
How to Set Folder Permissions with ICACLS in Batch Script

Controlling access to directories is a fundamental security practice in Windows. Scripts often need to lock down sensitive data folders, grant specific users write access to their home directories, or set up permissions for a shared network folder. The standard command-line tool for managing these permissions (access control lists, or ACLs) is ICACLS, which superseded the older CACLS.

This guide will teach you how to use ICACLS to grant, deny, and remove permissions on directories. You will learn how to apply these permissions recursively to an entire folder tree, how to manage inheritance, and how to create a secure application folder from scratch.

The Core Command: ICACLS

ICACLS is the built-in Windows utility for displaying and modifying the discretionary access control lists (DACLs) on file system objects, including folders. It provides granular control over which users and groups can access a directory and what they can do.

Crucially, changing a folder's DACL requires the WRITE_DAC right on that folder, which its owner and anyone holding Full Control have. For the folders a script typically manages (system folders, shared folders, other users' home directories) that means administrative rights, and UAC strips those rights from the token of a normal prompt even for members of the Administrators group. You must run your batch script from a command prompt that has been started with "Run as Administrator."

The basic syntax pattern is: ICACLS "path\to\folder" /action UserOrGroup:Permissions. Several actions (for example an /inheritance change followed by one or more /grant entries) can be given in a single invocation.

Granting Permissions (/grant)

The most common action is /grant, which adds an entry for a user or group. Without a modifier the new permissions are merged with any explicit entry that user already has; /grant:r replaces the user's existing explicit grants instead, which is usually what you want when a script is enforcing a known state rather than adding to whatever is there.

Let's grant a user named "JaneDoe" modify permissions to her home directory, allowing her to read, write, and delete files and subfolders.

@ECHO OFF
REM This script must be run as an Administrator.

ECHO Granting Modify permissions to the JaneDoe user...
ICACLS "D:\Users\JaneDoe" /grant JaneDoe:(OI)(CI)M
  • (OI)(CI): Object Inherit and Container Inherit. Without these flags the entry applies to the folder itself only (Explorer's "This folder only"); with them, files (OI) and subfolders (CI) created inside the directory receive the same permissions automatically.
  • M: Grants Modify access (read, write, execute and delete, but not the right to change permissions or ownership).
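The following script is an added example, not code from the original page. It provisions home directories for several users in a loop, which brings out two details the single command above does not: inside a FOR or IF block the bare (OI)(CI) token is read by CMD as the end of the block, so the whole User:Perms argument is quoted, and /grant:r is used so that a stale explicit entry from an earlier run is replaced rather than merged. The root path, the user names and the CORP\ domain prefix are placeholders for this environment.

```batch
@ECHO OFF
REM Added example, not from the original page. Run as Administrator.
REM Assumptions: HOME_ROOT, the user names and the CORP\ domain prefix are
REM placeholders for this environment; the accounts must already exist.
SETLOCAL
SET "HOME_ROOT=D:\Users"
SET "USERS=JaneDoe JohnRoe"
SET "FAILED=0"

REM Inside the FOR block below a bare OI/CI inheritance token would be read
REM by CMD as the closing parenthesis of the block, so the whole
REM User:Perms argument is quoted. /grant:r replaces any earlier explicit
REM grant for that user, so a stale Full Control entry does not survive
REM next to the new Modify entry. /Q suppresses the per-file success line.
FOR %%U IN (%USERS%) DO (
    IF NOT EXIST "%HOME_ROOT%\%%U" MKDIR "%HOME_ROOT%\%%U"
    ICACLS "%HOME_ROOT%\%%U" /grant:r "CORP\%%U:(OI)(CI)M" /Q
    IF ERRORLEVEL 1 (
        ECHO [FAIL] %%U
        SET /A FAILED+=1
    ) ELSE (
        ECHO [OK]   %%U
    )
)

ECHO.
ECHO Resulting entries on each home directory:
FOR %%U IN (%USERS%) DO ICACLS "%HOME_ROOT%\%%U"

IF %FAILED% GTR 0 (
    ECHO %FAILED% grant operations failed.
    EXIT /B 1
)
ENDLOCAL
```

The per-user ERRORLEVEL check matters because ICACLS reports failures per object and keeps going; without it a script would print a success banner after a run in which half the grants were refused.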

Denying Permissions (/deny)

A deny entry is an explicit restriction. Windows evaluates explicit entries before inherited ones and, within each of those groups, deny entries before allow entries, so an explicit deny on a folder overrides any grant on that folder for the same account, including one obtained through another group membership: denying the "Marketing" group on a "Development" folder blocks a user who is in both Marketing and Developers. The one exception is an explicit allow set lower in the tree, which beats a deny inherited from above. Deny rules are easy to forget and hard to troubleshoot, so use them sparingly and prefer granting only the groups that need access.

Let's explicitly deny the "Interns" group from writing to a shared tools folder.

@ECHO OFF
REM Run as Administrator.

ECHO Denying write access to the Interns group...
ICACLS "D:\Shared\Tools" /deny Interns:(OI)(CI)W

Removing Permissions (/remove) and Resetting ACLs (/reset)

To clean up permissions, /remove deletes a user's explicit entries; /remove:g removes only that user's grants and /remove:d only the denies. It does not touch inherited entries, which must be changed on the parent or cut with /inheritance. For a more drastic cleanup, /reset discards every explicit entry on the folder (denies included) and re-enables inheritance, leaving it with only the permissions it inherits from its parent.

For example, a script to remove a user:

ECHO Removing all specific permissions for the user 'TempUser'...
ICACLS "D:\Projects\Archive" /remove TempUser /T

Note: The /T switch makes the command recursive, so the user's explicit entries are removed from every file and subfolder as well as from the folder itself.

For example, a script for resetting a folder's permissions:

ECHO Resetting all permissions on the folder to default...
ICACLS "D:\Projects\Archive" /reset /T
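The script below is an added example that is not part of the original page; it ties the deny section and the remove/reset section together. Before touching a shared folder it backs up the whole tree's ACLs with /save, applies the Write deny to the Interns group, then lifts only that deny with /remove:d so the group's read grant survives, and rolls everything back with /restore if a step fails. The share path, its parent and the Interns group are placeholders, and the script assumes Interns already hold a read grant on the share.

```batch
@ECHO OFF
REM Added example, not from the original page. Run as Administrator.
REM Assumptions: the share path, its parent and the Interns group are
REM placeholders; Interns already hold a read grant on the share.
SETLOCAL
SET "SHARE=D:\Shared\Tools"
SET "SHARE_PARENT=D:\Shared"
SET "ACL_BACKUP=%TEMP%\Tools-acl.bak"

ECHO Step 1: Backing up the current ACLs of the whole tree...
ICACLS "%SHARE%" /save "%ACL_BACKUP%" /T /C /Q
IF ERRORLEVEL 1 (
    ECHO Backup failed, nothing was changed.
    EXIT /B 1
)

ECHO Step 2: Denying Write to Interns on the folder and everything below...
ICACLS "%SHARE%" /deny "Interns:(OI)(CI)W"
IF ERRORLEVEL 1 GOTO :rollback

ECHO Step 3: Interns must still be able to read the tools; the explicit
ECHO         deny now sits next to their read grant:
ICACLS "%SHARE%" | FINDSTR /I /C:"Interns"

ECHO Step 4: Lifting only the deny again. /remove:d leaves grant entries
ECHO         alone, whereas a plain /remove would strip the read grant too.
ICACLS "%SHARE%" /remove:d Interns /T /C /Q
IF ERRORLEVEL 1 GOTO :rollback

ENDLOCAL
EXIT /B 0

:rollback
ECHO A step failed; restoring the saved ACLs...
REM The saved file stores paths relative to the directory that contains
REM the saved folder, so /restore runs against D:\Shared, not D:\Shared\Tools.
ICACLS "%SHARE_PARENT%" /restore "%ACL_BACKUP%" /C /Q
ENDLOCAL
EXIT /B 1
```

/save and /restore capture and reapply DACLs only (not ownership), which is exactly what a script that is about to /reset or /remove entries needs as an undo step; keep the backup file somewhere only administrators can read, since it describes the folder's security layout.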

Key ICACLS Permissions and Parameters Explained

Common Actions

  • /grant <User>:<Perms>: Adds permissions, merging them with any existing explicit entry; /grant:r replaces the user's existing explicit grants.
  • /deny <User>:<Perms>: Explicitly denies permissions.
  • /remove <User>: Removes all explicit entries (grants and denies) for a user; /remove:g removes only grants, /remove:d only denies. Inherited entries are not affected.
  • /reset: Discards explicit entries, re-enables inheritance and leaves only the permissions inherited from the parent.

Common Permissions

  • F: Full control
  • M: Modify access (read, write, execute, delete)
  • RX: Read and execute access
  • R: Read-only access
  • W: Write-only access

Inheritance Flags (for folders)

  • (OI): Object Inherit - Files created in this folder will inherit these permissions.
  • (CI): Container Inherit - Subfolders created in this folder will inherit these permissions.

Common Parameters

  • /T: Recursive. Applies the command to every file and subdirectory under the specified directory as well. Inheritable (OI)(CI) entries set on a folder already propagate to children that inherit from it, so /T is needed mainly with /reset, /remove and /inheritance, and for children whose inheritance has been disabled; with /grant it leaves a separate explicit entry on every object in the tree.
  • /C: Continue on error (for example a file locked by another process); the failure is still reported and counted.
  • /Q: Quiet. Suppresses success messages.

Common Pitfalls and How to Solve Them

Problem: The Script is Not Run as Administrator

This is the most common reason ICACLS fails. Modifying permissions on a folder outside your own profile normally requires administrative rights, and a non-elevated prompt (even for an account that is a member of Administrators, because UAC removes those rights from the token) produces an error like:

D:\Shared\Tools: Access is denied.
Successfully processed 0 files; Failed processing 1 files

ICACLS also returns a non-zero exit code, so a script can detect the failure with IF ERRORLEVEL 1 instead of continuing as if the permissions had been applied.

Solution: Run as Administrator

Any script that manages permissions on system or shared folders must be run from an elevated command prompt. Right-click your .bat file and select "Run as administrator," or start it from a prompt that was itself opened that way. Note that a script started with "Run as administrator" has C:\Windows\System32 as its working directory, so use absolute paths for the folders it manages.
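Rather than relying on whoever launches the script to pick the right menu entry, a script can check its own token and refuse to continue. The following added example (not from the original page) does that by looking for the High Mandatory Level label that an elevated token carries, and then turns any ICACLS failure into a script failure. The target folder, the group names and the CORP\ prefix are placeholders.

```batch
@ECHO OFF
REM Added example, not from the original page. The folder, the group
REM names and the CORP\ prefix are placeholders for this environment.
SETLOCAL
SET "TARGET=D:\Shared\Tools"

REM An elevated token carries the High Mandatory Level label, SID
REM S-1-16-12288; a script run as SYSTEM by a service or scheduled task
REM carries System Mandatory Level, S-1-16-16384. Either is sufficient.
REM A normal prompt, even for an administrator account, shows Medium
REM Mandatory Level, S-1-16-8192, and ICACLS would fail with Access is denied.
WHOAMI /GROUPS | FINDSTR /C:"S-1-16-12288" /C:"S-1-16-16384" >NUL
IF ERRORLEVEL 1 (
    ECHO This script must run from an elevated prompt: right-click, Run as administrator.
    EXIT /B 1
)

CALL :grant "%TARGET%" "Interns:(OI)(CI)RX" || EXIT /B 1
CALL :grant "%TARGET%" "CORP\ToolsAdmins:(OI)(CI)M" || EXIT /B 1

ECHO All permissions applied:
ICACLS "%TARGET%"
ENDLOCAL
EXIT /B 0

REM Subroutine: apply one grant and turn an ICACLS failure into a script
REM failure instead of printing a success banner over a half-applied ACL.
REM %1 = folder, %2 = User:Perms token, both passed quoted. The message
REM is echoed outside any parenthesised block because expanding %~2 yields
REM the OI/CI parentheses, which would otherwise terminate the block.
:grant
ICACLS %1 /grant %2 /Q
IF NOT ERRORLEVEL 1 EXIT /B 0
ECHO Failed to apply %~2 on %~1, ICACLS exit code %ERRORLEVEL%.
EXIT /B 1
```

The integrity-level check is more precise than the common "NET SESSION" trick, which depends on the Server service running, and it also accepts scripts launched as SYSTEM, which is how scheduled tasks and service installers usually run.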

Problem: Understanding and Managing Inheritance

By default, a folder inherits permissions from its parent. This is often desirable, but sometimes you need to create a folder with a unique, isolated set of permissions.

Solution: Disable Inheritance

ICACLS allows you to break the inheritance chain, which is a common first step when securing a folder.

REM This command disables inheritance and copies the existing permissions as explicit ones.
ICACLS "C:\Data\SecureFolder" /inheritance:d

REM This command disables inheritance and REMOVES all inherited permissions.
ICACLS "C:\Data\SecureFolder" /inheritance:r
  • /inheritance:d: disables inheritance and keeps the inherited entries as explicit copies, so nobody loses access until you remove entries deliberately.
  • /inheritance:r: disables inheritance and removes the inherited entries; unless the folder already has explicit entries, it is left with an empty DACL, so grant the intended accounts in the same command or immediately afterwards.
  • /inheritance:e: re-enables inheritance from the parent.
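The "disable and prune" pattern below is an added example, not code from the original page. It isolates a folder with /inheritance:d, so the folder never sits with an empty DACL, and then removes the broad grants that were copied from the parent one at a time while Administrators and SYSTEM keep their Full Control copies. The folder path and CORP\Auditors are placeholders, and the script assumes the folder inherits the usual drive-root grants for Users and Authenticated Users from C:\Data.

```batch
@ECHO OFF
REM Added example, not from the original page. Run as Administrator.
REM Assumptions: the folder path and CORP\Auditors are placeholders, and
REM the folder inherits the usual drive-root grants for Users
REM (*S-1-5-32-545) and Authenticated Users (*S-1-5-11) from C:\Data.
SETLOCAL
SET "SECURE=C:\Data\SecureFolder"

ECHO Before:
ICACLS "%SECURE%"

ECHO Step 1: Disabling inheritance but keeping the inherited entries...
REM /inheritance:d turns each inherited entry into an explicit copy, so
REM Administrators and SYSTEM keep Full Control and the folder is never
REM left without a DACL, unlike /inheritance:r.
ICACLS "%SECURE%" /inheritance:d
IF ERRORLEVEL 1 EXIT /B 1

ECHO Step 2: Pruning the broad grants that were copied from the parent...
REM /remove:g removes grant entries only. Well-known SIDs are used because
REM the group names are localized. /T also clears stray explicit copies on
REM children; /C continues past objects that cannot be opened.
ICACLS "%SECURE%" /remove:g *S-1-5-32-545 /T /C /Q
ICACLS "%SECURE%" /remove:g *S-1-5-11 /T /C /Q

ECHO Step 3: Granting read access to the one group that needs it...
ICACLS "%SECURE%" /grant "CORP\Auditors:(OI)(CI)RX"
IF ERRORLEVEL 1 EXIT /B 1

ECHO After:
ICACLS "%SECURE%"
ENDLOCAL
```

Compare the Before and After listings: the entries that remain are exactly the ones the script chose to keep or add, which is the property you want to be able to verify on a folder that holds sensitive data.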

Practical Example: Securing an Application Data Folder

This script sets up a secure data folder for an application. The goal is to allow only Administrators and SYSTEM full control, while a specific service account ("AppSvc") gets Modify access (it can read, write, execute and delete its own files but cannot change permissions or ownership), and nobody else has any access.

@ECHO OFF
SETLOCAL
SET "APP_DATA=C:\ProgramData\MyWebApp\Data"

ECHO --- Securing Application Data Folder ---
MKDIR "%APP_DATA%" 2>NUL

ECHO Step 1: Taking ownership and resetting permissions...
REM /A makes the Administrators group the owner; /D Y answers the prompt
REM TAKEOWN raises for subfolders the current user cannot list, which would
REM otherwise hang an unattended script.
TAKEOWN /F "%APP_DATA%" /R /A /D Y >NUL
REM /reset also re-enables inheritance on every object, so it must run
REM before inheritance is cut in Step 2. /C continues past locked files.
ICACLS "%APP_DATA%" /reset /T /C /Q

ECHO Step 2: Removing inherited permissions and granting the core accounts...
REM Done in one call so the folder never sits with an empty DACL. Only the
REM root needs it: after Step 1 the children inherit from the root, and
REM Windows propagates these (OI)(CI) entries to them automatically.
REM Well-known SIDs are used because the group names are localized:
REM *S-1-5-32-544 = Administrators, *S-1-5-18 = SYSTEM.
ICACLS "%APP_DATA%" /inheritance:r /grant "*S-1-5-32-544:(OI)(CI)F" /grant "*S-1-5-18:(OI)(CI)F"
IF ERRORLEVEL 1 (ECHO Failed to set the core permissions. & EXIT /B 1)

ECHO Step 3: Granting Modify to the service account...
REM M = read, write, execute and delete, but not change permissions or
REM ownership. Write DOMAIN\AppSvc or "NT SERVICE\AppSvc" as appropriate.
ICACLS "%APP_DATA%" /grant "AppSvc:(OI)(CI)M"
IF ERRORLEVEL 1 (ECHO Failed to grant the service account. & EXIT /B 1)

ECHO Permissions have been set.
ICACLS "%APP_DATA%"

ENDLOCAL

Conclusion

The ICACLS command is the definitive tool for managing folder security in Windows Batch. It provides complete control over which users and groups can access a directory and its contents.

For successful permission management:

  • Always run your script as an Administrator.
  • Use /grant to add permissions (or /grant:r to replace stale entries) and /deny only for explicit restrictions you are prepared to troubleshoot later.
  • Use the (OI)(CI) inheritance flags to ensure permissions are passed down to new files and subfolders.
  • Use the /T switch to apply changes recursively to an entire directory tree.
  • Use /inheritance:r to create a folder with isolated, non-inherited permissions, and grant the intended accounts in the same command so the folder is never left with an empty DACL.

Mastering ICACLS is a critical skill for any scripter tasked with automating deployments or managing a secure Windows environment.