Icacls Grant all users access to a folder including new files


I use the following command (in an admin batch file) to grant all users (specifically users on the network) full access to a folder and all its contents:

Icacls %fold% /grant Everyone:F /inheritance:e /T

However, it is not applying these settings to files newly created. What am I missing in the Icacls command?

Best Answer

You're enabling inheritance for this item separately from its ACL entries. This means it will receive ACEs from its parent. It has absolutely nothing to do with whether it'll give its own custom ACEs to be inherited by children.

You have to mark each ACL entry as inheritable, separately for child files (object inherit) and child folders (container inherit):

icacls foo /grant Everyone:(OI)(CI)F

This is equivalent to the "Inherit: [Files and subfolders]" drop-down in Properties – Security – Advanced.

When you add ACEs marked inheritable, icacls will propagate them automatically and the /T option is unnecessary (maybe even slightly harmful).
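A way to check the behaviour described in this answer, as an added example that is not part of the original post: the batch file below grants the ACE with (OI)(CI) on a scratch folder, creates files and subfolders before and after the grant, and confirms each child shows the entry as inherited. The folder name under %TEMP% is constructed for the demo, and the check assumes an English-language Windows where the group is displayed as "Everyone".

```bat
@echo off
setlocal
rem Constructed scratch folder for this demo (name is an assumption, not from the page).
set "fold=%TEMP%\icacls-inherit-demo"
if exist "%fold%" rmdir /s /q "%fold%"
mkdir "%fold%\sub" || exit /b 1
echo before> "%fold%\existing.txt"

rem Grant with inheritance flags on the ACE itself:
rem   (OI) = inherited by child files, (CI) = inherited by child folders.
rem No /T here: icacls propagates inheritable ACEs to existing children.
icacls "%fold%" /grant "Everyone:(OI)(CI)F" || exit /b 1

rem Create items AFTER the grant, which is the case the question asks about.
echo after> "%fold%\new.txt"
mkdir "%fold%\newsub"

rem icacls marks inherited ACEs with (I). Files show Everyone:(I)(F),
rem folders show Everyone:(I)(OI)(CI)(F); the pattern matches both.
set "fail=0"
for %%P in ("%fold%\existing.txt" "%fold%\new.txt" "%fold%\sub" "%fold%\newsub") do (
    icacls "%%~P" | findstr /r /c:"Everyone:(I).*(F)" >nul
    if errorlevel 1 (
        echo MISSING inherited Everyone ACE: %%~P
        set "fail=1"
    ) else (
        echo OK inherited: %%~P
    )
)

rem Clean up and return 0 only if every child carried the inherited ACE.
rmdir /s /q "%fold%"
exit /b %fail%
```

Replacing the grant line with the question's original form (Everyone:F /inheritance:e /T) makes the new.txt and newsub checks report MISSING, because that ACE is applied to each existing item individually and is not marked inheritable.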