Thursday, February 18, 2016

Replace inherited permissions on a folder/file using the command line in Windows Server 2008

When you create a new folder or file (B) inside an existing folder (A) in a Windows environment (Windows Server 2008 R2 in my case), B inherits all of A's security access permissions. If, like me, you don't want that, you can run this command in cmd to replace all the inherited ACEs (access control entries) on B with a different ACE set (the following replaces all the inherited trustees with Domain Admins and the local Administrators group):

icacls "\path\to\folder\or\file" /inheritance:r /grant:r "MYDOMAIN\Domain Admins":(OI)(CI)F /grant:r "Administrators":(OI)(CI)F /T

Note that if you run this command from a bash shell (Cygwin) instead of Windows cmd, you have to escape the "\", "(", and ")" characters:

icacls "\\path\\to\\folder\\or\\file" /inheritance:r /grant:r "MYDOMAIN\\Domain Admins":\(OI\)\(CI\)F /grant:r "Administrators":\(OI\)\(CI\)F /T

This is really helpful when you're dealing with automated or bulk tasks.
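After a bulk run it is worth confirming that nothing under the target still inherits ACEs or grants access to anyone else. The following read-only audit is an added example, not part of the original post; it assumes Windows PowerShell (.NET Framework), and the path and trustee names are placeholders to adjust.

```powershell
# Added example: read-only audit of a tree after the icacls command above.
# $Root and $Expected are placeholder values, not taken from a real system.
$Root     = 'D:\path\to\folder'
$Expected = @('MYDOMAIN\Domain Admins', 'BUILTIN\Administrators')

function Get-AclFinding {
    param($Item, [string[]]$Expected)

    # Read only the DACL; the SACL would need an extra privilege.
    $acl = $Item.GetAccessControl('Access')

    if (-not $acl.AreAccessRulesProtected) {
        '{0}: inheritance is still enabled' -f $Item.FullName
    }

    # Fetch explicit and inherited rules as SIDs, then translate each one,
    # so an orphaned SID is reported instead of aborting the audit.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }

        if ($ace.IsInherited) {
            '{0}: inherited ACE for {1}' -f $Item.FullName, $who
        }
        if ($Expected -notcontains $who) {
            '{0}: unexpected trustee {1} ({2} {3})' -f $Item.FullName, $who,
                $ace.AccessControlType, $ace.FileSystemRights
        }
    }
}

# Audit the root itself, then everything below it (hidden items included).
$rootItem = Get-Item -LiteralPath $Root -Force
$items = @($rootItem)
if ($rootItem.PSIsContainer) {
    $items += @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
}

$findings = @($items | ForEach-Object { Get-AclFinding -Item $_ -Expected $Expected })
if ($findings.Count -eq 0) {
    'OK: {0} item(s) checked, no inherited ACEs or unexpected trustees' -f $items.Count
} else {
    $findings
    exit 1
}
```

The non-zero exit code on any finding lets an automated job fail when the lockdown did not apply everywhere.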