Manage Access Control Lists Using ICACLS In Vista Part I
Although the Graphical User Interface (GUI) can be a powerful and easy way to set permissions and access control lists in Vista, Vista also ships with a utility called ICACLS. This utility replaces the CACLS utility found in XP.
The ICACLS utility lets you display, modify, back up and restore Access Control Lists (ACLs) for files and folders. ICACLS can apply the same permissions to an entire tree, as well as edit existing permissions. This allows you to precisely control how permissions are added or removed one group (or user) at a time without disturbing other permissions that exist on the system.
The basic format of the ICACLS command is ICACLS <name> [Options], where <name> is the name of the file or directory to be modified. The filename can contain wildcards, allowing the same command to be run across multiple files. If you run ICACLS on a file without any options, instead of changing the access control list on the file, ICACLS will display the existing access control list. There are several options for ICACLS.
The option for adding a new group or user is the /grant option. The /grant option is followed by the name of the group or user, a colon, and the kind of access to be granted. The kind of simple access that can be granted includes:
- “r” for read only
- “w” for write access
- “f” for full access
- “m” for modify
- “rx” for read and execute
For example, to give a group called Sales read permissions to a file named userfile.doc, the command would look like this:
ICACLS userfile.doc /grant Sales:(r)
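Removing a group's or user's access to a file is similar. Instead of /grant, you use /remove, followed only by the name of the group or user. No access type is given, because /remove deletes the entries for that name from the access control list. Thus, the command to remove access to userfile.doc for the Sales group would be:
ICACLS userfile.doc /remove Sales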
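An added example, not from the original article: a Command Prompt batch file that runs the grant and remove commands above on a scratch file and checks the ACL after each change, using ICACLS's /save and /restore options for the backup and restore mentioned earlier. It assumes a local group named Sales exists; the folder name icacls-demo is made up. Note that /remove is given the account name alone.

```batch
@echo off
rem Added example, not from the original article.
rem Assumptions: a local group named Sales exists; the folder name is made up.
setlocal
set "GROUP=Sales"
set "WORK=%TEMP%\icacls-demo"

if exist "%WORK%" rmdir /s /q "%WORK%"
mkdir "%WORK%" || exit /b 1
cd /d "%WORK%" || exit /b 1
echo sample> userfile.doc

echo --- ACL before any change
icacls userfile.doc

echo --- Grant read-only access, then confirm the new entry is listed
icacls userfile.doc /grant %GROUP%:(r) || goto fail
icacls userfile.doc | findstr /i /l /c:"%GROUP%:(R)" || goto fail

echo --- Back up the ACL (with the grant in place) before changing it again
icacls userfile.doc /save acl-backup.txt || goto fail

echo --- Remove the group: /remove takes the name only, no access type
icacls userfile.doc /remove %GROUP% || goto fail
icacls userfile.doc | findstr /i /l /c:"%GROUP%:" && goto fail

echo --- Roll back: /restore is given the folder that holds the file
icacls . /restore acl-backup.txt || goto fail
icacls userfile.doc | findstr /i /l /c:"%GROUP%:(R)" || goto fail

echo All steps succeeded.
goto cleanup

:fail
echo A step failed; see the ICACLS output above.

:cleanup
cd /d "%TEMP%"
rmdir /s /q "%WORK%"
endlocal
```

Checking the listed ACL after every change, and saving it before a removal, gives you both confirmation that the entry you intended is the one that changed and a way to put it back.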
