How to set or reset NTFS permissions of a file or folder with icacls command
In this article, we will learn how to set or reset NTFS permissions of a file or folder in a Windows operating system, with icacls command.
在本文中,我们将学习如何使用 icacl 命令设置或重置 Windows 操作系统中文件或文件夹的 NTFS 权限。
It can happen that, in some cases, we may lose sight of files or directories permissions, and when we try to access a specific file we have no result because we don’t have the rights to do so.
Or we may have to run a software that, for permission issue, does not work as it should.
在某些情况下,我们可能会忽略文件或目录的权限,当我们尝试访问一个特定的文件时,我们没有结果,因为我们没有这样做的权限。或者我们可能不得不运行一个软件,为了获得许可,它不能正常工作。
We may also need to access a file that came from an old backup or another computer and was therefore created with a different user; even then, it will not be possible to access it.
我们还可能需要访问一个来自旧备份或其他计算机的文件,因此是用不同的用户创建的; 即使这样,也不可能访问它。
In all these cases, Icacls command comes to help.
在所有这些情况下,Icacls 命令都会提供帮助。
What is Icacls?
什么是 Icacls?
Icacls is the replacement for cacls (Change Access Control Lists), a command-line utility that allows you to show and perform some operations on ACL for files or directories.
Icacls 是 cacls (更改访问控制列表)的替代品,这是一个命令行实用程序,允许您在 ACL 上显示和执行文件或目录的一些操作。
ACL (Access Control List) is a list of permissions for a filesystem object and defines how its security is controlled by managing who and how it can be accessed.
ACL (访问控制列表)是文件系统对象的权限列表,通过管理访问者和访问方式,定义了如何控制其安全性。
Actually, operations on ACL are not the only ones possible with this tool.
What makes it a powerful tool is also the ability to perform backup and restore operations on ACL for files or directories, or to search for files that have a specific user as owner.
And in addition, in the event that an ACL is damaged or destroyed, with icacls you can restore it by resetting it and setting default permissions or inheriting those of the parent.
实际上,ACL 上的操作并不是这个工具唯一可能的操作。它之所以是一个强大的工具,还因为它能够对 ACL 执行文件或目录的备份和恢复操作,或者搜索具有特定用户作为所有者的文件。另外,如果 ACL 损坏或销毁,您可以通过重置 icacl 并设置默认权限或继承父权限来恢复它。
Icacls: the reset and grant functions
Icacls: 重置和授予函数
Reset
重置
Icacls is a native Windows command that runs on Windows Vista, Windows 7, Windows 8 and Windows 10.
Imagine that we have an external hard disk on which a study made in 2018 was stored, and we want to recover it, but we do not have complete control.
Icacls 是一个本地 Windows 命令,可以在 Windows Vista,Windows 7,Windows 8和 Windows 10上运行。想象一下,我们有一个外部硬盘,上面存有2018年的一项研究,我们想要恢复它,但是我们没有完全的控制权。
As soon as we try to open the folder, we will have the following alert message.
一旦我们尝试打开文件夹,我们将得到以下警告消息。
One solution is, therefore, to use the reset function of Icacls.
But pay attention to the following steps.
因此,一个解决方案是使用 Icacls 的重置功能。
Let’s open the command terminal in administrator mode.
让我们以管理员模式打开命令终端。
Let’s move to the folder and type the reset command as follows:
让我们移动到文件夹并键入 reset 命令如下:
$> icacls * /t /q /c /reset
And again, we’ll have “Access is denied” as a response.
同样,我们会用“拒绝访问”作为回应。
We must therefore first become the owner of the folder with the takeown command:
因此,我们必须首先使用 takeown 命令成为文件夹的所有者:
$> takeown / R / F *
By clicking Yes, you will now have a reset of ACL, and the permission state will be as follows:
通过单击 Yes,您现在将有一个 ACL 重置,并且权限状态如下:
Grant
格兰特
Now, imagine being in the following situation:
现在,想象一下这样的情况:
Only the user named Peter has access to the folder, and we want to give grants also to the federica user.
只有名为 Peter 的用户可以访问该文件夹,我们还希望向 federica 用户提供补助。
With the previous command, we can become the owner of the folder
使用前面的命令,我们可以成为文件夹的所有者
$> takeown / R / F *
and then type the following command:
然后输入以下命令:
$> icacls "E:\Study2018" /t /grant:F
In this case, I have inserted the options /t, that means recursive, and F that means “full access” for the user on which we want to give grants.
在这个例子中,我插入了选项/t,这意味着递归,而 f 意味着我们想要授予的用户的“完全访问权”。
For more options, see the official page.
有关更多选项,请参阅官方页面。
Other icacls functions
其他 icacls 功能
If you need to save ACLs in a file for a later restore, you can do by using a couple of “save and restore” commands.
A very simple operation from a point of view: information about the ACLs are saved in a file that can be used in case of need to restore a previous situation.
However, it should be noted that data on access rights, especially in shared folders, can be very variable over time.
We could then find ourselves in a situation where we are going to restore a situation that is different from reality or even inconsistent.
Moreover, the file that is created, openable and readable with a common text editor, seems to be a Unicode text.
But beware, because it isn’t.
如果您需要在文件中保存 acl 以便以后进行恢复,可以使用两个“保存和恢复”命令。从某种角度来看,这是一个非常简单的操作: 有关 acl 的信息保存在一个文件中,在需要恢复以前的情况时可以使用这个文件。然而,应该注意的是,访问权限数据,尤其是共享文件夹中的访问权限数据,随着时间的推移可能变化很大。然后,我们可能会发现自己处于这样一种情况,即我们要恢复一种与现实不同甚至不一致的局面。此外,使用通用文本编辑器创建、可开启和可读的文件似乎是 Unicode 文本。但是要小心,因为它不是。
Open the file and save it with some changes will make it unusable in Restore operations.
打开文件并通过一些更改将其保存,这将使其在“还原”操作中无法使用。
The couple of “save and restore” commands is as follows:
“保存和恢复”命令如下:
icacls FILE_O_DIRECTORY /save aclfile /t
icacls DIRECTORY /restore aclfile
Icacls DIRECTORY/restore aclfile
You will immediately notice a difference between the two commands.
您将立即注意到这两个命令之间的差异。
The save command can be executed both on file and on directories (FILE_O_O_DIRECTORY must be replaced with the name of the file or directory for which we want to save the ACL).
可以在文件和目录上执行 save 命令(FILE _ o _ o _ directory 必须替换为我们要为其保存 ACL 的文件或目录的名称)。
While the restore command only works on directories.
而 restore 命令只对目录有效。
An example of use is as follows:
使用的一个例子如下:
E:\> icacls filediprova.txt /save aclfile /t
E:\>icacls . /restore aclfile
As you can see, in restore command case we will not use filediprova.txt but the directory in which it is contained.
正如您所看到的,在 restore 命令情况下,我们将不使用 filediprova.txt,而是使用包含它的目录。
Conclusions
结论
In Windows systems, the ability managing access control lists is a strength that allows users and processes to make the best use of resources.
In some cases, it can be complicated, but with icacls tool, we can have many functions that help to ensure security.
在 Windows 系统中,管理访问控制列表的能力是允许用户和进程最佳利用资源的一个优点。在某些情况下,它可能比较复杂,但是使用 icacl 工具,我们可以使用许多功能来帮助确保安全性。
