How to Grant Full Folder Permissions to All Users Using ICACLS in Windows 7


2 views

When administering Windows 7 systems, the icacls.exe command-line utility is the preferred tool for modifying NTFS permissions programmatically. Unlike the GUI method (Properties > Security tab), ICACLS allows precise permission control through scripts and batch files.

To grant full control to all users on a specific folder:

icacls "C:\TargetFolder" /grant "Users":(F) /T /C /Q

Breaking down the parameters:

  • "Users": The built-in Users group containing all user accounts
  • (F): Full control permission (equivalent to Read+Write+Execute+Delete+Change Permissions)
  • /T: Apply recursively to subfolders and files
  • /C: Continue even if errors occur
  • /Q: Quiet mode (suppresses success messages)

For more granular control, consider these permission flags instead of (F):

icacls "C:\SharedData" /grant "Users":(M) /T  # Modify access
icacls "C:\Reports" /grant "Users":(RX)      # Read and Execute
icacls "C:\Uploads" /grant "Users":(W)       # Write-only

To confirm the permissions were set correctly:

icacls "C:\TargetFolder"

Sample output might show:

BUILTIN\Users:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

1. Inheritance Behavior: The /T parameter makes permissions inherit to child objects. To block inheritance while setting new permissions:

icacls "C:\SecureFolder" /inheritance:d /grant "Users":(F)

2. User vs. Everyone: While similar, "Users" excludes the Guest account. For truly universal access including Guests:

icacls "C:\Public" /grant "Everyone":(F) /T

3. Backup Original Permissions before major changes:

icacls "C:\Important" /save permissions.txt /T

For deploying across multiple machines:

@echo off
set folder=%1
if "%folder%"=="" (
    echo Usage: %0 "C:\FolderPath"
    exit /b 1
)

icacls "%folder%" /grant "Users":(F) /T /C
if %errorlevel% neq 0 (
    echo Permission update failed
    exit /b %errorlevel%
)

echo Successfully granted Users full control of %folder%

Save as grant_users_full.cmd and run with folder path as parameter.

Error: "No mapping between account names and security IDs" - Usually means the Users group isn't recognized. Try the SID instead:

icacls "C:\Folder" /grant *S-1-5-32-545:(F)

Access Denied errors - Run Command Prompt as Administrator. ICACLS requires elevated privileges to modify permissions.

Permission conflicts - Use /reset to replace all permissions with default inheritance:

icacls "C:\ProblemFolder" /reset /T

ICACLS (Integrity Control Access Control List) is a command-line utility in Windows that allows administrators to view and modify file/folder permissions. It's particularly useful for scripting bulk permission changes.

The fundamental structure for granting permissions is:

icacls "folder_path" /grant:r "user_or_group":(permissions) /t /c /q

For Windows 7, to grant full control to all users on a specific folder:

icacls "C:\SharedFolder" /grant:r "Users":(F) /t /c /q

Where:

- (F) grants Full Control

- /t applies changes to all subfolders and files

- /c continues despite errors

- /q suppresses success messages

To confirm the permissions were applied correctly:

icacls "C:\SharedFolder"

If you need more granular control (e.g., Read+Write but not Full Control):

icacls "C:\SharedFolder" /grant:r "Users":(M,W,R) /t /c /q

This grants Modify (M), Write (W), and Read (R) permissions.

1. Inheritance Issues: If parent folder permissions are restrictive, use:

icacls "C:\SharedFolder" /reset /t /c /q

2. UAC Limitations: Always run Command Prompt as Administrator.

For repeated use, create a .bat file:

@echo off
icacls "%~1" /grant:r "Users":(F) /t /c /q
if %errorlevel% equ 0 (
    echo Permissions updated successfully
) else (
    echo Error updating permissions
)
pause

Save as grant_access.bat and run with folder path as parameter.