Manage Access Control Lists Using ICACLS In Vista Part II
The previous installment of this article provided some basic examples for using the ICACLS command. However, in reality, the ICACLS command can accept any number of grant and remove commands stacked on the same command line. This means that the syntax of the command can look like:
ICACLS userfile.doc /grant Sales:(r) /grant Readers:(r) /grant Managers:(f)
Another option you should be aware of is the /deny option. It takes the same user:(permission) form as /grant and adds a deny access control entry to the access control list for the specified user or group. Because any deny takes priority over any allow, you can effectively prevent a user or group from having access to a file. So, if you wanted to explicitly deny access to a file for the user account BadUser, you could execute:
ICACLS userfile.doc /deny BadUser:(F)
On a similar note, if your user names or groups have spaces in them, you will need to enclose them in quotes. This will prevent them from being processed as more than one parameter. For example, if you wanted to grant the Domain Admins group full access to a file, you could execute:
ICACLS userfile.doc /grant "Domain Admins":(F)
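The stacked /grant, /deny and quoted-name forms described above, applied to a scratch file and then read back to confirm what was written. This is an added PowerShell example, not part of the original article; the file path and the built-in groups Users, Authenticated Users and Guests are assumptions (English-language Windows).

```powershell
# Added example: scratch file and principals are constructed for illustration.
# Assumes the built-in groups Users, Authenticated Users and Guests exist
# under those names (English-language Windows).
$file = Join-Path $env:TEMP 'icacls-demo.txt'
Set-Content -Path $file -Value 'demo'

# Two stacked grants plus a deny in a single invocation. Single quotes stop
# PowerShell from interpreting the parentheses, and the group name that
# contains a space reaches icacls as one argument.
icacls $file /grant 'Users:(R)' /grant 'Authenticated Users:(M)' /deny 'Guests:(R)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Read the ACL back and list every entry in the order it is stored.
$acl = Get-Acl -Path $file
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Check 1: an explicit (non-inherited) deny entry is present.
$explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
$deny = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($deny.Count -eq 0) { throw 'Expected an explicit deny entry on the file' }

# Check 2: among explicit entries, every deny is stored before the first allow.
# Windows evaluates entries in stored order, so this ordering is what lets the
# deny take effect before any allow is considered.
$types = @($explicit | ForEach-Object { $_.AccessControlType.ToString() })
$lastDeny = [array]::LastIndexOf($types, 'Deny')
$firstAllow = [array]::IndexOf($types, 'Allow')
if ($firstAllow -ge 0 -and $lastDeny -gt $firstAllow) {
    Write-Warning 'An explicit deny is stored after an explicit allow'
}
"Canonical order reported by .NET: $($acl.AreAccessRulesCanonical)"

# Clean up: drop only the deny entries for Guests, then delete the scratch file.
icacls $file /remove:d Guests
Remove-Item -Path $file
```

Running the same readback against a real file after an ACL change is a quick way to confirm that a deny entry landed as an explicit entry rather than being assumed from the command's success message.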
