PowerShell Icacls permissions with domain group

icaclspowershell

I am trying to use icacls to set permissions for a domain group, but for some reason it is not working.

icacls "C:\Temp\ACL" /T /C /grant ("Everyone"+':F') ("System"+':F') ("Administrators"+':F') ("DOMAIN\groupname"+':C') >> C:\temp\c.log

I am trying to run it with Powershell, but I get the following error:

Invalid parameter "DOMAIN\groupname:C"

I have tried multiple solutions, and it works without ("DOMAIN\groupname"+':C').

Best Answer

I had an old script that did this... your code looked correct, very similar to mine. However I was granting Full control, and you were granting Change. Other CLI tools like SUBINACL, CALCS have used "C" for Change, but it would seem ICACLS decided to use "M" for Modify.

If you change ("DOMAIN\groupname"+':C') to ("DOMAIN\groupname"+':M') you'll have better luck

From the ICACLS usage output:

perm is a permission mask and can be specified in one of two forms:
    a sequence of simple rights:
            N - no access
            F - full access
            M - modify access
            RX - read and execute access
            R - read-only access
            W - write-only access
            D - delete access

Related Solutions

Setting inheritance on folder structure with iCACLS

I strongly suggest you find a utility called SetACL. It is much more powerful than ICACLS, plus the utility's website also provides a very good introduction to NTFS privileges.

(Sorry, I'm typing this on my smartphone, so I can't directly give you the site myself).

Windows – Unable to assign group permissions with ICACLS on Windows Server 2012

Use double quotes instead of single quotes:

C:\>mkdir foo

C:\>icacls 'C:/foo' /grant:r 'Users':f
'Users': No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files

C:\>icacls "C:/foo" /grant:r "Users":f
processed file: C:/foo
Successfully processed 1 files; Failed processing 0 files

I missed that you were using Powershell, not cmd. Powershell has some high weirdness when mixing external commands and quoting. Here's a couple examples using Powershell.

PS v2: To pass the quotes onto icacls you must escape them with a caret. Note parenthesis around the "F" need escaped as well.

PS C:\>icacls `"C:/foo`" /grant:r `"Users`":`(F`)

PS v3: Version 3 offers a new escape sequence --% (dash, dash, percent) which escapes the remainder of the line. This makes even complex external parameters simple.

PS C:\>icacls --% "C:/foo" /grant:r "Users":F

Best Answer

Related Solutions

Setting inheritance on folder structure with iCACLS

Windows – Unable to assign group permissions with ICACLS on Windows Server 2012

Related Topic