: granting RX to someone who already holds F leaves them with F.

To replace the user's explicit entries with exactly the rights you specify, append :r to the /grant switch.

REM /grant:r replaces explicit permissions for JSmith instead of appending to them.
icacls "D:\Workspace" /grant:r "JSmith:(OI)(CI)F"

Use /grant:r in automation scripts: each principal ends up with exactly one explicit entry carrying exactly the intended rights, a rerun converges to the same state, and the ACL (Access Control List) does not accumulate redundant entries. Note that :r only touches the named principal's explicit entries; inherited entries and other principals' entries are left untouched.
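The difference between /grant and /grant:r matters most when you need to reduce someone's rights, for example when a contractor's engagement ends. The script below (an added example, not code from the original article) gives a principal explicit Full Control on a scratch folder, attempts to downgrade it to read-and-execute first with a plain /grant and then with /grant:r, and finally revokes the principal entirely with /remove, listing the relevant ACL entries after each step. The principal BUILTIN\Users and the scratch folder under %TEMP% are assumed placeholders.

```batch
@echo off
setlocal
REM Added example (not from the original article). Assumed placeholders:
REM BUILTIN\Users as the principal and a scratch folder under %TEMP%.
set "PRINCIPAL=BUILTIN\Users"
set "LAB=%TEMP%\icacls-replace-%RANDOM%"
mkdir "%LAB%" || exit /b 1

REM Start from an explicit Full Control entry.
icacls "%LAB%" /grant "%PRINCIPAL%:(OI)(CI)F" /Q
call :show "1. explicit F granted"

REM A plain /grant only ADDS rights: RX is merged into the existing F, so the
REM principal still holds Full Control. This form cannot downgrade anyone.
icacls "%LAB%" /grant "%PRINCIPAL%:(OI)(CI)RX" /Q
call :show "2. after plain /grant RX, the principal still holds (F)"

REM /grant:r REPLACES the principal's explicit entries with exactly what you specify.
icacls "%LAB%" /grant:r "%PRINCIPAL%:(OI)(CI)RX" /Q
call :show "3. after /grant:r RX, the principal holds (RX) only"

REM /remove drops every explicit entry for the principal. Inherited (I) entries are
REM not affected by /grant:r or /remove; those are governed by /inheritance.
icacls "%LAB%" /remove "%PRINCIPAL%" /Q
call :show "4. after /remove, no explicit entry is left"

rmdir /S /Q "%LAB%"
endlocal
exit /b 0

REM Subroutine: print only the ACL lines that mention the principal.
:show
echo.
echo === %~1 ===
icacls "%LAB%" | findstr /I /C:"%PRINCIPAL%" || echo   no entry for %PRINCIPAL%
exit /b 0
```

Step 2 is the one to remember: a revocation script built on plain /grant silently does nothing, and the account keeps Full Control. Use /grant:r when you want the stated rights to be the whole truth, and /remove when the principal should have no explicit access at all.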

Granting Access via Security Groups

In enterprise environments, it is almost always better to grant permissions to Active Directory Security Groups rather than individual users. Your script syntax remains identical.

@echo off
setlocal

set "PROJECT_DIR=S:\Projects\Alpha"
set "MGMT_GROUP=DOMAIN\Management_Team"

if not exist "%PROJECT_DIR%\" (
    echo [ERROR] Directory not found: %PROJECT_DIR%
    pause
    exit /b 1
)

echo Granting Management Group Full Control to Alpha Project...

icacls "%PROJECT_DIR%" /grant "%MGMT_GROUP%:(OI)(CI)F" /T /C /Q

if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Full Control granted to %MGMT_GROUP%.
) else (
    echo [ERROR] Failed to set permissions. Verify group name and admin rights.
)

endlocal
pause

Troubleshooting "Access Denied" When Setting Access

If your script fails with an Access Denied error, verify the following:

  1. Elevation: Did you definitely right-click "Run as administrator"? A script can check for itself by running a command that requires elevation, such as net session, and testing its exit code before it touches any ACL.
  2. Ownership: If you are an Administrator but still get denied, a previous user may have taken ownership and removed the Administrators group from the ACL. Changing a DACL requires the WRITE_DAC right, which the owner of an object always holds implicitly; that is why taking ownership unlocks the folder.
    • Fix: Have your script take ownership first, then grant. /A assigns ownership to the Administrators group rather than to your own account, /R recurses into the tree, and /D Y answers "yes" at the prompt shown when a subfolder cannot even be listed.
    takeown /F "D:\LockedFolder" /A /R /D Y >nul 2>nul
    icacls "D:\LockedFolder" /grant "JSmith:(OI)(CI)F"
    • Caveat: takeown overwrites the previous owner and is not reversible by itself, and the 2>nul above hides its error output. Save the existing DACLs with the /save switch of icacls before you change anything, and drop the 2>nul while troubleshooting so you can see which paths takeown could not reach.
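The following script (an added example, not code from the original article) puts the elevation check from the "Run As Administrator" section and the ownership recovery above into one guarded procedure: it refuses to run unelevated, saves the current DACLs to a file before modifying anything, tries the grant as-is, and only falls back to takeown when the grant is actually denied. The target folder D:\LockedFolder, the principal JSmith and the backup file under %TEMP% are assumed placeholders.

```batch
@echo off
setlocal
REM Added example (not from the original article). Assumed placeholders: the
REM target folder, the principal, and a backup file under %TEMP%.
set "TARGET=D:\LockedFolder"
set "PRINCIPAL=JSmith"
set "BACKUP=%TEMP%\acl-backup-%RANDOM%.txt"

REM 1. Elevation check. "net session" needs administrator rights and exits
REM    non-zero from an unelevated console, so UAC problems surface here.
net session >nul 2>&1 || (
    echo [ERROR] Not elevated. Right-click the script and choose "Run as administrator".
    exit /b 1
)

if not exist "%TARGET%\" (
    echo [ERROR] Directory not found: %TARGET%
    exit /b 1
)

REM 2. Back up the current DACLs before changing anything. icacls writes the
REM    paths relative to TARGET's parent, so replay with:
REM    icacls "<parent of TARGET>" /restore "<backup file>"
icacls "%TARGET%" /save "%BACKUP%" /T /C /Q
if errorlevel 1 echo [WARN] Some ACLs could not be read and are missing from the backup.

REM 3. Try the grant as-is; escalate to takeown only when it is actually denied.
icacls "%TARGET%" /grant "%PRINCIPAL%:(OI)(CI)F" /T /C /Q
if not errorlevel 1 goto :done

echo [WARN] Grant denied. Taking ownership for the Administrators group and retrying.
REM /A makes BUILTIN\Administrators the owner (not the calling user), /R recurses,
REM /D Y answers the prompt shown when a subfolder cannot be listed.
REM Only stdout is discarded; takeown's error output stays visible on purpose.
takeown /F "%TARGET%" /A /R /D Y >nul
icacls "%TARGET%" /grant "%PRINCIPAL%:(OI)(CI)F" /T /C /Q || (
    echo [ERROR] Still denied after takeown. Check that "%PRINCIPAL%" resolves to an
    echo         account and that the volume is NTFS. ACL backup kept at: %BACKUP%
    exit /b 1
)

:done
echo [SUCCESS] %PRINCIPAL% has Full Control on %TARGET%. ACL backup: %BACKUP%
endlocal
```

Keep the backup file with the change record for the ticket: ownership changes show up in audit logs and are the first thing anyone will ask about when a locked folder suddenly becomes writable, and the saved DACLs are the only way to put the previous entries back exactly as they were.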

Summary

Granting Full Control via Batch script is fast and reliable using icacls. By memorizing the (OI)(CI)F inheritance string and utilizing the /grant:r replace function, you can ensure your scripts cleanly apply exactly the intended access rights to any directory structure. Always run permission-modifying scripts with administrative elevation, and reserve Full Control for principals that genuinely need to manage permissions themselves.