How to Remove Inherited Permissions and Set Explicit Ones in Batch Script
In Windows NTFS, files and folders automatically inherit permissions from their parent directories by default. This ensures consistent security policies across a directory tree. However, there are times, such as when creating a private user folder, a secure drop box, or an application data directory, when you need to break this inheritance. Breaking inheritance allows you to remove existing parent permissions and enforce strict, explicit access rules.
In this guide, we will explore how to use the icacls command in a Batch script to disable inheritance, handle previously inherited rules safely, and apply new explicit permissions.
Understanding Inheritance in ICACLS
The icacls command uses the /inheritance switch to control inheritance behavior:
- /inheritance:e - Enables inheritance (the default state for new folders).
- /inheritance:d - Disables inheritance and copies (converts) the inherited permissions into explicit ones.
- /inheritance:r - Removes all inherited permissions completely, leaving only explicit ones.
All scripts in this guide require an elevated Command Prompt (Run as Administrator). Modifying NTFS inheritance and permissions without administrative rights will fail silently or produce access-denied errors.
Method 1: Break Inheritance and Copy Existing Permissions (Convert)
When you disable inheritance, you can choose to copy the currently inherited permissions and turn them into "explicit" permissions. This is useful if you want to keep the current level of access but prevent future changes to the parent folder from affecting this specific folder.
```batch
@echo off
setlocal enabledelayedexpansion
set "TargetFolder=C:\SecureData"

:: Check admin rights
net session >nul 2>&1
if !errorlevel! neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

:: Create folder if it doesn't exist
if not exist "%TargetFolder%" (
    mkdir "%TargetFolder%" >nul 2>&1
    if !errorlevel! neq 0 (
        echo [ERROR] Failed to create folder: %TargetFolder%
        pause
        exit /b 1
    )
)

echo ============================================
echo Target Folder: %TargetFolder%
echo ============================================
echo.
echo [PROCESS] Breaking inheritance...
echo (Converting inherited rules to explicit permissions^)
echo.

icacls "%TargetFolder%" /inheritance:d >nul 2>&1
if !errorlevel! equ 0 (
    echo [SUCCESS] Inheritance disabled.
    echo Existing permissions converted to explicit.
) else (
    echo [ERROR] Failed to modify inheritance.
)
echo.
pause
endlocal
```
Note on /inheritance:d: Use /inheritance:d (disable and copy) when you want to freeze the current permissions in place. The folder retains all the access it currently has, but future permission changes to the parent folder no longer cascade down. This is the safest way to break inheritance because no access is lost.
Method 2: Break Inheritance and Remove All Inherited Permissions (Blank Slate)
If you are creating a highly secure folder (e.g., a user's private home directory or a restricted HR folder), you usually want to completely remove inherited permissions.
```batch
@echo off
setlocal
set "TargetFolder=C:\SuperSecret"
set "AdminUser=Administrators"

if not exist "%TargetFolder%" mkdir "%TargetFolder%"
echo Creating a secure blank slate for "%TargetFolder%"...

:: /inheritance:r removes all inherited ACEs.
:: We simultaneously grant the Admin group full control so we don't lock ourselves out.
icacls "%TargetFolder%" /inheritance:r /grant "%AdminUser%:(OI)(CI)F"
if %errorlevel% EQU 0 (
    echo [SUCCESS] Inherited permissions removed. Granted explicit Full Control to %AdminUser%.
) else (
    echo [ERROR] Operation failed. Ensure you run as Administrator.
)

:: Verify the final permissions
echo.
echo Current permissions:
icacls "%TargetFolder%"
pause
```
Note on /inheritance:r: Using /inheritance:r removes all inherited rules. If there are no explicit rules already in place and you do not grant any in the same command, the folder will have zero permissions, locking out even the Administrator. Always grant an explicit permission in the same icacls command that removes inheritance.
(OI) and (CI)
- (OI) Object Inherit: The permission applies to files within the folder.
- (CI) Container Inherit: The permission applies to subfolders within the folder.
Using both (OI)(CI) ensures that the explicit rule cascades down to all files and subfolders inside the target directory. Omitting these flags grants access only to the folder itself, not its contents.
Method 3: End-to-End Explicit Permission Setup
The most common automation scenario involves creating a folder, stripping away all parent inheritance, explicitly assigning full control to administrators and the system, and granting standard "Modify" access to a specific user.
```batch
@echo off
setlocal enabledelayedexpansion
set "ProfileDir=C:\UsersProfiles\JohnDoe"
set "OwnerUser=JohnDoe"

if not exist "%ProfileDir%" mkdir "%ProfileDir%"
echo Configuring secure profile directory for !OwnerUser!...

:: 1. Disable inheritance and remove inherited rules,
::    but explicitly grant SYSTEM and Administrators Full Control right away.
icacls "%ProfileDir%" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" >nul
if !errorlevel! NEQ 0 (
    echo [ERROR] Failed to set base permissions. Ensure you run as Administrator.
    pause
    exit /b 1
)

:: 2. Grant the specific user explicit Modify (M) access
icacls "%ProfileDir%" /grant "!OwnerUser!:(OI)(CI)M" >nul
if !errorlevel! NEQ 0 (
    echo [ERROR] Failed to grant permissions to !OwnerUser!.
    pause
    exit /b 1
)
echo [SUCCESS] Directory secured. Only !OwnerUser!, Admins, and SYSTEM have access.

:: 3. Verify the final permissions
echo.
echo Final permissions:
icacls "%ProfileDir%"
pause
```
| Code | Permission | Typical Use |
|---|---|---|
| F | Full Control | Administrators, SYSTEM |
| M | Modify | Standard user access (read, write, delete) |
| RX | Read & Execute | Application directories, shared resources |
| R | Read Only | Audit folders, reference documents |
| W | Write Only | Drop boxes, log directories |
Method 4: Restoring Inheritance
If you make a mistake and need to revert a folder so that it inherits permissions from its parent again, you can use the /inheritance:e flag.
```batch
@echo off
setlocal
set "TargetFolder=C:\SecureData"

if not exist "%TargetFolder%" (
    echo [ERROR] Folder not found: %TargetFolder%
    pause
    exit /b 1
)
echo Restoring inheritance for "%TargetFolder%"...

:: /inheritance:e enables inheritance
icacls "%TargetFolder%" /inheritance:e
if %errorlevel% EQU 0 (
    echo [SUCCESS] Inheritance restored.
    echo.
    echo Current permissions:
    icacls "%TargetFolder%"
) else (
    echo [ERROR] Failed to restore inheritance.
)
pause
```
Common Mistakes
Locking Yourself Out
```batch
:: WRONG - Removes all inherited rules but sets no explicit ones
icacls "C:\MyFolder" /inheritance:r
```
Running this command alone wipes all access control entries from the folder (unless there were existing explicit rules). Once executed, the folder becomes completely inaccessible, even to administrators, until someone takes ownership via takeown /F "C:\MyFolder" /A or the advanced security GUI.
Always grant an explicit permission in the exact same command or ensure an explicit permission exists beforehand.
Forgetting (OI) and (CI) Flags
```batch
:: INCOMPLETE - Grants access only to the folder itself, not its contents
icacls "C:\MyFolder" /inheritance:r /grant "JohnDoe:F"
```
If you omit (OI)(CI), JohnDoe will have access to C:\MyFolder, but any new files or subfolders created inside will not automatically inherit JohnDoe's permissions. Always use (OI)(CI) when setting explicit permissions on a directory root.
Best Practices
- Always use /inheritance:r and /grant ... together: Protect against accidental lockouts by guaranteeing at least one administrative account retains Full Control (F).
- Run as Administrator: Modifying inheritance and permissions requires administrative rights. Check for elevation at the start of your script if needed.
- Always include SYSTEM: When applying explicit rules, ensure the SYSTEM account is explicitly granted Full Control alongside Administrators. Many Windows services and scheduled tasks run as SYSTEM and will fail if access is denied.
- Test on dummy folders first: NTFS permissions can be disastrous if misapplied recursively on important directories like C:\Windows or C:\Users.
- Verify after applying: Always run icacls "%TargetFolder%" after modifying permissions to confirm the final state matches your expectations.
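As an added example that is not part of the original article, the script below ties the backup, verification and rollback practices together: it saves the folder's DACL with icacls /save, applies the Method 3 permission set, then checks that no ACE still carries the (I) marker icacls prints for inherited entries and that no principal other than SYSTEM, Administrators and the owner remains, restoring the saved ACL if either check fails. TargetFolder, OwnerUser and the backup path are assumed values.

```batch
@echo off
setlocal enabledelayedexpansion
:: Added example, not from the original article: back up the ACL, apply an
:: explicit permission set, verify the result, and roll back if a check fails.
:: TargetFolder, OwnerUser and AclBackup are assumed values; adjust as needed.
set "TargetFolder=C:\SecureData"
set "OwnerUser=JohnDoe"
set "AclBackup=%TEMP%\SecureData.acl"

net session >nul 2>&1 || (echo [ERROR] Run as Administrator.& exit /b 1)
if not exist "%TargetFolder%" mkdir "%TargetFolder%"

:: 1. Save the current DACL so the change can be reverted with /restore.
::    /save records the entry relative to the parent directory, so /restore
::    must later be run from that parent (see :rollback below).
icacls "%TargetFolder%" /save "%AclBackup%" >nul || (echo [ERROR] ACL backup failed.& exit /b 1)

:: 2. Strip inherited ACEs and grant the explicit set in the same command,
::    never /inheritance:r on its own.
icacls "%TargetFolder%" /inheritance:r /grant "SYSTEM:(OI)(CI)F" ^
    /grant "Administrators:(OI)(CI)F" /grant "%OwnerUser%:(OI)(CI)M" >nul
if !errorlevel! neq 0 (echo [ERROR] icacls failed.& goto :rollback)

:: 3a. No ACE may still carry the (I) marker that icacls prints for inherited entries.
icacls "%TargetFolder%" | findstr /C:"(I)" >nul
if !errorlevel! equ 0 (echo [FAIL] Inherited ACEs remain.& goto :rollback)

:: 3b. Every ACE line (":(" precedes the rights) must belong to an expected
::     principal; findstr /V prints any line that matches none of them.
icacls "%TargetFolder%" | findstr /C:":(" | findstr /I /V /C:"SYSTEM:(" ^
    /C:"Administrators:(" /C:"%OwnerUser%:(" >nul
if !errorlevel! equ 0 (echo [FAIL] Unexpected principal in ACL.& goto :rollback)

echo [OK] "%TargetFolder%" has only explicit ACEs for SYSTEM, Administrators and %OwnerUser%.
icacls "%TargetFolder%"
endlocal
exit /b 0

:rollback
echo [ROLLBACK] Restoring saved ACL from "%AclBackup%"...
:: %~dp of the target yields its parent directory, which /restore expects.
for %%P in ("%TargetFolder%") do set "ParentDir=%%~dpP"
pushd "!ParentDir!" && (icacls . /restore "%AclBackup%" >nul & popd)
endlocal
exit /b 1
```

Run it first against a throwaway folder; the rollback only restores the DACL, because icacls /save does not record the owner, SACL or integrity label.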
Conclusion
Controlling permission inheritance is fundamental to securing files and folders on a Windows machine. The icacls utility provides a powerful and precise way to disable inheritance (/inheritance:d and /inheritance:r) from within a Batch script. By carefully combining these flags with explicit grants (/grant User:(OI)(CI)F), administrators can automate the creation of secure isolation boundaries, ensuring user data remains protected and inaccessible to unauthorized accounts.