This article explains icacls output and the specific NTFS permissions. SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.
icacls preserves the canonical order of ACE entries as:
- Explicit denials
- Explicit grants
- Inherited denials
- Inherited grants
Perm is a permission mask that can be specified in one of the following forms:
- A sequence of simple rights:
  - F (full access)
  - M (modify access)
  - RX (read and execute access)
  - R (read-only access)
  - W (write-only access)
- A comma-separated list in parentheses of specific rights:
  - D (delete)
  - RC (read control)
  - WDAC (write DAC)
  - WO (write owner)
  - S (synchronize)
  - AS (access system security)
  - MA (maximum allowed)
  - GR (generic read)
  - GW (generic write)
  - GE (generic execute)
  - GA (generic all)
  - RD (read data/list directory)
  - WD (write data/add file)
  - AD (append data/add subdirectory)
  - REA (read extended attributes)
  - WEA (write extended attributes)
  - X (execute/traverse)
  - DC (delete child)
  - RA (read attributes)
  - WA (write attributes)
Inheritance rights may precede either Perm form, and they are applied only to directories:
- (OI): object inherit
- (CI): container inherit
- (IO): inherit only
- (NP): do not propagate inherit
- (I): permission inherited from parent container
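An added example (not from the Microsoft article or the original post): a small Python decoder for ACE entries written in the notation above. It separates the inheritance flags from the permission mask and checks that explicit entries come before inherited ones. The sample entries are constructed, the function names are hypothetical, and it assumes the path prefix of an icacls listing has already been stripped.

```python
import re

# Token meanings exactly as listed above on this page.
INHERIT = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
           "NP": "do not propagate inherit",
           "I": "permission inherited from parent container"}
RIGHTS = {"F": "full access", "M": "modify access", "RX": "read and execute access",
          "R": "read-only access", "W": "write-only access", "D": "delete",
          "RC": "read control", "WDAC": "write DAC", "WO": "write owner",
          "S": "synchronize", "AS": "access system security",
          "MA": "maximum allowed", "GR": "generic read", "GW": "generic write",
          "GE": "generic execute", "GA": "generic all",
          "RD": "read data/list directory", "WD": "write data/add file",
          "AD": "append data/add subdirectory", "REA": "read extended attributes",
          "WEA": "write extended attributes", "X": "execute/traverse",
          "DC": "delete child", "RA": "read attributes", "WA": "write attributes"}
ACE_RE = re.compile(r"^\s*(?P<who>[^():]+):(?P<groups>(?:\([^()]*\))+)\s*$")

def parse_ace(entry):
    """Split one 'principal:(flag)...(perm)' entry into decoded parts."""
    m = ACE_RE.match(entry)
    if not m:
        raise ValueError(f"not an ACE entry: {entry!r}")
    groups = re.findall(r"\(([^()]*)\)", m["groups"])
    flags, perm = groups[:-1], groups[-1].split(",")  # Perm is the last group
    return {
        "principal": m["who"].lstrip("*"),
        "numeric_sid": m["who"].startswith("*"),  # numerical SIDs carry a leading *
        "inheritance": {t: INHERIT[t] for t in flags if t in INHERIT},
        "rights": {t: RIGHTS[t] for t in perm if t in RIGHTS},
        "inherited": "I" in flags,          # came from the parent container
        "applies_here": "IO" not in flags,  # inherit-only ACEs affect children only
        "unknown": [t for t in flags if t not in INHERIT]
                   + [t for t in perm if t not in RIGHTS],  # not listed on this page
    }

def explicit_before_inherited(aces):
    """Ordering described above: no explicit ACE may follow an inherited one."""
    kinds = [a["inherited"] for a in aces]
    return kinds == sorted(kinds)  # False (explicit) sorts before True (inherited)

# Constructed sample entries, not taken from a real system.
SAMPLE = [r"*S-1-5-32-545:(OI)(CI)(RX,W)",
          r"CREATOR OWNER:(I)(OI)(CI)(IO)(GA)",
          r"BUILTIN\Administrators:(I)(F)"]
```

A non-empty `unknown` list means the entry contains a token this page does not describe, so the decoded result should not be trusted without checking the Microsoft documentation.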
This information is from a Microsoft article, so read it for more.
You literally copy & pasted the definition of icacls from the Microsoft Documentation.
You are correct. This was just for my future reference.