Did you ever need to script ‘setting-file/folder-permissions’ or making a deployment or install script ? Or did you ever screwed-up the NTFS permissions on the C:\Windows folder (including all the subfolders) ?
If so, you’d better read on;

Microsoft finally came with a solution which stops all the horror of automaticly setting-NTFS permissions, including the slow and buggy CACLS variants.
First, i show the timeline and history of the Microsoft tools for setting permissions;

CACLS.EXE was invented for Windows NT4.0 and used for Windows 2000 to set NTFS permissions to files. This tool was not powerfull and only had a few options for setting very-basic NTFS permissions.

XCACLS.EXE (within the Windows 2000 Resource Kit or Microsoft Windows 2003 Support Tools) was made to provide more options for Windows 2000 and up. However, there were some bugs where NTFS permissions were incorrectly ordered and would corrupt the permissions of the file/folder.

XCACLS.VBS was Microsoft’s follow-up and was a rewritten (VBS) version of XCACLS.EXE without the bugs. However, it was so slow! Unfortunately this was the only way to set file permissions on a correct/stable way on Windows 2000/2003/XP.

Now, a few years later, Microsoft finally introduced the new powerfull ICACLS.EXE.
It is included in Windows Server 2003 SP2, Windows Vista and Windows Server 2008. This tool is much faster in setting permissions, it has functionality to backup the permissions of a complete set of files/folders to a single file. You can restore them with the same tool, which is even faster than setting all permissions independently.

UPDATE: After 2 days and nights working and scripting with ICACLS, i saw some limitations; One of them is that you can’t break inheritance.

For example:
When your E:\ drive has Full-Control for the Administrator user with inheritance, you can not use ICACLS to set E:\test\abc\ with just Read permissions for the Administrator user. (see my detailed example at EE)
I tried using “icacls E:\test\abc\ /grant:r Administrator:(OI)(CI)(NP)(R)” but this just adds the read permissions while maintaining the Full-Control permissions. Using icacls with “/remove Administrator” didn’t work either.
The function is possible with the XCACLS.VBS command: “cscript.exe xcacls.vbs E:\test\abc /I COPY|REMOVE|ENABLE“.

You can also use the Windows GUI (see screenshots):

Screenshot of Breaking Inheritance in Windows Server 2003

Copy or Remove permissions on subfolders and files

Below is the usage, syntax and some examples of ICACLS, post your own more-complex examples ! (MSDN command reference)

ICACLS name /save aclfile [/T] [/C]
    store the the acls for the all matching names into aclfile
    for later use with /restore.
ICACLS directory [/substitute SidOld SidNew [...]]
                  /restore aclfile [/C]
    applies the stored acls to files in directory.
ICACLS name /setowner user [/T] [/C]
    changes the owner of all matching names.
ICACLS name /findsid Sid [/T] [/C]
    finds all matching names that contain an ACL explicitly
    mentioning Sid.
ICACLS name /verify [/T] [/C]
    finds all files whose ACL is not in canonical form or whose
    lengths are inconsistent with ACE counts.
ICACLS name /resize [/T] [/C] [/L]
    changes incorrect recorded lengths of ACLs to true lengths
ICACLS name /reset [/T] [/C]
    replaces acls with default inherited acls for all matching

    ICACLS name [/grant[:r] Sid:perm[...]]
            [/deny Sid:perm [...]]
            [/remove[:g|:d]] Sid[...]] [/T] [/C]

    /grant[:r] Sid:perm grants the specified user access rights.
      With :r, the permissions replace any previouly granted
      explicit permissions.
      Without :r, the permissions are added to any previously
      granted explicit permissions.
   /deny Sid:perm explicitly denies the specified user access
      An explicit deny ACE is added for the stated permissions
      and the same permissions in any explicit grant are

   /remove[:[g|d]] Sid removes all occurrences of Sid in the
      With :g, it removes all occurrences of granted rights to
      that Sid.
      With :d, it removes all occurrences of denied rights to
      that Sid.

   Sids may be in either numerical or friendly name form. If a
   numerical form is given, affix a * to the start of the SID.

   /T indicates that this operation is performed on all
      matching files/directories below the directories
      specified in the name.

   /C indicates that this operation will continue on all
      file errors.
      Error messages will still be displayed.

   ICACLS preserves the canonical ordering of ACE entries:
      Explicit denials
      Explicit grants
      Inherited denials
      Inherited grants

   perm is a permission mask and can be specified in one of two
      a sequence of simple rights:
         F - full access
         M - modify access
         RX - read and execute access
         R - read-only access
         W - write-only access
      a comma-separated list in parenthesis of specific
         D - delete
         RC - read control
         WDAC - write DAC
         WO - write owner
         S - synchronize
         AS - access system security
         MA - maximum allowed
         GR - generic read
         GW - generic write
         GE - generic execute
         GA - generic all
         RD - read data/list directory
         WD - write data/add file
         AD - append data/add subdirectory
         REA - read extended attributes
         WEA - write extended attributes
         X - execute/traverse
         DC - delete child
         RA - read attributes
         WA - write attributes
      inheritance rights may precede either form and are
      applied only to directories:
         (OI) - object inherit
         (CI) - container inherit
         (IO) - inherit only
         (NP) - don't propagate inherit


   icacls c:\windows\* /save AclFile /T
      - Will save the ACLs for all files under c:\windows
        and its subdirectories to AclFile.

   icacls c:\windows\ /restore AclFile
      - Will restore the Acls for every file within
        AclFile that exists in c:\windows and its

   icacls file /grant Administrator:(D,WDAC)
      - Will grant the user Administrator Delete and Write DAC
        permissions to file

   icacls file /grant *S-1-1-0:(D,WDAC)
      - Will grant the user defined by sid S-1-1-0 Delete and
        Write DAC permissions to file

If you want to know more about the (OI), (CI), (IO) and (NP) (inheritance) flags, see this Microsoft KB article.

I recently found this document about ICACLS, see page 8 – 10.

A good alternative to ICACLS is “fileacl” (free, 3rd party). It’s lightning fast and even an (ASP) COM interface is available! An older version is even downloadable from the MS site, so i think they even like it ;)