How to grant permission to users for a directory using command line in Windows?

WindowsCommand PromptFile Permissions

Windows Problem Overview

How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?

Windows Solutions

Solution 1 - Windows

As of Vista, cacls is deprecated. Here's the first couple of help lines:

NOTE: Cacls is now deprecated, please use Icacls.

Displays or modifies access control lists (ACLs) of files

You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:

C:\>icacls "D:\test" /grant John:(OI)(CI)F /T

According do MS documentation:

  • F = Full Control
  • CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
  • OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
  • /T = Apply recursively to existing files and sub-folders. (OI and CI only apply to new files and sub-folders). Credit: comment by @AlexSpence.

For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here

Solution 2 - Windows

You can also use ICACLS.

To grant the Users group Full Control to a folder:

>icacls "C:\MyFolder" /grant Users:F

To grant Modify permission to IIS users for C:\MyFolder (if you need your IIS has ability to R/W files into specific folder):

>icacls "C:\MyFolder" /grant IIS_IUSRS:M

If you do ICACLS /? you will be able to see all available options.

Solution 3 - Windows

Open a Command Prompt, then execute this command: > icacls "c:\somelocation\of\path" /q /c /t /grant Users:F

F gives Full Access.

/q /c /t applies the permissions to subfolders.

Note: Sometimes "Run as Administrator" will help.

Solution 4 - Windows

Use cacls command. See information here.

> CACLS files /e /p {USERNAME}:{PERMISSION} > > Where, > > /p : Set new permission > > /e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it. > > {USERNAME} : Name of user > > {PERMISSION} : Permission can be: > > R - Read > > W - Write > > C - Change (write) > > F - Full control > > For example grant Rocky Full (F) control with following command (type at Windows command prompt): > > C:> CACLS files /e /p rocky:f > > Read complete help by typing following command: > > C:> cacls /?

Solution 5 - Windows

I try the below way and it work for me:

  1. open cmd.exe
  2. takeown /R /F *.*
  3. icacls * /T /grant [username]:(D)
  4. del *.* /S /Q

So that the files can become my own access and it assign to "Delete" and then I can delete the files and folders.

Solution 6 - Windows

Corrupt Permissions: Regaining access to a folder and its sub-objects

Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:

icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T  

For Windows 10 the user/SID must be specified after the /remove:d option:

icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T  


  1. The command is applied to the specified directory.

  2. Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.

  3. The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.

  4. The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.

  5. The "F" parameter (i.e. the permission created) makes this a grant of FULL control.

  6. The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.

  7. The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently.

ADDENDUM (2019/02/10) -

The Windows 10 command line above was kindly suggested to me today, so here it is. I haven't got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).

The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don't need to specify a user after /remove:d but I might be wrong about that!


ADDENDUM (2019/11/21) -

User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can't test this proposal, but it seems reasonable.

Solution 7 - Windows

I struggled with this for a while and only combining the answers in this thread worked for me (on Windows 10):

  1. Open cmd or PowerShell and go to the folder with files
  2. takeown /R /F .
  3. icacls * /T /grant dan:F

Good luck!

Solution 8 - Windows

With an Excel vba script to provision and create accounts. I was needing to grant full rights permissions to the folder and subfolders that were created by the tool using our administrators 'x' account to our new user.

cacls looked something like this: cacls \FileServer\Users\Username /e /g Domain\Username:C

I needed to migrate this code to Windows 7 and beyond. My solution turned out to be:

icacls \FileServer\Users\Username /grant:r Domain\Username:(OI)(CI)F /t

/grant:r - Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions

(OI)(CI) - This folder, subfolders, and files.

F - Full Access

/t - Traverse all subfolders to match files/directories.

What this gave me was a folder on this server that the user could only see that folder and created subfolders, that they could read and write files. As well as create new folders.

Solution 9 - Windows

Just in case there is anyone else that stumbles on this page, if you want to string various permissions together in the one command, I used this:

icacls "c:\TestFolder" /grant:r Test_User:(OI)(CI)(RC,RD,RX)

Note the csv string for the various permissions.

