icacls

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

For examples of how to use this command, see Examples.

Syntax

icacls <FileName> [/grant[:r] <Sid>:<Perm>[...]] [/deny <Sid>:<Perm>[...]] [/remove[:g|:d] <Sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<Policy>[...]]
icacls <Directory> [/substitute <SidOld> <SidNew> [...]] [/restore <ACLfile> [/c] [/l] [/q]]

Parameters

<FileName>
    Specifies the file for which to display DACLs.

<Directory>
    Specifies the directory for which to display DACLs.

/t
    Performs the operation on all specified files in the current directory and its subdirectories.

/c
    Continues the operation despite any file errors. Error messages will still be displayed.

/l
    Performs the operation on the symbolic link itself rather than on its target.

/q
    Suppresses success messages.

/save <ACLfile> [/t] [/c] [/l] [/q]
    Stores the DACLs of all matching files in ACLfile for later use with /restore.

/setowner <Username> [/t] [/c] [/l] [/q]
    Changes the owner of all matching files to the specified user.

/findSID <Sid> [/t] [/c] [/l] [/q]
    Finds all matching files whose DACL explicitly mentions the specified security identifier (SID).

/verify [/t] [/c] [/l] [/q]
    Finds all files with ACLs that are not canonical or whose length is inconsistent with the ACE (access control entry) count.

/reset [/t] [/c] [/l] [/q]
    Replaces the ACLs of all matching files with the default inherited ACLs.

/grant[:r] <Sid>:<Perm>[...]
    Grants the specified user the given access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.

/deny <Sid>:<Perm>[...]
    Explicitly denies the specified user the given access rights. An explicit deny ACE is added for the stated permissions, and the same permissions are removed from any explicit grant.

/remove[:g|:d] <Sid>[...] [/t] [/c] [/l] [/q]
    Removes all occurrences of the specified SID from the DACL. :g removes all occurrences of rights granted to the specified SID; :d removes all occurrences of rights denied to the specified SID.

/setintegritylevel [(CI)(OI)]<Level>:<Policy>[...]
    Explicitly adds an integrity ACE to all matching files. Level is specified as L[ow], M[edium] or H[igh]. Inheritance options for the integrity ACE may precede the level and are applied only to directories.

/substitute <SidOld> <SidNew> [...]
    Replaces an existing SID (SidOld) with a new SID (SidNew). Requires the Directory parameter.

/restore <ACLfile> [/c] [/l] [/q]
    Applies the DACLs stored in ACLfile to files in the specified directory. Requires the Directory parameter.

/inheritancelevel:[e|d|r]
    Sets the inheritance level:
    e - Enables inheritance
    d - Disables inheritance and copies the ACEs
    r - Removes all inherited ACEs

Remarks

  • SIDs may be in either numerical or friendly name form. If you use the numerical form, prefix the SID with the wildcard character *.

  • icacls preserves the canonical order of ACE entries as:

    • Explicit denials
    • Explicit grants
    • Inherited denials
    • Inherited grants

  • Perm is a permission mask that can be specified in one of the following forms:

    • A sequence of simple rights:

      F (full access)
      M (modify access)
      RX (read and execute access)
      R (read-only access)
      W (write-only access)

    • A comma-separated list, in parentheses, of specific rights:

      D (delete)
      RC (read control)
      WDAC (write DAC)
      WO (write owner)
      S (synchronize)
      AS (access system security)
      MA (maximum allowed)
      GR (generic read)
      GW (generic write)
      GE (generic execute)
      GA (generic all)
      RD (read data/list directory)
      WD (write data/add file)
      AD (append data/add subdirectory)
      REA (read extended attributes)
      WEA (write extended attributes)
      X (execute/traverse)
      DC (delete child)
      RA (read attributes)
      WA (write attributes)

  • Inheritance rights may precede either Perm form, and they are applied only to directories:

    (OI): object inherit
    (CI): container inherit
    (IO): inherit only
    (NP): do not propagate inherit
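When icacls displays a DACL it prints each ACE as principal:(flags)(rights) using the same inheritance flags and permission masks listed above, which makes the output easy to parse for an audit of overly permissive entries. The following is an added example, not code from this page or from Microsoft: the sample output is constructed, and the parser assumes that icacls aligns continuation lines to the width of the path plus one space and that a file listed with a single ACE has a principal without spaces.

```python
import re

INHERIT = {"OI", "CI", "IO", "NP"}                     # inheritance flags from the Remarks
# Rights that let the holder change data, the DACL or the owner (from the Perm table).
WRITE_LIKE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO", "D", "DC", "WA", "WEA"}
_ACE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_ace(text: str) -> dict:
    """Parse one 'principal:(flag)...(rights)' entry as icacls prints it."""
    m = _ACE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {text!r}")
    tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
    return {"principal": m.group("principal"),
            "deny": "DENY" in tokens,                   # explicit deny ACE
            "inherited": "I" in tokens,                 # (I): inherited from the parent
            "inherit": [t for t in tokens if t in INHERIT],
            "rights": [r for t in tokens if t not in INHERIT | {"I", "DENY"} for r in t.split(",")]}

def parse_icacls_output(output: str) -> dict:
    """Group the ACE lines icacls prints per file, keyed by path."""
    lines = [l for l in output.splitlines() if l.strip() and not l.startswith("Successfully processed")]
    result, i = {}, 0
    while i < len(lines):
        j = i + 1
        while j < len(lines) and lines[j].startswith(" "):
            j += 1
        if j > i + 1:  # icacls indents continuation lines to the path width plus one space
            width = len(lines[i + 1]) - len(lines[i + 1].lstrip(" "))
            path, first = lines[i][:width - 1], lines[i][width:]
        else:          # single-ACE file: assume the principal contains no space
            path, first = lines[i].rsplit(" ", 1)
        result[path] = [parse_ace(first)] + [parse_ace(l) for l in lines[i + 1:j]]
        i = j
    return result

def weak_aces(acls, broad=("Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users")):
    """Grant ACEs that give a broad principal write-like rights; deny ACEs are skipped."""
    return [(path, a["principal"], a["rights"]) for path, aces in acls.items() for a in aces
            if not a["deny"] and a["principal"] in broad and WRITE_LIKE & set(a["rights"])]

# Constructed sample of icacls output (not captured from a real system).
SAMPLE = """\
C:\\Test\\file1.txt BUILTIN\\Administrators:(I)(F)
                  Everyone:(DENY)(W)
                  BUILTIN\\Users:(I)(RX)
C:\\Test\\share Everyone:(OI)(CI)(M)
              NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(D,WDAC)
Successfully processed 2 files; Failed processing 0 files
"""
```

Running weak_aces(parse_icacls_output(SAMPLE)) reports the two grant entries on C:\Test\share; the deny ACE on file1.txt is skipped because it restricts rather than widens access.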

Examples

To save the DACLs for all files in the C:\Windows directory and its subdirectories to the file ACLFile, type:

icacls c:\windows\* /save aclfile /t

To restore the DACLs for every file within ACLFile that exists in the C:\Windows directory and its subdirectories, type:

icacls c:\windows\ /restore aclfile

To grant the user User1 Delete and Write DAC permissions on a file named Test1, type:

icacls test1 /grant User1:(d,wdac)

To grant the user identified by SID S-1-1-0 Delete and Write DAC permissions on a file named Test2, type:

icacls test2 /grant *S-1-1-0:(d,wdac)

Additional references

Command-Line Syntax Key