icacls

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

Note

This command replaces the deprecated cacls command.

Syntax

icacls <filename> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d] <sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<policy>[...]]
icacls <directory> [/substitute <sidold> <sidnew> [...]] [/restore <aclfile> [/c] [/l] [/q]]

Parameters

<filename>
    Specifies the file for which to display DACLs.

<directory>
    Specifies the directory for which to display DACLs.

/t
    Performs the operation on all specified files in the current directory and its subdirectories.

/c
    Continues the operation despite any file errors. Error messages are still displayed.

/l
    Performs the operation on a symbolic link instead of its target.

/q
    Suppresses success messages.

/save <ACLfile> [/t] [/c] [/l] [/q]
    Stores the DACLs of all matching files in ACLfile for later use with /restore.

/setowner <username> [/t] [/c] [/l] [/q]
    Changes the owner of all matching files to the specified user.

/findsid <sid> [/t] [/c] [/l] [/q]
    Finds all matching files whose DACL explicitly mentions the specified security identifier (SID).

/verify [/t] [/c] [/l] [/q]
    Finds all files whose ACLs are not canonical or whose lengths are inconsistent with their ACE (access control entry) counts.

/reset [/t] [/c] [/l] [/q]
    Replaces the ACLs of all matching files with the default inherited ACLs.

/grant[:r] <sid>:<perm>[...]
    Grants the specified user access rights. With :r, the permissions replace any previously granted explicit permissions. Without :r, the permissions are added to any previously granted explicit permissions.

/deny <sid>:<perm>[...]
    Explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions, and the same permissions are removed from any explicit grant.

/remove[:g|:d] <sid>[...] [/t] [/c] [/l] [/q]
    Removes all occurrences of the specified SID from the DACL. This command can also use:
      • :g - Removes all occurrences of granted rights for the specified SID.
      • :d - Removes all occurrences of denied rights for the specified SID.

/setintegritylevel [(CI)(OI)] <Level>:<Policy>[...]
    Explicitly adds an integrity ACE to all matching files. The level can be specified as:
      • l - Low
      • m - Medium
      • h - High
    Inheritance options for the integrity ACE may precede the level and apply only to directories.

/substitute <sidold> <sidnew> [...]
    Replaces an existing SID (sidold) with a new SID (sidnew). Must be used with the <directory> parameter.

/restore <ACLfile> [/c] [/l] [/q]
    Applies the DACLs stored in <ACLfile> to files in the specified directory. Must be used with the <directory> parameter.

/inheritancelevel:[e | d | r]
    Sets the inheritance level, which can be:
      • e - Enables inheritance
      • d - Disables inheritance and copies the ACEs
      • r - Removes all inherited ACEs

Remarks

  • SIDs may be given in either numerical or friendly-name form. If you use the numerical form, prefix the SID with the wildcard character *.

  • This command preserves the canonical order of ACE entries:

    • Explicit denials

    • Explicit grants

    • Inherited denials

    • Inherited grants

  • The <perm> option is a permission mask that can be specified in one of the following forms:

    • A sequence of simple rights:

      • F - Full access

      • M - Modify access

      • RX - Read and execute access

      • R - Read-only access

      • W - Write-only access

    • A comma-separated list, in parentheses, of specific rights:

      • D - Delete

      • RC - Read control

      • WDAC - Write DAC

      • WO - Write owner

      • S - Synchronize

      • AS - Access system security

      • MA - Maximum allowed

      • GR - Generic read

      • GW - Generic write

      • GE - Generic execute

      • GA - Generic all

      • RD - Read data/list directory

      • WD - Write data/add file

      • AD - Append data/add subdirectory

      • REA - Read extended attributes

      • WEA - Write extended attributes

      • X - Execute/traverse

      • DC - Delete child

      • RA - Read attributes

      • WA - Write attributes

    • Inheritance rights may precede either <perm> form and apply only to directories:

      • (OI) - Object inherit

      • (CI) - Container inherit

      • (IO) - Inherit only

      • (NP) - Do not propagate inherit

Examples

To save the DACLs of all files in the C:\Windows directory and its subdirectories to the file ACLFile, type:

icacls c:\windows\* /save aclfile /t

To restore the DACLs of every file recorded in ACLFile that exists in the C:\Windows directory and its subdirectories, type:

icacls c:\windows\ /restore aclfile

To grant the user User1 the Delete and Write DAC permissions on a file named Test1, type:

icacls test1 /grant User1:(d,wdac)

To grant the user identified by SID S-1-1-0 the Delete and Write DAC permissions on a file named Test2, type:

icacls test2 /grant *S-1-1-0:(d,wdac)
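As an added example that is not part of this reference page, the following PowerShell script chains /save, /findsid, /remove:g and /verify into a baseline, audit, remediate, check sequence for a directory tree whose DACLs explicitly name the Everyone SID (S-1-1-0). The root path, the "SID Found:" prefix parsed from /findsid output and the exit-code handling are assumptions.

```powershell
# Added example, not from the icacls reference page: baseline a tree's DACLs,
# find files that explicitly name a well-known SID, strip only the granted
# entries for it, and verify the resulting ACLs are still canonical.
# Assumptions: $Root exists, the script runs with rights to read and modify its
# DACLs, and "SID Found: <path>." is what this icacls.exe build prints for hits.
param(
    [string]$Root = 'C:\Shares\Public',   # assumed path; point it at the tree you audit
    [string]$Sid  = 'S-1-1-0'             # Everyone; numeric SIDs get a leading * below
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "dacl-$stamp.acl"

# 1. Baseline first: /save records every matching file's DACL (paths relative
#    to $Root) so the change below can be undone with /restore on $Root.
icacls "$Root\*" /save $backup /t /c /q
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed (exit $LASTEXITCODE); aborting" }

# 2. Audit: /findsid lists files whose DACL explicitly mentions the SID.
#    A numeric SID must be prefixed with * (see Remarks); the friendly name
#    "Everyone" would work without it.
$hits = icacls $Root /findsid "*$Sid" /t /c | ForEach-Object {
    if ($_ -match '^SID Found:\s*(.+?)\.?\s*$') { $Matches[1] }   # assumed output format
}

if (-not $hits) {
    Write-Host "No DACL under $Root explicitly names $Sid; nothing to change."
    return
}
Write-Host "Files whose DACL explicitly names ${Sid}:"
$hits | ForEach-Object { Write-Host "  $_" }

# 3. Remediate: /remove:g drops only the granted ACEs for the SID. Any explicit
#    deny ACE for it stays in place (/remove:d would drop those instead, and
#    plain /remove drops both). Inherited ACEs are untouched; they come from
#    the parent and must be fixed there.
icacls $Root /remove:g "*$Sid" /t /c /q
if ($LASTEXITCODE -ne 0) { Write-Warning "Some files were not updated (/c continued past errors)." }

# 4. Check: /verify flags ACLs that are no longer canonical (explicit deny,
#    explicit grant, inherited deny, inherited grant) or whose length disagrees
#    with the ACE count.
icacls $Root /verify /t /c /q

Write-Host "Baseline saved to $backup. To undo: icacls $Root /restore $backup"
```

Running the script twice is safe: the second pass finds no explicit entries for the SID and exits before touching anything.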

Additional References