Fixing ICACLS “Invalid Parameter” Error When Assigning Group Permissions in Windows Server 2012


128 views

When running ICACLS commands to modify permissions, you might encounter the frustrating "Invalid parameter" error even when specifying what appears to be valid group names. This commonly occurs in Windows Server 2012 environments when trying to bulk apply permissions to files or folders.

The error typically stems from one of these scenarios:

  • The group name contains spaces but isn't properly escaped
  • The group's domain context is missing
  • The group doesn't exist in the specified context
  • The syntax doesn't match Windows' expected format

For local groups:

icacls "C:\foo" /grant:r "Group Foo:(F)"

For domain groups:

icacls "C:\foo" /grant:r "DOMAIN\Group Foo:(F)"

Notice the key differences from the original attempt:

  • Parentheses around the permission flag (F)
  • Proper escaping of spaces in group names
  • Explicit domain specification for domain groups

If you're still encountering issues, try these methods:

# Using SID instead of group name
icacls "C:\foo" /grant:r *S-1-5-21-3623811015-3361044348-30300820-1013:(F)

# Using the BUILTIN prefix for system groups
icacls "C:\foo" /grant:r "BUILTIN\Users:(F)"

For applying permissions to multiple files, consider this PowerShell script:

$files = Get-ChildItem "C:\data" -Recurse -File
foreach ($file in $files) {
    icacls $file.FullName /grant:r "DOMAIN\Group Foo:(F)"
}
  • Verify group existence with: net group "Group Foo" /domain
  • Check current permissions first: icacls "C:\foo"
  • Try the command in CMD instead of PowerShell if quoting issues persist
  • Ensure your account has sufficient privileges to modify permissions

When working with Windows Server 2012, you might encounter permission assignment challenges using ICACLS. The common error occurs when trying to grant permissions to groups with spaces in their names:

icacls "C:/foo" /grant:r "Group Foo":f

The system responds with:

Invalid parameter "Group Foo"

The key to solving this lies in properly escaping the group name. Windows requires specific syntax for groups containing spaces:

icacls "C:\foo" /grant:r "DomainName\Group Foo":f

Or for local groups:

icacls "C:\foo" /grant:r "BUILTIN\Group Foo":f

When dealing with domain groups, you can try these variations:

icacls "E:\Contact Numbers.xlsx" /grant:r "DOMAIN\Domain Users":f

For built-in groups:

icacls "E:\Important Files" /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)F

When group names prove problematic, you can use Security Identifiers (SIDs):

icacls "C:\shared" /grant *S-1-5-32-545:(OI)(CI)F

To find a group's SID:

wmic group where name="Group Foo" get sid

For mass permission changes, combine ICACLS with PowerShell:

Get-ChildItem "C:\Data" -Recurse | ForEach-Object {
    icacls $_.FullName /grant:r "DOMAIN\Group Foo":(OI)(CI)F
}

After applying changes, verify with:

icacls "C:\foo"

Or for detailed output:

icacls "C:\foo" /t /c /l /q