What is the PowerShell equivalent of ICACLS?

Brock Bingham candid headshot
Brock Bingham|July 19, 2021
icacls
icacls

As cyber attacks increase in both frequency and severity, they have taken center stage in the world of cybersecurity. While keeping threat actors out of your environment is absolutely critical, I believe that keeping coworkers out of your embarrassingly large private stash of pirated Golden Girls episodes is at least mildly important. 

Thankfully, keeping your private stash and company secrets safe is pretty straightforward with file and folder permissions. Here’s how you can go about securing your most important assets:

ICACLS

Managing permissions through Windows Explorer is pretty easy. Simply right-click on any file or folder and click Properties, then click on the Security tab.

icacls1

While this is relatively simple to do, you’ll start to run into issues when you have massive amounts of permissions to set. Thankfully, with the ICALS utility, we're able to script out larger permissions jobs.

Icacls is a command-line utility that allows admins to view and modify file and folder permissions. CACLS stands for Control Access Control List. There is some debate on whether the "I" stands for Integrity or Inherited, but hopefully it doesn't stand for “irreplaceable” because today we're discussing the PowerShell equivalent of icacls.

The PowerShell Equivalent of ICACLS Is Get-Acl and Set-Acl

NAME Get-Acl SYNTAX Get-Acl [[-Path] <string[]>] [-Audit] [-AllCentralAccessPolicies] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-UseTransaction] [<CommonParameters>] Get-Acl -InputObject <psobject> [-Audit] [-AllCentralAccessPolicies] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-UseTransaction] [<CommonParameters>] Get-Acl [-LiteralPath <string[]>] [-Audit] [-AllCentralAccessPolicies] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-UseTransaction] [<CommonParameters>] ALIASES None REMARKS Get-Help cannot find the Help files for this cmdlet on this computer. It is displaying only partial help. -- To download and install Help files for the module that includes this cmdlet, use Update-Help. -- To view the Help topic for this cmdlet online, type: "Get-Help Get-Acl -Online" or go to https://go.microsoft.com/fwlink/?LinkID=113305.

NAME Set-Acl SYNTAX Set-Acl [-Path] <string[]> [-AclObject] <Object> [[-CentralAccessPolicy] <string>] [-ClearCentralAccessPolicy] [-Passthru] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-WhatIf] [-Confirm] [-UseTransaction] [<CommonParameters>] Set-Acl [-InputObject] <psobject> [-AclObject] <Object> [-Passthru] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-WhatIf] [-Confirm] [-UseTransaction] [<CommonParameters>] Set-Acl [-AclObject] <Object> [[-CentralAccessPolicy] <string>] -LiteralPath <string[]> [-ClearCentralAccessPolicy] [-Passthru] [-Filter <string>] [-Include <string[]>] [-Exclude <string[]>] [-WhatIf] [-Confirm] [-UseTransaction] [<CommonParameters>] ALIASES None REMARKS Get-Help cannot find the Help files for this cmdlet on this computer. It is displaying only partial help. -- To download and install Help files for the module that includes this cmdlet, use Update-Help. -- To view the Help topic for this cmdlet online, type: "Get-Help Set-Acl -Online" or go to https://go.microsoft.com/fwlink/?LinkID=113389.

As you can see, Microsoft has chosen to stick with their non-creative but very descriptive naming schemes with these cmdlets. One look and you can pretty easily guess what each one does. As their names imply, Get-Acl will retrieve the access-control list of a given file or folder. Set-Acl, on the other hand, will set or modify the permissions of files and folders.

Okay, time for some examples.

Example 1

DIR 'path(filter)' -Recurse | Get-Acl | Format-List
icacls2

We're starting off pretty simple, but there's still some cool stuff going on here. We've used the DIR command and specified the path 'C:\VIP Only\' with the filter a*. The only folder inside the "VIP Only" folder that matched the filter was a folder named "Area 51 Fashion Advice". We've used the -Recurse parameter to return all subdirectories and files. Be careful using this parameter on a folder that has large amounts of subdirectories and files, though. 

Next, we piped that command to the Get-Acl command, returning the permissions for all the files and folders found in the specified directory. Lastly, we piped everything to the Format-List command to make the returned information a bit easier to read.

Example 2

Get-Acl -Path 'Path1 | Set-Acl -Path 'Path2'

We are using both Get-Acl and Set-Acl to copy the permissions from one file to another in this example.

I have a file called “Top Secret Mashed Potatoes Recipe.txt” and a "Back to the Future 4 Script.txt" file in the same "VIP Only" directory. As you can see, the user Jack Black currently has permissions on one file but not the other.

icacls3

However, once I run the above script, PowerShell will copy the permissions from "Top Secret Mashed Potatoes Recipe.txt" to "Back to the Future 4 Script.txt."

icacls4
icacls5

Example 3

$acl = Get-Acl 'path' $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("username","permission","allow or deny") $acl.SetAccessRule($AccessRule) $acl | Set-Acl 'path'

The first two examples were pretty simple. However, setting permissions is a bit trickier than just getting or copying permissions.

In this example, the first thing we do is retrieve the ACL of the object we want to modify and assign it to the variable $acl. Next, we create a new file system access rule and assign it to the $AccessRule variable. This rule contains the "username", the "permission", and the "allow or deny" settings. Then, we set the access rule we created to the $acl variable. Lastly, we use the Set-Acl cmdlet to set the new permissions contained in the access rule.

As you can see in this image, the file "C:\VIP Only\NSA Secrets\Chocolate is Healthy.txt" doesn't have permissions for the user Jack Black.

icacls6

However, once I run the following script, the user's permissions will be added to the file and granted full control.

icacls7
icacls8

Magic!... I mean, PowerShell!

PowerShell vs ICALS: Which Should You Be Using?

I'll be honest. I find it easier to set permissions with icacls versus Set-Acl. However, there are limitations with icacls, whereas the possibilities are almost infinite with PowerShell. If you have some simple permissions to set, I would use either Windows Explorer or icacls. If, on the other hand, you have an enormous amount of permissions to set and you need to automate a workflow, PowerShell should be your go-to.

Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related articles