Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.


This command replaces the deprecated cacls command.


icacls <filename> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d]] <sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<policy>[...]]
icacls <directory> [/substitute <sidold> <sidnew> [...]] [/restore <aclfile> [/c] [/l] [/q]]


Parameter    Description
<filename>    Specifies the file for which to display DACLs.
<directory>    Specifies the directory for which to display DACLs.
/t    Performs the operation on all specified files in the current directory and its subdirectories.
/c    Continues the operation despite any file errors. Error messages will still be displayed.
/l    Performs the operation on a symbolic link instead of its destination.
/q    Suppresses success messages.
[/save <ACLfile> [/t] [/c] [/l] [/q]]    Stores DACLs for all matching files into ACLfile for later use with /restore.
[/setowner <username> [/t] [/c] [/l] [/q]]    Changes the owner of all matching files to the specified user.
[/findsid <sid> [/t] [/c] [/l] [/q]]    Finds all matching files that contain a DACL explicitly mentioning the specified security identifier (SID).
[/verify [/t] [/c] [/l] [/q]]    Finds all files with ACLs that are not canonical or have lengths inconsistent with ACE (access control entry) counts.
[/reset [/t] [/c] [/l] [/q]]    Replaces ACLs with default inherited ACLs for all matching files.
[/grant[:r] <sid>:<perm>[...]]    Grants specified user access rights. Permissions replace previously granted explicit permissions.

If :r is not added, permissions are added to any previously granted explicit permissions.

[/deny <sid>:<perm>[...]]    Explicitly denies specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.
[/remove[:g | :d]] <sid>[...] [/t] [/c] [/l] [/q]    Removes all occurrences of the specified SID from the DACL. This command can also use:
  • :g - Removes all occurrences of granted rights to the specified SID.
  • :d - Removes all occurrences of denied rights to the specified SID.
[/setintegritylevel [(CI)(OI)] <Level>:<Policy>[...]]    Explicitly adds an integrity ACE to all matching files. The level can be specified as:
  • l - Low
  • m - Medium
  • h - High
Inheritance options for the integrity ACE may precede the level and are applied only to directories.
[/substitute <sidold> <sidnew> [...]]    Replaces an existing SID (sidold) with a new SID (sidnew). Requires using with the <directory> parameter.
/restore <ACLfile> [/c] [/l] [/q]    Applies stored DACLs from <ACLfile> to files in the specified directory. Requires using with the <directory> parameter.
/inheritancelevel:[e | d | r]    Sets the inheritance level, which can be:
  • e - Enables inheritance
  • d - Disables inheritance and copies the ACEs
  • r - Removes all inherited ACEs


  • SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.

  • This command preserves the canonical order of ACE entries as:

    • Explicit denials

    • Explicit grants

    • Inherited denials

    • Inherited grants

  • The <perm> option is a permission mask that can be specified in one of the following forms:

    • A sequence of simple rights:

      • F - Full access

      • M - Modify access

      • RX - Read and execute access

      • R - Read-only access

      • W - Write-only access

    • A comma-separated list in parentheses of specific rights:

      • D - Delete

      • RC - Read control

      • WDAC - Write DAC

      • WO - Write owner

      • S - Synchronize

      • AS - Access system security

      • MA - Maximum allowed

      • GR - Generic read

      • GW - Generic write

      • GE - Generic execute

      • GA - Generic all

      • RD - Read data/list directory

      • WD - Write data/add file

      • AD - Append data/add subdirectory

      • REA - Read extended attributes

      • WEA - Write extended attributes

      • X - Execute/traverse

      • DC - Delete child

      • RA - Read attributes

      • WA - Write attributes

    • Inheritance rights may precede either <perm> form, and they are applied only to directories:

      • (OI) - Object inherit

      • (CI) - Container inherit

      • (IO) - Inherit only

      • (NP) - Do not propagate inherit
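
Why the canonical ACE order listed above matters, as an added example that is not part of the original page: a simplified Python model of order-dependent DACL evaluation, in which an explicit grant placed ahead of an explicit denial lets through a write that the canonical ordering refuses. The ACE tuples, account names and function names are constructed for illustration.

```python
# An ACE here is (kind, inherited, sid, rights); kind is "deny" or "allow".
# Canonical order from this page: explicit denials, explicit grants,
# inherited denials, inherited grants.
def rank(ace):
    kind, inherited = ace[0], ace[1]
    return (2 if inherited else 0) + (0 if kind == "deny" else 1)


def is_canonical(dacl):
    """True when the ACEs already appear in canonical order."""
    ranks = [rank(a) for a in dacl]
    return ranks == sorted(ranks)


def canonicalize(dacl):
    """Reorder into canonical order; the stable sort keeps ties in place."""
    return sorted(dacl, key=rank)


def access_check(dacl, token_sids, wanted):
    """Simplified model: walk ACEs top to bottom. A deny ACE that hits a right
    still outstanding refuses the request; allow ACEs accumulate rights; the
    request succeeds once every wanted right has been granted."""
    remaining = set(wanted)
    for kind, _inherited, sid, rights in dacl:
        if sid not in token_sids:
            continue
        hit = remaining & set(rights)
        if kind == "deny" and hit:
            return False
        if kind == "allow":
            remaining -= hit
        if not remaining:
            return True
    return False  # rights not granted by any ACE are refused


# Constructed DACL with the grant wrongly placed before the denial.
NON_CANONICAL = [
    ("allow", False, "Users", {"W"}),
    ("deny", False, "User1", {"W"}),
]
TOKEN = {"User1", "Users"}  # User1 is a member of Users

if __name__ == "__main__":
    print(is_canonical(NON_CANONICAL))                             # False
    print(access_check(NON_CANONICAL, TOKEN, {"W"}))               # True
    print(access_check(canonicalize(NON_CANONICAL), TOKEN, {"W"}))  # False
```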


To save the DACLs for all files in the C:\Windows directory and its subdirectories to the ACLFile file, type:

icacls c:\windows\* /save aclfile /t

To restore the DACLs for every file within ACLFile that exists in the C:\Windows directory and its subdirectories, type:

icacls c:\windows\ /restore aclfile

To grant the user User1 Delete and Write DAC permissions to a file named Test1, type:

icacls test1 /grant User1:(d,wdac)

To grant the user defined by SID S-1-1-0 Delete and Write DAC permissions to a file named Test2, type:

icacls test2 /grant *S-1-1-0:(d,wdac)
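
A pre-change check for /grant arguments such as the two above, as an added example that is not part of the original page: it parses `<sid>:<perm>` using the rights and inheritance flags listed on this page and tags grants that hand out control of the ACL. The grammar accepted (one bare simple right, or one parenthesised list), the review policy and all function names are assumptions of this example; S-1-1-0 is the well-known Everyone SID.

```python
import re

# Right and flag names copied from the <perm> lists on this page.
SIMPLE = {"F", "M", "RX", "R", "W"}
SPECIFIC = {"D", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
            "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
# Optional (OI)(CI)(IO)(NP) prefix, then a parenthesised list or one bare right.
MASK = re.compile(r"((?:\((?:OI|CI|IO|NP)\))*)(?:\(([^()]+)\)|(\w+))", re.I)

# Review policy assumed by this example (not something icacls enforces):
# rights that let the grantee rewrite the DACL or owner, and broad principals.
ACL_CONTROL = {"F", "GA", "WDAC", "WO"}
BROAD = {"*S-1-1-0", "EVERYONE"}  # S-1-1-0 is the well-known Everyone SID


def parse_grant(arg):
    """Parse '<sid>:<perm>' into (sid, inherit_flags, rights); ValueError if malformed."""
    sid, sep, perm = arg.rpartition(":")
    if not sep or not sid:
        raise ValueError(f"expected <sid>:<perm>, got {arg!r}")
    if re.fullmatch(r"S-\d+(-\d+)+", sid, re.I):
        raise ValueError("numeric SID needs a leading '*'")
    m = MASK.fullmatch(perm)
    if not m:
        raise ValueError(f"bad permission mask {perm!r}")
    flags = re.findall(r"\((\w+)\)", m.group(1).upper())
    rights = [t.strip().upper() for t in (m.group(2) or m.group(3)).split(",")]
    # Specific rights are only valid inside parentheses; a bare token must be simple.
    allowed = SIMPLE if m.group(3) else SIMPLE | SPECIFIC
    unknown = [r for r in rights if r not in allowed]
    if unknown:
        raise ValueError(f"unknown or misplaced rights: {unknown}")
    return sid, flags, rights


def review(arg):
    """Return review tags for one /grant argument; an empty list means nothing flagged."""
    sid, _flags, rights = parse_grant(arg)
    tags = [f"acl-control:{r}" for r in rights if r in ACL_CONTROL]
    if sid.upper() in BROAD:
        tags.append("broad-principal")
    return tags


if __name__ == "__main__":
    # Constructed inputs; the first two are the /grant arguments from the examples above.
    for a in ["User1:(d,wdac)", "*S-1-1-0:(d,wdac)", "Users:(OI)(CI)RX"]:
        print(a, "->", review(a))
```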

Additional References