ICACLS Output Explanation – NTFS Permissions

This article explains the icacls output and the specific NTFS permissions it shows. SIDs may be in either numerical or friendly name form. If you use the numerical form, affix the wildcard character * to the beginning of the SID.

icacls preserves the canonical order of ACE entries as:

  • Explicit denials
  • Explicit grants
  • Inherited denials
  • Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

  1. A sequence of simple rights:
    • F (full access)
    • M (modify access)
    • RX (read and execute access)
    • R (read-only access)
    • W (write-only access)
  2. A comma-separated list in parentheses of specific rights:
    • D (delete)
    • RC (read control)
    • WDAC (write DAC)
    • WO (write owner)
    • S (synchronize)
    • AS (access system security)
    • MA (maximum allowed)
    • GR (generic read)
    • GW (generic write)
    • GE (generic execute)
    • GA (generic all)
    • RD (read data/list directory)
    • WD (write data/add file)
    • AD (append data/add subdirectory)
    • REA (read extended attributes)
    • WEA (write extended attributes)
    • X (execute/traverse)
    • DC (delete child)
    • RA (read attributes)
    • WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:

  • (OI): object inherit
  • (CI): container inherit
  • (IO): inherit only
  • (NP): do not propagate inherit
  • (I): permission inherited from parent container


This information comes from a Microsoft article, so read that for more detail.
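The lists above are enough to decode an ACE string mechanically when reviewing permissions. The following Python sketch is an added example, not code from the Microsoft article: it parses strings of the form `PRINCIPAL:(flag)...(perm)` and checks a list of them against the canonical order. The function names and sample ACEs are made up for illustration, and it assumes deny entries are printed with a `(DENY)` group, which this article does not list.

```python
import re

# Tables copied from the lists in this article.
SIMPLE = {"F": "full access", "M": "modify access", "RX": "read and execute access",
          "R": "read-only access", "W": "write-only access"}
SPECIFIC = {"D": "delete", "RC": "read control", "WDAC": "write DAC", "WO": "write owner",
            "S": "synchronize", "AS": "access system security", "MA": "maximum allowed",
            "GR": "generic read", "GW": "generic write", "GE": "generic execute",
            "GA": "generic all", "RD": "read data/list directory",
            "WD": "write data/add file", "AD": "append data/add subdirectory",
            "REA": "read extended attributes", "WEA": "write extended attributes",
            "X": "execute/traverse", "DC": "delete child", "RA": "read attributes",
            "WA": "write attributes"}
INHERIT = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
           "NP": "do not propagate inherit", "I": "permission inherited from parent container"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

def parse_ace(text):
    """Decode one 'PRINCIPAL:(flag)...(perm)' string from icacls output."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ACE string: {text!r}")
    *flags, perm = re.findall(r"\(([^()]*)\)", m["groups"])  # last group is the mask
    unknown = [f for f in flags if f not in INHERIT and f != "DENY"]
    if unknown:
        raise ValueError(f"unrecognised flag(s) {unknown} in {text!r}")
    rights = [t.strip() for t in perm.split(",")]
    return {"principal": m["who"],
            "deny": "DENY" in flags,  # assumption: deny ACEs carry a (DENY) group
            "inherited": "I" in flags,
            "inheritance": [INHERIT[f] for f in flags if f in INHERIT],
            "rights": [SIMPLE.get(r) or SPECIFIC.get(r, f"unknown right {r}") for r in rights]}

def canonical_rank(ace):
    """0 explicit deny, 1 explicit grant, 2 inherited deny, 3 inherited grant."""
    return 2 * ace["inherited"] + (not ace["deny"])

def is_canonical(aces):
    """True when the parsed ACEs appear in the canonical order listed above."""
    ranks = [canonical_rank(a) for a in aces]
    return ranks == sorted(ranks)

# Constructed sample ACE strings (not taken from a real system).
SAMPLE = ["CORP\\contractors:(DENY)(W)", "CORP\\alice:(OI)(CI)(M)",
          "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)", "BUILTIN\\Users:(I)(RX,WD)"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_ace(line))
    print("canonical:", is_canonical([parse_ace(s) for s in SAMPLE]))
```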