Solution 10 - Windows

XCACLS.VBS is a very powerful script that will change/edit ACL info. c:\windows\system32\cscript.exe xcacls.vbs help returns all switches and options.

You can get official distribution from Microsoft Support Page

Solution 11 - Windows

Bulk folder creation and grant permission works me by using the below powershell script.

Import-Csv "D:\Scripts\foldernames.csv" | foreach-object {
    $username = $_.foldername 
    # foldername is the header of csv file

    $domain = “”
    $folder= "D:\Users"

    $domainusername = $domain+“\”+$username

    New-Item $folder\$username –Type Directory

    Get-Acl $folder\$username  

    $acl = Get-Acl $folder\$username

    $acl.SetAccessRuleProtection($True, $False)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")

    Set-Acl $folder\$username $acl

Note: You have to create same domain username in csv file otherwise you will get permission issues

Solution 12 - Windows

attrib +r +a +s +h <folder name> <file name> to hide
attrib -r -a -s -h <folder name> <file name> to unhide

Solution 13 - Windows

excellent point Călin Darie

I had a lot of scripts to use cacls I move them to icacls how ever I could not find a script to change the root mount volumes example: d:\datafolder. I finally crated the script below, which mounts the volume as a temporary drive then applies sec. then unmounts it. It is the only way I found that you can update the root mount security.

1 gets the folder mount GUID to a temp file then reads the GUID to mount the volume as a temp drive X: applies sec and logs the changes then unmounts the Volume only from the X: drive so the mounted folder is not altered or interrupted other then the applied sec.

here is sample of my script:

**mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I 
D:\tools\security\icacls.exe  %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d**

Solution 14 - Windows

I am Administrator and some script placed "Deny" permission on my name on all files and subfolders in a directory. Executing the icacls "D:\test" /grant John:(OI)(CI)F /T command did not work, because it seemed it did not remove the "Deny" right from my name from this list.

The only thing that worked for me is resetting all permissions with the icacls "D:\test" /reset /T command.

Solution 15 - Windows

  1. navigate to top level directory you want to set permissions to with explorer
  2. type cmd in the address bar of your explorer window
  3. enter icacls . /grant John:(OI)(CI)F /T where John is the username
  4. profit

Just adding this because it seemed supremely easy this way and others may profit - all credit goes to Călin Darie.

Solution 16 - Windows

in windows 10 working without "c:>" and ">"

For example:

F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission

> cacls "file or folder path" /e /p UserName:F

(also this fixes error 2502 and 2503)

> cacls "C:\Windows\Temp" /e /p UserName:F

Solution 17 - Windows

This is what worked for me:

  1. Manually open the folder for which the access is denied.

  2. Select the Executable/application file in that folder.

  3. Right-click on it and go to Properties -> Compatibility

  4. Now see the Privilege Level and check it for Run As Administrator

  5. Click on Change Settings for all users.

The problem is solved now.


All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionAmitabhView Question on Stackoverflow
Solution 1 - WindowsCălin DarieView Answer on Stackoverflow
Solution 2 - WindowsVin.XView Answer on Stackoverflow
Solution 3 - WindowsSireesh YarlagaddaView Answer on Stackoverflow
Solution 4 - WindowsJorge FerreiraView Answer on Stackoverflow
Solution 5 - WindowsRay HuangView Answer on Stackoverflow
Solution 6 - WindowsEd999View Answer on Stackoverflow
Solution 7 - WindowsDaniil ShevelevView Answer on Stackoverflow
Solution 8 - WindowsGusView Answer on Stackoverflow
Solution 9 - WindowsAdsView Answer on Stackoverflow
Solution 10 - Windowsg222View Answer on Stackoverflow
Solution 11 - Windowsuser2934980View Answer on Stackoverflow
Solution 12 - WindowsYashwanthView Answer on Stackoverflow
Solution 13 - WindowsHandyMannyHEView Answer on Stackoverflow
Solution 14 - WindowsB. ZoliView Answer on Stackoverflow
Solution 15 - Windowsuser2305193View Answer on Stackoverflow
Solution 16 - WindowsDao1988View Answer on Stackoverflow
Solution 17 - WindowsMAYURView Answer on Stackoverflow