Setting a file to "Read-Only" in Windows with ICACLS

Question

I knew how to set a file Read-Only with cacls:

  cacls "toto.txt" //E //P Everyone:N
  cacls "toto.txt" //E //G Everyone:R

It removed all rights for everyone and then only added "Read" right.

How to do the same thing with icacls?

In particular, I tried:

icacls toto.txt /grant "everyone":R but the file is still writable
icacls toto.txt /deny "everyone":W but the file is not readable anymore

Jean-Francois T. · Accepted Answer · 2021-02-10T03:09:34.857

3

The problem is that access rights are inherited from the parent folder.

The following 2 lines will do the trick:

icacls toto.txt /inheritance:r
icacls toto.txt /grant "everyone":R

The first additional line will remove all inheritance.

Or even better, you could join them into a single line:

icacls toto.txt /inheritance:r /grant:r Everyone:R

edited Feb 10 '21 at 03:09

answered Sep 06 '18 at 07:04

Jean-Francois T.

620
2
7
19

When icacls denies "W", it also includes the SYNCHRONIZE right. – js2010 Apr 21 '20 at 22:07

js2010 · Answer 2 · 2020-04-25T13:09:09.933

This is a bug in icacls, to this day. The same goes for making folders read only. Denying "W" also denies the "SYNCHRONIZE" right.

You can see it with cacls:

Everyone:(DENY)(special access:)
                                    SYNCHRONIZE
                                    FILE_WRITE_DATA
                                    FILE_APPEND_DATA
                                    FILE_WRITE_EA
                                    FILE_WRITE_ATTRIBUTES

To get the result you want, you have to specify those other 4 rights explicitly:

icacls toto.txt /deny "everyone":(WD,AD,WEA,WA)

And then cacls will tell you SYNCHRONIZE is no longer denied, and the file is still readable.

Everyone:(DENY)(special access:)
                                    FILE_WRITE_DATA
                                    FILE_APPEND_DATA
                                    FILE_WRITE_EA
                                    FILE_WRITE_ATTRIBUTES

Icacls will give the same output after using either command, with or without synchronize:

Everyone:(DENY)(W)

See also this blog: I set the same ACL with the GUI and with icacls, yet the results are different

NOTE If you wonder what "Synchronize" does, here is a description:

"Synchronize

The Synchronize permission allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs."

Furthermore, .Net does not allow you to deny both write and synchronize. (Powershell). Icacls does something that's not even allowed in .Net. FileSystemAccessRights gets reduced to "Write" only.

New-Object System.Security.AccessControl.FileSystemAccessRule(
  'Users','Write, Synchronize','Deny')

FileSystemRights  : Write
AccessControlType : Deny
IdentityReference : Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

It’s unfortunate that this answer incorrectly states the behavior is a bug instead of intentional — Ramhound, Apr 21 '20 at 22:28
@js2010 Thanks for addition. It seems Synchronize is mainly for multi-thread / multi-process so I will believe it is fine for me ;) — Jean-Francois T., Apr 22 '20 at 09:35
I see it as a bug, since the command makes OneDrive ran into sync problem. — Raul Chiarella, Mar 29 '23 at 18:57

Setting a file to "Read-Only" in Windows with ICACLS

2 Answers2