ICACLS name /save aclfile [/T] [/C] [/L] [/Q]stores the DACLs for the files and folders that match the nameinto aclfile for later use with /restore. Note that SACLs,owner, or integrity labels are not saved.ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile[/C] [/L] [/Q]applies the stored DACLs to files in directory.ICACLS name /setowner user [/T] [/C] [/L] [/Q]changes the owner of all matching names. This option does notforce a change of ownership; use the takeown.exe utility forthat purpose.ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]finds all matching names that contain an ACLexplicitly mentioning Sid.ICACLS name /verify [/T] [/C] [/L] [/Q]finds all files whose ACL is not in canonical form or whoselengths are inconsistent with ACE counts.ICACLS name /reset [/T] [/C] [/L] [/Q]replaces ACLs with default inherited ACLs for all matching files.ICACLS name [/grant[:r] Sid:perm[...]][/deny Sid:perm [...]][/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q][/setintegritylevel Level:policy[...]]/grant[:r] Sid:perm grants the specified user access rights. With :r,the permissions replace any previously granted explicit permissions.Without :r, the permissions are added to any previously grantedexplicit permissions./deny Sid:perm explicitly denies the specified user access rights.An explicit deny ACE is added for the stated permissions andthe same permissions in any explicit grant are removed./remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With:g, it removes all occurrences of granted rights to that Sid. With:d, it removes all occurrences of denied rights to that Sid./setintegritylevel [(CI)(OI)]Level explicitly adds an integrityACE to all matching files. The level is to be specified as oneof:L[ow]M[edium]H[igh]Inheritance options for the integrity ACE may precede the leveland are applied only to directories./inheritance:e|d|re - enables inheritanced - disables inheritance and copy the ACEsr - remove all inherited ACEsNote:Sids may be in either numerical or friendly name form. If a numericalform is given, affix a * to the start of the SID./T indicates that this operation is performed on all matchingfiles/directories below the directories specified in the name./C indicates that this operation will continue on all file errors.Error messages will still be displayed./L indicates that this operation is performed on a symbolic linkitself versus its target./Q indicates that icacls should suppress success messages.ICACLS preserves the canonical ordering of ACE entries:Explicit denialsExplicit grantsInherited denialsInherited grantsperm is a permission mask and can be specified in one of two forms:a sequence of simple rights:N - no accessF - full accessM - modify accessRX - read and execute accessR - read-only accessW - write-only accessD - delete accessa comma-separated list in parentheses of specific rights:DE - deleteRC - read controlWDAC - write DACWO - write ownerS - synchronizeAS - access system securityMA - maximum allowedGR - generic readGW - generic writeGE - generic executeGA - generic allRD - read data/list directoryWD - write data/add fileAD - append data/add subdirectoryREA - read extended attributesWEA - write extended attributesX - execute/traverseDC - delete childRA - read attributesWA - write attributesinheritance rights may precede either form and are appliedonly to directories:(OI) - object inherit(CI) - container inherit(IO) - inherit only(NP) - don't propagate inherit(I) - permission inherited from parent containerExamples:icacls c:\windows\* /save AclFile /T- Will save the ACLs for all files under c:\windowsand its subdirectories to AclFile.icacls c:\windows\ /restore AclFile- Will restore the Acls for every file withinAclFile that exists in c:\windows and its subdirectories.icacls file /grant Administrator:(D,WDAC)- Will grant the user Administrator Delete and Write DACpermissions to file.icacls file /grant *S-1-1-0:(D,WDAC)- Will grant the user defined by sid S-1-1-0 Delete andWrite DAC permissions to file.