How to Set File Permissions with ICACLS in Batch Script

Properly securing files and folders is a critical part of system administration and automated deployments. You often need to ensure that a script can access a file it needs to modify, or conversely, lock down a configuration file to prevent unauthorized changes. The standard, modern command-line tool for managing these permissions (Access Control Lists or ACLs) in Windows is ICACLS.

This guide will teach you how to use ICACLS to grant, deny, and remove permissions for users and groups. You will learn the most important permission flags and how to apply them recursively to entire directory trees, giving you granular control over your file system security from a batch script.

The Core Command: ICACLS

ICACLS is a powerful, built-in utility for displaying and modifying the discretionary access control lists (DACLs) on files and folders. It is the successor to the older CACLS command and offers much more control.

Crucially, modifying permissions almost always requires elevated privileges. You must run your batch script from a command prompt that has been "Run as Administrator."

The basic syntax pattern is: ICACLS "path\to\file" /action UserOrGroup:Permissions

Granting Permissions (/grant)

The most common action is /grant, which adds permissions for a user or group. If the user already has permissions, they will be modified.

Let's grant a user named "AppSvc" read and execute permissions on an application's executable.

@ECHO OFF
REM This script must be run as an Administrator.

ECHO Granting Read & Execute permissions to the AppSvc user...
ICACLS "C:\Program Files\MyCoolApp\run.exe" /grant AppSvc:RX

Output: ICACLS confirms the action and reports the number of files successfully processed.

processed file: C:\Program Files\MyCoolApp\run.exe
Successfully processed 1 files; Failed processing 0 files

Denying Permissions (/deny)

A deny rule is an explicit access control entry that takes precedence over any allow (grant) entries. It is a powerful way to restrict access, even if a user is a member of a group that has been granted access. Because of this, deny rules should be used carefully and sparingly.

For example, let's explicitly deny the "Guest" account any ability to write to a specific configuration file.

@ECHO OFF
REM Run as Administrator.

ECHO Denying write access to the Guest account...
ICACLS "settings.ini" /deny Guest:W

Note: This will prevent the Guest account from writing to the file, even if it is a member of a group (like "Users") that has write permission.

Removing Permissions (/remove) and Resetting ACLs (/reset)

Sometimes you need to clean up permissions. /remove can delete a user's specific grant or deny rules. For a more drastic cleanup, /reset will completely replace the ACL with the default inherited permissions.

The following script is for removing a user:

ECHO Removing all specific permissions for the user 'TempUser'...
ICACLS "sensitive_data.csv" /remove TempUser

The following script is for resetting a file's permissions:

ECHO Resetting all permissions on the file to default...
ICACLS "sensitive_data.csv" /reset

Key ICACLS Permissions and Parameters Explained

Common Actions

  • /grant <User>:<Perms>: Adds or modifies permissions.
  • /deny <User>:<Perms>: Explicitly denies permissions.
  • /remove <User>: Removes all permissions for a user.
  • /reset: Replaces the ACL with default inherited permissions.

Common Permissions

  • F: Full control
  • M: Modify access (read, write, execute, delete)
  • RX: Read and execute access
  • R: Read-only access
  • W: Write-only access

Common Parameters

  • /T: Recursive. Apply the command to files in the specified directory and all subdirectories.
  • /C: Continue on error. The command will continue processing other files even if it encounters an error on one.
  • /Q: Quiet. Suppresses success messages.

Common Pitfalls and How to Solve Them

Problem: The Script is Not Run as Administrator

This is the number one cause of failure. If your script is not run from an elevated command prompt, ICACLS will fail to modify permissions.

Successfully processed 0 files; Failed processing 1 files

This message (along with a potential "Access is denied" line) indicates a lack of privilege.

Solution: Run as Administrator

Any script that uses ICACLS to modify permissions must be run with administrative privileges. Right-click your .bat file or cmd.exe and choose "Run as administrator."

Problem: Understanding and Managing Inheritance

By default, a file or folder inherits permissions from its parent folder. This can be confusing when a user has access that you didn't explicitly grant.

Solution: Disable Inheritance

ICACLS allows you to break this chain. This is a common practice when securing a specific subfolder.

REM This command disables inheritance and copies the existing permissions as explicit ones.
ICACLS "C:\Logs\Secure" /inheritance:d

REM This command disables inheritance and REMOVES all inherited permissions.
ICACLS "C:\Logs\Secure" /inheritance:r

  • /inheritance:d: disables inheritance and copies the inherited ACEs as explicit ones.
  • /inheritance:r: disables inheritance and removes all inherited ACEs.

Practical Example: Securing an Application Log Folder

This script sets up a secure log folder. The goal is to allow only Administrators full control, while a specific service account ("AppSvc") can only write to (but not delete) the folder.

@ECHO OFF
SETLOCAL
SET "LOG_FOLDER=C:\ProgramData\MyCoolApp\Logs"

ECHO --- Securing Log Folder ---
MKDIR "%LOG_FOLDER%" 2>NUL

ECHO Step 1: Resetting permissions and removing inheritance...
ICACLS "%LOG_FOLDER%" /reset /T
ICACLS "%LOG_FOLDER%" /inheritance:r /T

ECHO Step 2: Granting Full Control to core system accounts...
REM /T applies the grant to the folder and to every item that already exists beneath it.
REM Without (OI)(CI) on the ACE, files created later will not inherit it.
ICACLS "%LOG_FOLDER%" /grant Administrators:F /T
ICACLS "%LOG_FOLDER%" /grant SYSTEM:F /T

ECHO Step 3: Granting specific permissions to the service account...
REM Using (OI)(CI) to ensure these permissions are inherited by new files.
ICACLS "%LOG_FOLDER%" /grant AppSvc:(OI)(CI)W

ECHO Permissions have been set.
ICACLS "%LOG_FOLDER%"

ENDLOCAL

Note: This script creates a tightly controlled folder where every permission is explicit: inheritance is removed, and only the accounts granted above appear in the ACL.
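The final ICACLS "%LOG_FOLDER%" call only prints the ACL; a deployment can also verify it. As an added example that is not part of the original article, the following Python parses ICACLS display output (a constructed sample; the MYCORP domain and the leftover Users entry are assumptions) and flags anything the securing script should not have left behind: an inherited (I) entry from the inheritance section, an unexpected principal, wrong or DENY rights, a missing (OI)(CI) pair, or a missing account.

```python
import re

# Constructed sample of ICACLS "C:\ProgramData\MyCoolApp\Logs" output; MYCORP and the Users ACE are assumed.
LOG_FOLDER = r"C:\ProgramData\MyCoolApp\Logs"
SAMPLE_OUTPUT = r"""C:\ProgramData\MyCoolApp\Logs BUILTIN\Administrators:(OI)(CI)(F)
                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              MYCORP\AppSvc:(OI)(CI)(W)
                              BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
EXPECTED_LOG_ACL = {r"BUILTIN\Administrators": {"F"}, r"NT AUTHORITY\SYSTEM": {"F"},
                    r"MYCORP\AppSvc": {"W"}}
FLAG_TOKENS = {"I", "OI", "CI", "IO", "NP", "DENY"}  # every other token is a right

def parse_icacls(text, path):
    """Turn ICACLS display output into a list of {"who", "flags", "rights"} dicts."""
    aces = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):              # first line is "<path> <ace>"
            line = line[len(path):].strip()
        who, _, tokens = line.rpartition(":")  # rights tokens never contain ':'
        parts = re.findall(r"\(([^)]*)\)", tokens)
        flags = {p for p in parts if p in FLAG_TOKENS}
        rights = {r for p in parts if p not in FLAG_TOKENS for r in p.split(",")}
        aces.append({"who": who, "flags": flags, "rights": rights})
    return aces

def audit(aces, expected):
    # Compare parsed ACEs with the expected ACL; an empty list means it matches.
    findings, seen = [], set()
    for ace in aces:
        who, flags, rights = ace["who"], ace["flags"], sorted(ace["rights"])
        if "I" in flags:
            findings.append(f"inherited ACE for {who}: inheritance was not removed")
        if who not in expected:
            findings.append(f"unexpected principal {who}: {rights}")
            continue
        seen.add(who)
        if "DENY" in flags or ace["rights"] != expected[who]:
            findings.append(f"{who}: {sorted(flags)} {rights} != {sorted(expected[who])}")
        if not {"OI", "CI"} <= flags:
            findings.append(f"{who} lacks (OI)(CI): new files will not inherit the ACE")
    findings.extend(f"missing ACE for {who}" for who in sorted(expected.keys() - seen))
    return findings

def audit_log_folder():
    # Run the audit over the constructed sample above.
    return audit(parse_icacls(SAMPLE_OUTPUT, LOG_FOLDER), EXPECTED_LOG_ACL)
```

On a live system, feed the parser the captured output of ICACLS "%LOG_FOLDER%" instead of the sample; the two findings for BUILTIN\Users show what an incomplete /inheritance:r step looks like.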

Conclusion

The ICACLS command is the essential, modern tool for managing file system permissions from a batch script. It provides granular control to grant, deny, and remove access for users and groups, ensuring your automated processes run with the correct security context.

For successful permission management:

  • Always run your script as an Administrator.
  • Use /grant for adding permissions, and use /deny sparingly for explicit restrictions.
  • Use the /T switch to apply changes recursively to entire directory trees.
  • Remember the key permission codes: F (Full), M (Modify), RX (Read/Execute), W (Write), and R (Read).

Mastering ICACLS is a key step toward writing professional-grade scripts that can securely manage a Windows environment.