# icacls icacls is a command-line utility that can be used to modify NTFS file system permissions in Windows Server 2003 SP2, Windows Server 2008, Windows Vista and Windows 7. It builds on the functionality of similar previous utilities, including cacls, Xcacls.exe, Cacls.exe, and Xcacls.vbs.   **example**: ``` PS htb\amanda@SIZZLE documents> icacls clean.bat clean.bat NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) HTB\Administrator:(I)(F) HTB\amanda:(I)(F) ``` **Change permissions:** icacls C:\PS /grant John:M **Remove permissions:** icacls C:\PS /remove John Opposed to each group and the user’s access level is specified. Access rights are indicated using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user: * (OI) — object inherit * (CI) — container inherit * (M) —  modify access This means that this user has the rights to write and modify data in this directory. These rights are inherited to all child objects in this directory. Below is a complete list of permissions that can be set using the icacls utility: iCACLS inheritance settings: * (OI)  —  object inherit * (CI)  —  container inherit * (IO)  —  inherit only * (NP)  —  don’t propagate inherit * (I)  — permission inherited from parent container List of basic access permissions: * D  —  delete access * F  —  full access * N  —  no access * M  —  modify access * RX  —  read and eXecute access * R  —  read-only access * W  —  write-only access Detailed permissions: * DE  —  delete * RC  —  read control * WDAC  —  write DAC * WO  — write owner * S  —  synchronize * AS  —  access system security * MA  —  maximum allowed permissions * GR  —  generic read * GW  —  generic write * GE  —  generic execute * GA  —  generic all * RD  —  read data/list directory * WD  —  write data/add file * AD  — append data/add subdirectory * REA  —  read extended attributes * WEA  —  write extended attributes * X  —  execute/traverse * DC  —  delete child * RA  —  read attributes * WA  —  write attributes --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://infra.newerasec.com/infrastructure-testing/privilege-esclation/windows/icacls.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.